Logon via GSSAPI from Linux fails, but works from Windows

From: Niels Jespersen <NJN(at)dst(dot)dk>
To: pgsql-general list <pgsql-general(at)lists(dot)postgresql(dot)org>
Subject: Logon via GSSAPI from Linux fails, but works from Windows
Date: 2022-05-13 16:25:21
Message-ID: 3307acb3f9a84562a704c85b8e0c5a25@dst.dk
Lists: pgsql-general

Hello all

We have our analysis users log on to Postgres without a password. Instead we rely on their Windows identity.

When the Postgres server is on Windows, we use SSPI. Works great.

When the Postgres server is on Linux, we use GSSAPI. Works great.

Now, we are introducing Linux for analysts to run their Python/R/SQL/whatever.

They log onto Linux using their Windows identity. The Linux analysis servers are joined to the Windows domain using sssd.

This gives us a headache. Logging onto Postgres without a password does not immediately work when the Windows user is logged onto a Linux server with their Windows credentials.

Linux is Ubuntu 22.04 on the client side, Ubuntu 20.04 on the Postgres server side. Postgres server version is server 14.2 (Ubuntu 14.2-1.pgdg20.04+1). psql client is psql (PostgreSQL) 14.2 (Ubuntu 14.2-1ubuntu1).

What happens is this

yyy@srvpython8:~$ psql service=bigdata_db1
psql: error: connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: could not initiate GSSAPI security context: Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database
connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database
yyy@srvpython8:~$

The Postgres server log has this.

2022-05-13 18:14:01.140 CEST,,,474093,"172.30.32.213:33554",627e83c9.73bed,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33554",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33556",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host all all 172.0.0.0/8 gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920

Are we forgetting to set something up?

Regards Niels Jespersen
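
The server log excerpt in the message above, parsed as an added example (not part of the original message and not PostgreSQL project code): it reads csvlog lines, keeps the FATAL entries with SQLSTATE 28000, and extracts the pg_hba.conf rule and options the failed connection matched. The function names and the option-splitting rule are assumptions made for this illustration; the column order is that of PostgreSQL 14 csvlog.

```python
import csv
import io
import re
import shlex

# Column order of PostgreSQL 14 csvlog output (26 fields).
COLUMNS = (
    "log_time user_name database_name process_id connection_from session_id "
    "session_line_num command_tag session_start_time virtual_transaction_id "
    "transaction_id error_severity sql_state_code message detail hint "
    "internal_query internal_query_pos context query query_pos location "
    "application_name backend_type leader_pid query_id"
).split()
HBA_DETAIL = re.compile(r'Connection matched pg_hba\.conf line (\d+): "(.*)"$')

# Constructed sample: one LOG line and the FATAL line copied from the message above.
SAMPLE = r'''
2022-05-13 18:14:01.140 CEST,,,474093,"172.30.32.213:33554",627e83c9.73bed,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33554",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host all all 172.0.0.0/8 gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
'''

def parse_hba_rule(rule):
    """Return (auth method, options). Assumption: tokens with '=' are options."""
    tokens = shlex.split(rule)  # shlex strips the quotes around option values
    positional = [t for t in tokens if "=" not in t]
    options = dict(t.split("=", 1) for t in tokens if "=" in t)
    return positional[-1], options

def auth_failures(log_text):
    """One record per FATAL entry with SQLSTATE 28000 (authentication failure)."""
    failures = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != len(COLUMNS):
            continue  # blank or malformed line
        rec = dict(zip(COLUMNS, row))
        if rec["error_severity"] != "FATAL" or rec["sql_state_code"] != "28000":
            continue
        entry = {"user": rec["user_name"], "database": rec["database_name"],
                 "client": rec["connection_from"], "message": rec["message"]}
        m = HBA_DETAIL.match(rec["detail"])
        if m:  # the detail field names the pg_hba.conf rule that was applied
            method, options = parse_hba_rule(m.group(2))
            entry.update(hba_line=int(m.group(1)), method=method, options=options)
        failures.append(entry)
    return failures

if __name__ == "__main__":
    for failure in auth_failures(SAMPLE):
        print(failure)
```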
