Re: PG 8.3 and kerberos failures

From: "Peter Koczan" <pjkoczan(at)gmail(dot)com>
To: "pgsql-admin(at)postgresql(dot)org" <pgsql-admin(at)postgresql(dot)org>
Subject: Re: PG 8.3 and kerberos failures
Date: 2008-04-22 15:20:56
Message-ID: 4544e0330804220820y27e07184k1148d0e5e358ac1a@mail.gmail.com
Lists: pgsql-admin

On Fri, Apr 18, 2008 at 12:43 PM, Peter Koczan <pjkoczan(at)gmail(dot)com> wrote:
> On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <pjkoczan(at)gmail(dot)com> wrote:
> > Hi all,
> >
> > I just upgraded one of my servers and I'm having a bit of trouble
> > getting some of the kerberos authentication bits working.
> > Specifically, any Kerberos instance run out of a v5srvtab doesn't work
> > so well. Using stashed tickets or normal principals worked fine.
> > Gritty details follow.
> >
> > Peter
> >
> > Here are details from the specific v5srvtab's...
> > [root(at)sensei postgres]# klist -k -t /etc/v5srvtab.wsbackup
> > Keytab name: FILE:/etc/v5srvtab.wsbackup
> > KVNO Timestamp Principal
> > ---- ----------------- --------------------------------------------------------
> > 13 12/20/07 15:56:11 wsbackup/sensei(dot)cs(dot)wisc(dot)edu(at)CS(dot)WISC(dot)EDU
>
> Here's what happens when I do this (it's on a different machine but
> it's the same mechanism).
>
> [root(at)ator] ~ $ su - wsbackup
> ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d wsbackup/ator(dot)cs(dot)wisc(dot)edu(at)CS(dot)WISC(dot)EDU
> ator(2)% klist
> Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528
> Default principal: wsbackup/ator(dot)cs(dot)wisc(dot)edu(at)CS(dot)WISC(dot)EDU
>
> Valid starting Expires Service principal
> 04/18/08 12:25:00 04/19/08 12:25:00 krbtgt/CS(dot)WISC(dot)EDU(at)CS(dot)WISC(dot)EDU
>
>
> Kerberos 4 ticket cache: /tmp/tkt28528
> klist: You have no tickets cached

One more thing to note, I said before that stashed tickets and login
principals "just work." Here might be something...

[koczan(at)ator] koczan $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_ZtKJNK
Default principal: koczan(at)CS(dot)WISC(dot)EDU
...

[root(at)mitchell ~]# export KRB5CCNAME=/var/adm/krb5/tmp/stash/krb5cc_25555.stash
[root(at)mitchell ~]# klist
Ticket cache: FILE:/var/adm/krb5/tmp/stash/krb5cc_25555.stash
Default principal: strivia(at)CS(dot)WISC(dot)EDU
...

They don't contain hostname data in the default principal like the
keytab principal does, and yet they both connect fine. There could be
something to this, but I don't know what, or how to take advantage of
it.

Peter
