Re: GSSAPI Authentication Problem

On Fri, Aug 3, 2012 at 4:41 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
>
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> Following is the information you suggested reporting. The test is with
>> 'User Name' = 'john'. I used a system DSN generated with the ODBC data
>> source administrator. Before I set 'User Name' = 'john', I
>> successfully tested the DSN with user csmprovver whose AD and PG names
>> are identical with 'User Name' = ''.
>
> After you have tried to connect, you might try running 'klist' on the
> Windows system and reviewing the tickets to see if you acquired a ticket
> for the postgres service.
>
> In general, this does look very similar to our setup (which works just
> fine). I will say that we always use "include_realm=1" and then have
> the mapping include the realm, eg:
>
> pg_hba.conf:
>
> host all all 0.0.0.0/0 gss include_realm=1 map=krbmap
>
> pg_ident.conf:
>
> krbmap /^[mM]12345(at)REALM\(dot)ORG$ sfrost
>
> In the end, however, it sounds like that's some kind of GSSAPI issue
> that's causing trouble (hence the gssapi auth complaint in the server
> log). Is there any additional information around that error about what
> the GSSAPI error is? Have you tried increasing the verbosity of the
> server messages to see if more information is provided?
>
> Thanks,
>
> Stephen

Stephen,

'klist tickets' on the Windows XP client does not show a ticket for
the Postgresql service principal after failed attempts to
authenticate. It does show a ticket after a successful gssapi
authentication with psql.

I added 'include_realm=1' to pg_hba.conf and included the realm in
pg_ident.conf. Authentication by psqlODBC failed. Authentication with
psql was successful.

I increased the logging level on the server as far as it will go, I
believe, and don't see anything that suggests the source of the
authentication failure. The log entries from configuration reload to
authentication failure follow:

*pg_log with log_min_messages = debug5 and log_error_verbosity = verbose*

2012-08-06 08:41:01 CDT LOG: 08P01: incomplete startup packet
2012-08-06 08:41:01 CDT LOCATION: ProcessStartupPacket, postmaster.c:1525
2012-08-06 08:41:01 CDT LOG: 00000: received SIGHUP, reloading
configuration files
2012-08-06 08:41:01 CDT LOCATION: SIGHUP_handler, postmaster.c:2051
2012-08-06 08:41:13 CDT DEBUG: 00000: forked new backend, pid=16722 socket=10
2012-08-06 08:41:13 CDT LOCATION: BackendStartup, postmaster.c:3108
2012-08-06 08:41:13 CDT FATAL: 28000: GSSAPI authentication failed
for user "john"
2012-08-06 08:41:13 CDT LOCATION: auth_failed, auth.c:273
2012-08-06 08:41:13 CDT DEBUG: 00000: shmem_exit(1): 0 callbacks to make
2012-08-06 08:41:13 CDT LOCATION: shmem_exit, ipc.c:211
2012-08-06 08:41:13 CDT DEBUG: 00000: proc_exit(1): 1 callbacks to make
2012-08-06 08:41:13 CDT LOCATION: proc_exit_prepare, ipc.c:183
2012-08-06 08:41:13 CDT DEBUG: 00000: exit(1)
2012-08-06 08:41:13 CDT LOCATION: proc_exit, ipc.c:135
2012-08-06 08:41:13 CDT DEBUG: 00000: shmem_exit(-1): 0 callbacks to make
2012-08-06 08:41:13 CDT LOCATION: shmem_exit, ipc.c:211

Thank you for staying with me on this.

John