Re: GSSAPI Authentication using a CNAME

From: Dave Cramer <davecramer(at)postgres(dot)rocks>
To: Jason Breitman <jbreitman(at)tildenparkcapital(dot)com>
Cc: pgsql-jdbc(at)lists(dot)postgresql(dot)org
Subject: Re: GSSAPI Authentication using a CNAME
Date: 2020-08-27 11:24:21
Message-ID: CADK3HH+SOfT8iggkZw8pkrUYg3yH7+GncSwJTRD0ffVTUO7B4A@mail.gmail.com
Lists: pgsql-jdbc

Hi Jason,

Top posting because I don't want to delete below. I am wondering if this is
a Java thing. The docs for GSSAPI for Java are pretty horrible.

Is there a setting to deal with CNAMEs?

Dave

On Wed, 26 Aug 2020 at 19:00, Jason Breitman <jbreitman(at)tildenparkcapital(dot)com> wrote:

> *Description*
> I am not able to connect to my PostgreSQL Server using the PostgreSQL JDBC
> Driver with GSSAPI when using the short name if the short name is a CNAME
> Record.
> The fully qualified domain name does work when it is a CNAME.
>
> For comparison, the psql client is able to connect using the short name when
> it is a CNAME.
>
> *JDBC Version*
> postgresql-42.2.16.jar
>
> *Dependencies*
> commons-cli-1.4
>
> $ cat /opt/pgsql/conf/jaas.conf
> pgjdbc {
>     com.sun.security.auth.module.Krb5LoginModule required
>     doNotPrompt=true
>     useTicketCache=true
>     renewTGT=true
>     debug=false
>     client=true;
> };
>
> *Code Snippet*
> $ cat JDBCExample.java
> import java.sql.Connection;
> import java.sql.DriverManager;
> import java.sql.SQLException;
>
> import org.apache.commons.cli.CommandLine;
> import org.apache.commons.cli.CommandLineParser;
> import org.apache.commons.cli.DefaultParser;
> import org.apache.commons.cli.Option;
> import org.apache.commons.cli.Options;
> import org.apache.commons.cli.ParseException;
>
> public class JDBCExample {
>
>     public static void main(String[] args) throws ParseException {
>
>         Options options = new Options();
>
>         Option host = Option.builder()
>                 .longOpt("host")
>                 .argName("host")
>                 .hasArg()
>                 .desc("Name of the PostgreSQL Server.")
>                 .build();
>
>         options.addOption(host);
>
>         Option db = Option.builder()
>                 .longOpt("db")
>                 .argName("db")
>                 .hasArg()
>                 .desc("Name of the PostgreSQL Database.")
>                 .build();
>
>         options.addOption(db);
>
>         CommandLineParser parser = new DefaultParser();
>         CommandLine cmd = parser.parse(options, args);
>
>         String jdbcUrl = "jdbc:postgresql://" + cmd.getOptionValue("host")
>                 + ":5432/" + cmd.getOptionValue("db");
>
>         try (Connection conn = DriverManager.getConnection(jdbcUrl)) {
>
>             if (conn != null) {
>                 System.out.println("Connected to the database!");
>             } else {
>                 System.out.println("Failed to make connection!");
>             }
>
>         } catch (SQLException e) {
>             System.err.format("SQL State: %s\n%s", e.getSQLState(),
>                     e.getMessage());
>         } catch (Exception e) {
>             e.printStackTrace();
>         }
>
>     }
> }
>
> *Compilation Steps*
> javac -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar
> JDBCExample.java
>
> *Results*
> $ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=
> EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf
> -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar
> JDBCExample --host cname-hostname --db mydb
> SQL State: 08006
> GSS Authentication failed
>
> $ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=
> EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf
> -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar
> JDBCExample --host cname-hostname.example.com --db mydb
> Connected to the database!
>
> $ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=
> EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf
> -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar
> JDBCExample --host hostname --db mydb
> Connected to the database!
>
>
> Jason Breitman
>
>
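
A diagnostic for the three cases reported above, added here as an example; it is not code from the thread or from pgjdbc. It assumes the JDK's Kerberos layer swaps the typed host for its canonical name only when the canonical name is a longer form of it, and that the service part is `postgres`; the class and method names are hypothetical.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Locale;

public class SpnHostCheck {

    // Assumption: "postgres" is the service part (pgjdbc's kerberosServerName default).
    static final String SERVICE = "postgres";

    // Assumed rule: the canonical name replaces the typed one only when it is a
    // longer form of it (typed + "." is a prefix); otherwise the typed name is kept.
    static String spnHost(String typed, String canonical) {
        String t = typed.toLowerCase(Locale.ENGLISH);
        String c = canonical.toLowerCase(Locale.ENGLISH);
        return c.startsWith(t + ".") ? canonical : typed;
    }

    static void report(String typed, String canonical) {
        System.out.printf("%-28s canonical=%-22s SPN=%s/%s%n",
                typed, canonical, SERVICE, spnHost(typed, canonical));
    }

    public static void main(String[] args) {
        if (args.length == 0) {
            // Constructed sample: the three names from the report, all assumed
            // to reverse-resolve to hostname.example.com.
            String canonical = "hostname.example.com";
            report("cname-hostname", canonical);
            report("cname-hostname.example.com", canonical);
            report("hostname", canonical);
            return;
        }
        for (String typed : args) {
            try {
                // Forward lookup follows the CNAME; the reverse lookup names the A record's host.
                report(typed, InetAddress.getByName(typed).getCanonicalHostName());
            } catch (UnknownHostException e) {
                System.out.printf("%-28s does not resolve%n", typed);
            }
        }
    }
}
```

Run it on the client with the host names as arguments and compare the SPN column against the service principals registered in the KDC.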
