Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM

From: Khushboo Vashi <khushboo(dot)vashi(at)enterprisedb(dot)com>
To: Gregory McKaige <gmckaige(at)gmail(dot)com>
Cc: pgadmin-support(at)lists(dot)postgresql(dot)org
Subject: Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM
Date: 2023-04-11 08:21:05
Message-ID: CAFOhELd_uSCpy6amxj-UG6nrW3kxDj06FHYiXt0gmS=nE-sEBQ@mail.gmail.com
Lists: pgadmin-support

Hi,

As you can log in to the pgAdmin web app through Kerberos, you should be
able to connect to Postgres through Kerberos.
One thing I want to confirm is that when you created the server, you turned
on the *Kerberos authentication* option.
See the screenshot below.

[image: Screenshot 2023-04-11 at 1.48.38 PM.png]

Thanks,
Khushboo

On Tue, Apr 11, 2023 at 1:17 PM Gregory McKaige <gmckaige(at)gmail(dot)com> wrote:

> Environment:
> VM - FreeIPA providing LDAP/Kerberos (FreeIPA 4.10.0) on Rocky Linux 9.1
> VM - Rocky Linux 9.1 as Docker Host
> -- PGADMIN (Container) 6.15
> VM - Rocky Linux 9.1 providing Postgres 15
>
> From an IPA joined client Kerberos SSO works to the PGAdmin container (no
> extra login prompt)
> From an IPA joined client with psql installed I can connect to Postgres
> using Kerberos. I see the "GSSAPI - Encrypted connection" in the
> connection.
>
> When I attempt to connect with the same account from the PGAdmin web
> application I receive the following error in the web interface.
> "GSSAPI continuation error. No credentials were supplied, or the
> credentials were unavailable or inaccessible. No Kerberos credentials
> available.(Default cache: FILE:/tmp/krb5cc_5050)"
>
> On Postgres I checked the logs and it looks like the right user is being
> sent....but not authenticated:
> 2023-04-11 13:31:53.364 +07 [3858] FATAL: GSSAPI authentication failed
> for user "a01-6"
> 2023-04-11 13:31:53.364 +07 [3858] DETAIL: Connection matched pg_hba.conf
> line 91: "host all all 192.168.1.0/24
> gss include_realm=0 krb_realm=MY.LAB"
>
> Initially I thought it might be the typical Kerberos double-hop issue with
> Kerberos delegation and I found the following article on Kerberos
> delegation.
>
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_using-constrained-delegation-in-idm_configuring-and-managing-idm#con_constrained-delegation-in-identity-management_assembly_using-constrained-delegation-in-idm
>
> I configured the delegation (First time in the Linux world I've done this
> so maybe it's wrong?) using:
>
> ipa servicedelegationtarget-add
> ipa servicedelegationtarget-add-member
> ipa servicedelegationrule-add
> ipa servicedelegationrule-add-member
> ipa servicedelegationrule-add-target
>
> Then rebooted everything, but same results. Is there a way in the PGAdmin
> container to turn up logging to see what's happening?
>
> Thanks,
> Greg
>
>
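
An added triage sketch (not part of the original thread, and not pgAdmin's or PostgreSQL's own code): it reads the two artifacts quoted above, the client-side "Default cache" error and the pg_hba.conf line from the server log, then reports the state of the named credential cache file and the role name the gss options yield. The principal a01-6@MY.LAB is assumed from the user and realm in the thread, and all function names are hypothetical.

```python
import os
import re

# Constructed samples, copied from the error and log text quoted in the thread.
SAMPLE_ERROR = ("GSSAPI continuation error. No credentials were supplied, or the "
                "credentials were unavailable or inaccessible. No Kerberos "
                "credentials available.(Default cache: FILE:/tmp/krb5cc_5050)")
SAMPLE_HBA = "host all all 192.168.1.0/24 gss include_realm=0 krb_realm=MY.LAB"


def parse_default_ccache(error_text):
    """Return (cache_type, path) from a 'Default cache' message, or None."""
    m = re.search(r"Default cache:\s*(\w+):([^)\s]+)", error_text)
    return (m.group(1), m.group(2)) if m else None


def ccache_state(path):
    """Classify a FILE credential cache as seen by the current process."""
    try:
        size = os.stat(path).st_size
    except FileNotFoundError:
        return "missing"      # no ticket was ever written for this process
    if size == 0:
        return "empty"
    return "present" if os.access(path, os.R_OK) else "unreadable"


def gss_options(hba_line):
    """Extract the name=value options that follow the gss method, or None."""
    fields = hba_line.split()
    if "gss" not in fields:
        return None
    opts = fields[fields.index("gss") + 1:]
    return dict(f.split("=", 1) for f in opts if "=" in f)


def role_for_principal(principal, opts):
    """Name compared with the requested role; None if krb_realm rejects it."""
    user, _, realm = principal.partition("@")
    if opts.get("krb_realm") and realm != opts["krb_realm"]:
        return None
    # include_realm defaults to 1; 0 strips the realm before comparison.
    return user if opts.get("include_realm", "1") == "0" else principal


if __name__ == "__main__":
    ctype, cpath = parse_default_ccache(SAMPLE_ERROR)
    print("client cache:", ctype, cpath, "->", ccache_state(cpath))
    opts = gss_options(SAMPLE_HBA)
    # a01-6@MY.LAB is an assumed principal built from the thread's user and realm.
    print("server side :", opts, "->", role_for_principal("a01-6@MY.LAB", opts))
```

Run it as the same OS user as the process that opens the database connection, since the default cache path in the error is per-user.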
