Re: Kerberos authentication in pgAdmin4 server

Hi,

While creating the server, have you checked the `Kerberos authentication ?'
field?

On Wed, Nov 26, 2025 at 8:57 PM Haiko Sawatzky <haikosaw69(at)gmail(dot)com> wrote:

> Hello.
>
> I've been having seemingly the same issue as in the following thread:
> https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b1fa9b4ee880
> I would like to see if someone can help me diagnose what I'm doing wrong.
>
> My environment is:
> * pgAdmin4 server version 9.10, running in a Docker container
> (dpage/pgadmin4:9.10) - Ubuntu server VM
> * Postgresql server configured for Kerberos authentication - Ubuntu
> server VM
> * Our company is using Microsoft Windows Active Directory
>
> What I have working:
> * Logging into Postgresql directly with my Microsoft Active Directory
> user using Kerberos (from Windows & Linux)
> * Logging into pgAdmin web with my Microsoft Active Directory user using
> Kerberos (currently only on Firefox on Windows)
>
> What's currently not working for me is the Kerberos authentication from
> within pgAdmin to the Postgresql server. The container logs this the moment
> I try to connect to the Postgresql server:
> pgadmin-1 | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: GSSAPI continuation error: No credentials
> were supplied, or the credentials were unavailable or inaccessible: No
> Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5050)
>
> I do however find a ticket for my Kerberos session in the cache directory:
> docker exec -ti pgadmin-test-pgadmin-1 bash -c 'ls -la
> /var/lib/pgadmin/krbccache/'
> total 12
> drwxr-xr-x 2 pgadmin root 4096 Nov 26 09:42 .
> drwxrwxr-x 6 pgadmin root 4096 Nov 26 09:42 ..
> -rw------- 1 pgadmin root 1533 Nov 26 09:42
> pgadmin_cache_testuser(at)AD(dot)DOMAIN(dot)LAB
>
> I've tried, just to see if it would do a login:
> * Create an environment variable for the whole container KRB5CCNAME as
> the absolute path to my Kerberos ticket in krbccache
> * copy the ticket in /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050
> The environment variable had no affect, but copying the ticket
> to /tmp/krb5cc_5050 changed the error that I got to:
> pgadmin-1 | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: connection to server at "<ip-address>",
> port 5432 failed: GSSAPI continuation error: Unspecified GSS failure.
> Minor code may provide more information: The ticket isn't for us
>
> Another issue I've already worked around: the documentation specifies to
> set an environment variable for "KRB_KTNAME" or set "KRB_KTNAME" in the
> pgAdmin config, and that this should work instead of needing to configure
> "default_keytab_name" in krb5.conf. But this has not worked for me at all,
> I can't go without explicitly creating a krb5.conf file that specifies
> "default_keytab_name = /path/to/keytab". But as I said, when I configure
> this in krb5.conf, the login into pgAdmin using Kerberos works.
>