Thread: Kerberos support interfering with normal access?
The Debian postgres package is compiled with Kerberos support enabled. This seems to be causing problems even though I don't have postgres configured to make use of this support. In fact even with postgres configured to automatically trust any connection without any authentication it's still causing a problem.

The source of the confusion seems to be that my kerberos principal doesn't actually match my unix username. I'm not sure why this should cause confusion since even if it wanted to authenticate me as "gsstark" it should still let me log in.

Or have I not diagnosed the problem right? I don't understand why it's still calling it "IDENT authentication" when it has to either be "trust" authentication or "kerberos" authentication.

$ psql -d slo
psql: FATAL: IDENT authentication failed for user "gsstark"
[Exit 2]
$ echo $USER
stark
$ klist | head -2
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: gsstark@ATHENA.MIT.EDU
$ strace -e open -d slo
strace: slo: command not found
[Exit 1]
$ strace -e open psql -d slo
...
open("/etc/krb5.conf", O_RDONLY) = 3
open("/tmp/krb5cc_1000", O_RDONLY) = 3
psql: FATAL: IDENT authentication failed for user "gsstark"
$ grep '^[^# ]' /etc/postgresql/pg_hba.conf
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all 0.0.0.0 255.255.255.255 reject

--
greg
On Mon, 2002-12-16 at 09:57, Greg Stark wrote:
> The Debian postgres package is compiled with Kerberos support enabled. This
> seems to be causing problems even though I don't have postgres configured to
> make use of this support. In fact even with postgres configured to
> automatically trust any connection without any authentication it's still
> causing a problem.
>
> The source of the confusion seems to be that my kerberos principal doesn't
> actually match my unix username. I'm not sure why this should cause confusion
> since even if it wanted to authenticate me as "gsstark" it should still let me
> log in.
>
> Or have I not diagnosed the problem right? I don't understand why it's still
> calling it "IDENT authentication" when it has to either be "trust"
> authentication or "kerberos" authentication.

The pg_hba.conf you list doesn't have any authentication method but "trust". Have you let the postmaster reread the configuration since you changed it? ("pg_ctl reload" or "/etc/init.d/postgresql reload")

--
Oliver Elphick    Oliver.Elphick@lfix.co.uk
Isle of Wight, UK    http://www.lfix.co.uk/oliver
GPG: 1024D/3E1D0C1C: CA12 09E0 E8D5 8870 5839 932A 614D 4C34 3E1D 0C1C
========================================
"Let another man praise thee, and not thine own mouth; a stranger, and not thine own lips." Proverbs 27:2
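
Added example, not part of either message: a shell check for the situation Oliver points at, where the client error names an authentication method that no active pg_hba.conf line uses. The function names and the temporary sample file are constructed for illustration, and the field positions are assumed from the pg_hba.conf lines Greg posted.

```shell
#!/bin/sh
# Added example, not from the thread. Field layout assumed from the lines in
# the post: "local DB USER METHOD" and "host DB USER IP MASK METHOD"
# ("host DB USER IP/LEN METHOD" is also accepted).

# Print the auth method of every active (non-comment, non-blank) line.
hba_methods() {
    awk '
        /^[ \t]*(#|$)/ { next }
        $1 == "local"  { print tolower($4); next }
        $1 ~ /^host/   { print tolower(index($4, "/") ? $5 : $6) }
    ' "$1"
}

# Pull the method name out of a client error such as
#   psql: FATAL: IDENT authentication failed for user "gsstark"
error_method() {
    printf '%s\n' "$1" |
        sed -n 's/.*FATAL: *\([A-Za-z0-9]*\) authentication failed.*/\1/p' |
        tr 'A-Z' 'a-z'
}

# 0: some active line uses the failing method; 1: none does, so the file
# on disk cannot explain the error; 2: no method found in the message.
hba_explains_error() {
    method=$(error_method "$2")
    [ -n "$method" ] || return 2
    hba_methods "$1" | grep -qx "$method"
}

# Sample input: the active lines and the error message quoted in the post.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
local all all trust
host all all 127.0.0.1 255.255.255.255 trust
host all all 0.0.0.0 255.255.255.255 reject
EOF
err='psql: FATAL: IDENT authentication failed for user "gsstark"'
if hba_explains_error "$sample" "$err"; then
    echo "an active line uses '$(error_method "$err")'"
else
    echo "no active line uses '$(error_method "$err")': check that the postmaster has reread this file"
fi
```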