Thread: Attempting to get kerberos authentication working
Hello,
I'm trying to get kerberos working with postgres 8.4 on openSUSE authenticating against AD. I have the server configured and can do a kinit against my account on the server. I have a keytab file produced by the administrators.
$ klist -kt poe3b.keytab
Keytab name: FILE:bob.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/31/69 19:00:00 HTTP/bob.lab2k.net@LAB2K.NET
I've added
krb_srvname = 'HTTP' to postgresql.conf
When I try and log in from psql on a windows workstation that is on the same AD domain, I get an entry in the log file: FATAL: GSSAPI authentication failed for user "jdoe", psql gives me:
C:\Program Files\PostgreSQL\8.4\bin>psql -h bob testdb
psql: SSPI continuation error: The specified target is unknown or unreachable
(80090303)
I tried just doing a kinit from linux without any luck, but I'm not sure if that is really an issue or not.
$ kinit -V -k -t poe3b.keytab HTTP
kinit(v5): Client not found in Kerberos database while getting initial credentials
$ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
kinit(v5): Preauthentication failed while getting initial credentials
At this point, I don't know if it is an account issue on the AD server, the keytab file, postgres configuration, psql or something else!!! I did try some linux forums, but no response from there.
Any help much appreciated.
Thanks.
On Wed, Jun 2, 2010 at 22:42, Bryan Montgomery <monty@english.net> wrote:
> Hello,
> I'm trying to get kerberos working with postgres 8.4 on openSUSE
> authenticating against AD. I have the server configured and can do a kinit
> against my account on the server. I have a keytab file produced by the
> administrators.
>
> $ klist -kt poe3b.keytab
> Keytab name: FILE:bob.keytab
> KVNO Timestamp Principal
> ---- ----------------- --------------------------------------------------------
> 1 12/31/69 19:00:00 HTTP/bob.lab2k.net@LAB2K.NET
> I've added
> krb_srvname = 'HTTP' to postgresql.conf

Have you also added this on the client side? Either to the connection string or to the environment variable? And if you did it with the environment variable, double-check that it actually took effect in the client app - sometimes you need to log out and back in again when using the GUI editors, and if you changed it from the commandline it might simply be gone.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
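
Added example, not part of the thread or of PostgreSQL: a small Python check that compares the service/host a libpq client would request (krbsrvname in the connection string, else the PGKRBSRVNAME environment variable, else the default "postgres") with the entries listed by klist -kt. It assumes the client uses the host name exactly as given to -h, with no canonicalization; the function names are hypothetical.

```python
import re

# Constructed sample input: the `klist -kt` output quoted in the thread.
KLIST_OUTPUT = """\
Keytab name: FILE:bob.keytab
KVNO Timestamp Principal
---- ----------------- --------------------------------------------------------
1 12/31/69 19:00:00 HTTP/bob.lab2k.net@LAB2K.NET
"""

LIBPQ_DEFAULT_SRVNAME = "postgres"  # used when krbsrvname is not set anywhere


def keytab_entries(klist_text):
    """Return (service, host) pairs for service principals in `klist -kt` output."""
    entries = []
    for line in klist_text.splitlines():
        fields = line.split()
        # Entry rows start with the numeric KVNO and end with the principal.
        if len(fields) >= 2 and fields[0].isdigit() and "/" in fields[-1]:
            name = fields[-1].rpartition("@")[0] or fields[-1]
            service, _, host = name.partition("/")
            entries.append((service, host.lower()))
    return entries


def client_service_name(conninfo="", environ=None):
    """krbsrvname from the connection string, else PGKRBSRVNAME, else the default."""
    m = re.search(r"\bkrbsrvname\s*=\s*'?([^'\s]+)", conninfo)
    if m:
        return m.group(1)
    return (environ or {}).get("PGKRBSRVNAME", LIBPQ_DEFAULT_SRVNAME)


def check(klist_text, host, conninfo="", environ=None):
    """Return (verdict, requested) comparing the client's target with the keytab."""
    service = client_service_name(conninfo, environ)
    requested = f"{service}/{host}"
    entries = keytab_entries(klist_text)
    if (service, host.lower()) in entries:
        return "match", requested
    if any(s == service for s, _ in entries):
        return "host mismatch", requested
    return "service mismatch", requested


if __name__ == "__main__":
    print(check(KLIST_OUTPUT, "bob"))
    print(check(KLIST_OUTPUT, "bob", "krbsrvname=HTTP"))
    print(check(KLIST_OUTPUT, "bob.lab2k.net", environ={"PGKRBSRVNAME": "HTTP"}))
```

Pass os.environ as the environ argument to test the environment the client process actually sees, which is the point of the double-check suggested in the reply.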