Thread: Can't connect to DB using GSS(Kerberos) auth
Before I did anything I checked the ticket cache:
someuser@clienthost:~$ kinit -k -t drhouse.keytab -p drhouse
someuser@clienthost:~$ klist -f
Ticket cache: FILE:/tmp/krb5cc_20000_Z95lup
Default principal: drhouse@HOSPITAL.DE
Valid starting       Expires              Service principal
13.05.2015 xx:xx:xx  13.05.2015 xx:xx:xx  krbtgt/HOSPITAL.DE@HOSPITAL.DE
        renew until 14.05.2015 xx:xx:xx, Flags: FPRIA
This is the corresponding keytab for drhouse:
someuser@clienthost:~$ ktutil
ktutil: read_kt drhouse.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    5 drhouse@HOSPITAL.DE
   2    5 drhouse@HOSPITAL.DE
   3    5 drhouse@HOSPITAL.DE
   4    5 drhouse@HOSPITAL.DE
Now I launched Eclipse from that shell and tried something like this:
Properties connectionProps = new Properties();
connectionProps.setProperty("user", "drhouse");
connectionProps.setProperty("loglevel", Integer.toString(org.postgresql.Driver.DEBUG));
String databaseUrl = "jdbc:" + DBMS + "://" + HOST + "/" + DATABASE;
connection = DriverManager.getConnection(databaseUrl, connectionProps);
The result was a failure to connect:
xx:xx:xx.879 (1) PostgreSQL 9.2 JDBC3 (build 1002)
xx:xx:xx.883 (1) Trying to establish a protocol version 3 connection to databasehost:5432
xx:xx:xx.895 (1) Receive Buffer Size is 186240
xx:xx:xx.895 (1) Send Buffer Size is 43520
xx:xx:xx.895 (1) FE=> StartupPacket(user=drhouse, database=measurements, client_encoding=UTF8, DateStyle=ISO, extra_float_digits=2, TimeZone=Europe/Berlin)
xx:xx:xx.898 (1) <=BE AuthenticationReqGSS
org.postgresql.util.PSQLException: GSS Authentication failed
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:47)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:486)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:173)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:64)
at org.postgresql.jdbc2.AbstractJdbc2Connection.<init>(AbstractJdbc2Connection.java:136)
at org.postgresql.jdbc3.AbstractJdbc3Connection.<init>(AbstractJdbc3Connection.java:29)
at org.postgresql.jdbc3.Jdbc3Connection.<init>(Jdbc3Connection.java:24)
at org.postgresql.Driver.makeConnection(Driver.java:393)
at org.postgresql.Driver.connect(Driver.java:267)
at java.sql.DriverManager.getConnection(DriverManager.java:571)
at java.sql.DriverManager.getConnection(DriverManager.java:187)
at tlogger.TLogger.start(TLogger.java:123)
at tlogger.TLogger.main(TLogger.java:108)
SQLException: SQLState(08006)
getConnection failed: org.postgresql.util.PSQLException: GSS Authentication failed
GSS Authentication failed
On the server it looked like this:
2015-05-13 xx:xx:xx CEST LOG: connection received: host=databasehostip port=39829
2015-05-13 xx:xx:xx CEST FATAL: GSSAPI authentication failed for user "drhouse"
2015-05-13 xx:xx:xx CEST DETAIL: Connection matched pg_hba.conf line 95: "host all all ne.tm.as.k/16 gss"
BUT when I tried to connect using psql (from that very same shell):
someuser@clienthost:/$ psql -U drhouse -h databasehost measurements
psql (9.4.1, server 9.3.6)
SSL connection (protocol: TLSv1.2, cipher: DHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
Type "help" for help.
measurements=>
Looking at the ticket cache:
someuser@clienthost:~/eclipse$ klist -f
Ticket cache: FILE:/tmp/krb5cc_20000_Z95lup
Default principal: drhouse@HOSPITAL.DE
Valid starting       Expires              Service principal
13.05.2015 xx:xx:xx  13.05.2015 xx:xx:xx  krbtgt/HOSPITAL.DE@HOSPITAL.DE
        renew until 14.05.2015 xx:xx:xx, Flags: FPRIA
13.05.2015 xx:xx:xx  13.05.2015 xx:xx:xx  postgres/databasehost.dep.hospital.de@
        renew until 14.05.2015 xx:xx:xx, Flags: FPRAT
13.05.2015 xx:xx:xx  13.05.2015 xx:xx:xx  postgres/databasehost.dep.hospital.de@HOSPITAL.DE
        renew until 14.05.2015 xx:xx:xx, Flags: FPRAT
Any hint on what might be going wrong?
Thanks,
Alex