Thread: Having trouble with connecting to database via kerberos
Hello! I wonder if you folks can help me. I am having the hardest time location documentation on, or otherwise figuring out howto connect to a Kerberos-authenticated database using pgAdmin in Amazon RDS. I can connect to the database just fine with psql + kinit on linux, but the rest of my team is on Windows and pgAdmin. How, in general, do you connect to a Kerberos-authenticated database from pgAdmin on Windows? I haven't been able to findthe answer to this question. In particular, I am connecting to a 12.3 pgsql database hosted on amazon RDS. No matter what I try, whenever I try to authvia Kerberos, I get this error: SSPI continuation error: The specified target is unknown or unreachable (80090303) If I connect using a local pg user, the connection succeeds. If I connect using kinit + psql on linux, the connection succeeds. If I connect using the correct host endpoint, I get the error above. If I connect using the AWS alternative method described here[1] of connecting to <endpoint>.<aws-ad-domain>, I *still* getthe error above. Is there anyone who can help? 1: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html Daniel Haskin ________________________________ This email is intended solely for the recipient. It may contain privileged, proprietary or confidential information or material.If you are not the intended recipient, please delete this email and any attachments and notify the sender of theerror.
Hi
On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <DHaskin@verisk.com> wrote:
Hello!
I wonder if you folks can help me. I am having the hardest time location documentation on, or otherwise figuring out how to connect to a Kerberos-authenticated database using pgAdmin in Amazon RDS.
I can connect to the database just fine with psql + kinit on linux, but the rest of my team is on Windows and pgAdmin.
How, in general, do you connect to a Kerberos-authenticated database from pgAdmin on Windows? I haven't been able to find the answer to this question.
In particular, I am connecting to a 12.3 pgsql database hosted on amazon RDS. No matter what I try, whenever I try to auth via Kerberos, I get this error:
SSPI continuation error: The specified target is unknown or unreachable
(80090303)
If I connect using a local pg user, the connection succeeds.
If I connect using kinit + psql on linux, the connection succeeds.
If I connect using the correct host endpoint, I get the error above.
If I connect using the AWS alternative method described here[1] of connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above.
Is there anyone who can help?
1: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
pgAdmin doesn't (yet) officially support kerberos authentication. You can use SSPI if you're connecting from Windows to a Windows-hosted PostgreSQL server in a domain or on a the same machine (I actually verified that works yesterday), or you can in theory use GSSAPI to authenticate to a Linux hosted server if you're on a Linux client (I'm working on verifying that at the moment).
Once I've got those scenarios working and verified, I'll move on to figuring out how to handle Windows/Mac clients connecting with GSSAPI.
Note that SSPI/GSSAPI will require that you're running pgAdmin in Desktop mode. It will not work in Server mode (because the server will typically be running under a different user account). There's a feature request for that in the backlog.
On Fri, Aug 28, 2020 at 11:03 AM Dave Page <dpage@pgadmin.org> wrote:
HiOn Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <DHaskin@verisk.com> wrote:Hello!
I wonder if you folks can help me. I am having the hardest time location documentation on, or otherwise figuring out how to connect to a Kerberos-authenticated database using pgAdmin in Amazon RDS.
I can connect to the database just fine with psql + kinit on linux, but the rest of my team is on Windows and pgAdmin.
How, in general, do you connect to a Kerberos-authenticated database from pgAdmin on Windows? I haven't been able to find the answer to this question.
In particular, I am connecting to a 12.3 pgsql database hosted on amazon RDS. No matter what I try, whenever I try to auth via Kerberos, I get this error:
SSPI continuation error: The specified target is unknown or unreachable
(80090303)
If I connect using a local pg user, the connection succeeds.
If I connect using kinit + psql on linux, the connection succeeds.
If I connect using the correct host endpoint, I get the error above.
If I connect using the AWS alternative method described here[1] of connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above.
Is there anyone who can help?
1: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.htmlpgAdmin doesn't (yet) officially support kerberos authentication. You can use SSPI if you're connecting from Windows to a Windows-hosted PostgreSQL server in a domain or on a the same machine (I actually verified that works yesterday), or you can in theory use GSSAPI to authenticate to a Linux hosted server if you're on a Linux client (I'm working on verifying that at the moment).Once I've got those scenarios working and verified, I'll move on to figuring out how to handle Windows/Mac clients connecting with GSSAPI.Note that SSPI/GSSAPI will require that you're running pgAdmin in Desktop mode. It will not work in Server mode (because the server will typically be running under a different user account). There's a feature request for that in the backlog.
FYI, I've also confirmed that Linux - Linux works with GSSAPI.