Re: GSSAPI / Kerberos Authentication

I was just looking at the Kerberos support. Is your server principal postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It probably won't affect you but think it needs to be POSTGRES/x.y.z@REALM for windows networks.

I'll have to check my notes for more details, e.g., I'm 99% sure it's 'postgres' and not 'postgresql'.

I know you need to use password authentication from the client - and the username has to be simple (bob@REALM, not bob/postgres@REALM). I'll be submitting a patch to support a keytab file and compound principals when I have some free time.

Bear

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven <SWeingartner@semprautilities.com> wrote:

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi.  I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4).  Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

 

[sweingar@pglgisprtd001 ~]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

 

or from a windows client

 

C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar

psql: SSPI continuation error: The specified target is unknown or unreachable

(80090303)

 

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.  I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.