Re: GSS Authentication

As suggested below, I just tried this:

kinit -S POSTGRES/host.domain.com user

(where user is my account name in AD).  That then asked for my password and when I entered it, it seemed to work. And now klist shows that I have a ticket.  Doing it this way though, the keytab file doesn't seem to come into play.  Does this point to something in my keytab file being wrong?

I did this: 

klist -ket postgres.keytab

and got:

KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)

That timestamp seems kinda funky, doesn't it?  12/31/69?  That can't be right, can it?

Thanks again.

Greig

----- Original Message -----
From: "Stephen Frost" <sfrost@snowman.net>
To: "Bryan Montgomery" <monty@english.net>
Cc: greigwise@comcast.net, pgsql-general@postgresql.org
Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication

* Bryan Montgomery (monty@english.net) wrote:
> I've been trying this as well off and on. In my case I'm not convinced the
> AD configuration is correct (And someone else manages that).

Yeah, that can be a challenge..  but it's *definitely* possible to get
it set up and working correctly.

> Can you use kinit with the key tab options to get a good response from the
> server? I think I should be able to do this ..
> $ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
> kinit(v5): Preauthentication failed while getting initial credentials

err, I'm not sure that should be expected to work.

What does klist -ek <keytab file> return?  Also, you should be able to
kinit to *your* princ in the AD, and if you can do that, you should be
able to use your princ to request the service princ ticket from the KDC
by doing kinit -S HTTP/poe3b.lab2k.net your.princ

Also, provided your *client* is set up/configured correctly, you should
be able to see that it acquires the ticket (by using klist) when you try
to connect to the server, even if the server is misconfigured.

> I'd be interested to know if you get something different - and the steps you
> went through on the AD side.

You have to create an account in Active Directory for the PG service and
then use:

ktpass /princ POSTGRES/myserver.mydomain.com@MYDOMAIN.COM /mapuser
postgres@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype
KRB5_NT_PRINCIPAL /out krb5.keytab

Then copy that krb5.keytab to the server.  Note that you then have to
adjust the server config to have service name set to POSTGRES, and
adjust clients using the environment variables to indiciate they should
ask for POSTGRES (instead of the postgres default).

        Thanks,

                Stephen