Re: GSSAPI Authentication using a CNAME

Description

I am not able to connect to my PostgreSQL Server using the PostgreSQL JDBC Driver with GSSAPI when using the short name if the short name is a CNAME Record.

The fully qualified domain name does work when it is a CNAME.

For comparison, the psql client is able to connect using the short name when it is a CNAME.

JDBC Version

postgresql-42.2.16.jar

Dependancies

commons-cli-1.4

$ cat /opt/pgsql/conf/jaas.conf 

pgjdbc {

com.sun.security.auth.module.Krb5LoginModule required

doNotPrompt=true

useTicketCache=true

renewTGT=true

debug=false

client=true;

};

Code Snippet

$ cat JDBCExample.java 

import java.sql.Connection;

import java.sql.DriverManager;

import java.sql.SQLException;

import org.apache.commons.cli.CommandLine;

import org.apache.commons.cli.CommandLineParser;

import org.apache.commons.cli.DefaultParser;

import org.apache.commons.cli.Option;

import org.apache.commons.cli.Options;

import org.apache.commons.cli.ParseException;

public class JDBCExample {

    public static void main(String[] args) throws ParseException {

        Options options = new Options();

        Option host = Option.builder()

            .longOpt("host")

            .argName("host")

            .hasArg()

            .desc("Name of the PostgreSQL Server.")

            .build();

        options.addOption(host);

        Option db = Option.builder()

            .longOpt("db")

            .argName("db")

            .hasArg()

            .desc("Name of the PostgreSQL Database.")

            .build();

        options.addOption(db);

        CommandLineParser parser = new DefaultParser();

        CommandLine cmd = parser.parse( options, args);

        String jdbcUrl = "jdbc:postgresql://" + cmd.getOptionValue("host") + ":5432/" + cmd.getOptionValue("db");

        try (Connection conn = DriverManager.getConnection(jdbcUrl)) {

            if (conn != null) {

                System.out.println("Connected to the database!");

            } else {

                System.out.println("Failed to make connection!");

            }

        } catch (SQLException e) {

            System.err.format("SQL State: %s\n%s", e.getSQLState(), e.getMessage());

        } catch (Exception e) {

            e.printStackTrace();

        }

    }

}

Compilation Steps

javac -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample.java

Results

$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf  -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname --db mydb

SQL State: 08006

GSS Authentication failed

$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host cname-hostname.example.com --db mydb

Connected to the database!

$ java -Djava.security.krb5.realm=EXAMPLE.COM -Djava.security.krb5.kdc=EXAMPLE.COM -Djava.security.auth.login.config=/opt/pgsql/conf/jaas.conf -cp .:postgresql-42.2.16.jar:commons-cli-1.4/commons-cli-1.4.jar JDBCExample --host hostname --db mydb

Connected to the database!

Jason Breitman