Hi,
I'm using PostgreSQL 9.1 and I have configured GSSAPI authentication for
my client application.
The client application has this principal:
service/uaa-authz-uat01@stanford.edu
and I have it mapped to the DB role/user uaa
pg_ident.conf
# MAPNAME SYSTEM-USERNAME PG-USERNAME
krb5 service/uaa-authz-uat01 uaa
Connecting works fine with psql. I use k5start to get the appropriate
tickets and then connect
k5start -qUf /etc/oauth/keytab -- psql -h authz-uat01 -U uaa
However, when I try connecting with the JDBC driver I run into trouble.
I've configured my JAAS config
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
principal="service/uaa-authz-uat01"
useKeyTab=true
keyTab="/etc/oauth/keytab"
doNotPrompt=true
useTicketCache=true
storeKey=true
debug=true
renewTGT=true;
};
and my JDBC connection with these properties
database:
driverClassName: org.postgresql.Driver
url:
jdbc:postgresql://authz-uat01.stanford.edu/uaa?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
username: uaa
however when I go to connect I get the error
"No valid credentials provided (Mechanism level: Failed to find any
Kerberos tgt)" which is odd because in the JAAS debug output it seems to
be able to create a tgt based on the keytab just fine.
Reviewing the code in 'MakeGSS.java' I see the problem.
GSSName clientName = manager.createName(user, GSSName.NT_USER_NAME);
GSSCredential clientCreds = manager.createCredential(clientName, 8*3600,
desiredMechs, GSSCredential.INITIATE_ONLY);
The driver assumes that the client is a 'GSSName.NT_USER_NAME' which is
"Name type to indicate a named user on a local system.". It passes in
'uaa' (the username) to createName(), and then the next call to
createCredential() fails since the tgt is for 'service/uaa-authz-uat01'
and its looking for one that matches 'uaa'.
Setting the db username to 'service/uaa-authz-uat01' gets by the GSSAPI
issues, but then fails because I don't have (nor wish to have) a
postgres user with the same name.
Deleting those two lines, and changing the manager.createContext() call to
GSSContext secContext = manager.createContext(serverName,
desiredMechs[0], null, GSSContext.DEFAULT_LIFETIME);
e.g. using a null for the 3rd argument
makes the driver work fine.
The javadoc for manager.createContext() says "Use null to act as the
default initiator principal.".
So...
does that mean the two lines related clientCreds/Name aren't needed at all?
If they are needed for some scenarios, how can the code be modified to
handle both use cases?
thanks,
Patrick