Re: Service principal, GSSAPI and JDBC connection issue

Is anyone else using GSSAPI authentication?

I would like to submit a patch to fix my problem, but I would like
someone with a different kerberos setup then me to verify it doesn't
cause them issues.

thanks,

Patrick


On 12/6/13, 2:48 PM, Patrick Radtke wrote:
> Hi,
>
> I'm using PostgreSQL 9.1 and I have configured GSSAPI authentication for
> my client application.
>
> The client application has this principal:
> service/uaa-authz-uat01@stanford.edu
>
> and I have it mapped to the DB role/user uaa
>
> pg_ident.conf
> # MAPNAME     SYSTEM-USERNAME                 PG-USERNAME
> krb5          service/uaa-authz-uat01            uaa
>
> Connecting works fine with psql. I use k5start to get the appropriate
> tickets and then connect
>
> k5start -qUf /etc/oauth/keytab -- psql -h authz-uat01 -U uaa
>
> However, when I try connecting with the JDBC driver I run into trouble.
> I've configured my JAAS config
>
> pgjdbc {
>       com.sun.security.auth.module.Krb5LoginModule required
>          principal="service/uaa-authz-uat01"
>          useKeyTab=true
>          keyTab="/etc/oauth/keytab"
>          doNotPrompt=true
>          useTicketCache=true
>          storeKey=true
>          debug=true
>          renewTGT=true;
> };
>
> and my JDBC connection with these properties
> database:
>    driverClassName: org.postgresql.Driver
>    url:
> jdbc:postgresql://authz-uat01.stanford.edu/uaa?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
>
>    username: uaa
>
>
> however when I go to connect I get the error
> "No valid credentials provided (Mechanism level: Failed to find any
> Kerberos tgt)" which is odd because in the JAAS debug output it seems to
> be able to create a tgt based on the keytab just fine.
>
> Reviewing the code in 'MakeGSS.java' I see the problem.
>
> GSSName clientName = manager.createName(user, GSSName.NT_USER_NAME);
>
> GSSCredential clientCreds = manager.createCredential(clientName, 8*3600,
> desiredMechs, GSSCredential.INITIATE_ONLY);
>
> The driver assumes that the client is a 'GSSName.NT_USER_NAME' which is
> "Name type to indicate a named user on a local system.". It passes in
> 'uaa' (the username) to createName(), and then the next call to
> createCredential() fails since the tgt is for 'service/uaa-authz-uat01'
> and its looking for one that matches 'uaa'.
>
> Setting the db username to 'service/uaa-authz-uat01' gets by the GSSAPI
> issues, but then fails because I don't have (nor wish to have) a
> postgres user with the same name.
>
> Deleting those two lines, and changing the manager.createContext() call to
>
>       GSSContext secContext = manager.createContext(serverName,
> desiredMechs[0], null, GSSContext.DEFAULT_LIFETIME);
>
> e.g. using a null for the 3rd argument
>
> makes the driver work fine.
>
> The javadoc for manager.createContext() says "Use null to act as the
> default initiator principal.".
>
> So...
> does that mean the two lines related clientCreds/Name aren't needed at all?
> If they are needed for some scenarios, how can the code be modified to
> handle both use cases?
>
>
> thanks,
>
> Patrick
>
>
>
>
>
>