RE: Unable to get PostgreSQL 15 with Kerberos (GSS) working

From Matthew Dennison
Subject RE: Unable to get PostgreSQL 15 with Kerberos (GSS) working
Date
Msg-id AS2P191MB23272C17F525B660638434E4A7582@AS2P191MB2327.EURP191.PROD.OUTLOOK.COM
In reply to Re: Unable to get PostgreSQL 15 with Kerberos (GSS) working  (Stephen Frost <sfrost@snowman.net>)
Responses Re: Unable to get PostgreSQL 15 with Kerberos (GSS) working
List pgsql-general
I have subsequently discovered that the psql command running from remote Windows (server/client) and RHEL8 works as
expected using GSS.  PGAdmin4 also works via Kerberos (was on my list of things to get working).  It's just locally on
the server psql will not work to postgresql running on the same server.

I really don't get it, but have decided I can live without it working on the server.

R
-----Original Message-----
From: Stephen Frost <sfrost@snowman.net>
Sent: Monday, February 26, 2024 7:33 PM
To: Matthew Dennison <mail@matty-uk.co.uk>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Unable to get PostgreSQL 15 with Kerberos (GSS) working

Greetings,

* Matthew Dennison (mail@matty-uk.co.uk) wrote:
> No matter what I try I don't seem to be able to get the psql command locally to work using Kerberos.  I receive the
> following message:
> FATAL:  GSSAPI authentication failed for user "postgres"
> FATAL:  GSSAPI authentication failed for user
> myad.username@MYDOMAIN.NET
[...]
> kinit -kt /pgcluster/data/postgres.keytab POSTGRES/hostname.mydomain.net@MYDOMAIN.NET
> klist
> Ticket cache: KCM:0:20151
> Default principal: POSTGRES/hostname.mydomain.net@MYDOMAIN.NET
>
> Valid starting     Expires            Service principal
> 23/02/24 10:19:12  23/02/24 20:19:12  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
>         renew until 23/02/24 20:19:12

Doesn't look like you're actually getting a PG ticket ...

> psql -h localhost -U postgres -d postgres

And this might be why.  Don't use '-h localhost' because that'll, by default anyway, cause the Kerberos library to try
to do reverse DNS on the address you are trying to connect to (::1/128, for example) ... and that possibly just resolves
to 'localhost', which isn't the server's name that you're trying to connect to.  If the rDNS lookup fails then we'll use
what you provided - but again, that's just 'localhost' and isn't the server's name in the AD realm.

Try doing:

psql -h hostname.mydomain.net -U postgres -d postgres

instead, and update your pg_hba.conf to match those connections which are coming into the system's actual IP address
instead of only matching localhost connection attempts.

You're definitely not going to have any success until you can do a 'klist' and see a POSTGRES/hostname.mydomain.net
ticket listed after doing your psql attempt.

Thanks,

Stephen
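
The lookup described in the message above, as an added example that is not part of the original thread and is not code from PostgreSQL or any Kerberos library: a simplified Python model of how the name given to `-h` turns into the service principal the client requests, compared against the principal in the keytab. The service name, host name and realm come from the thread; the DNS tables and the address 192.0.2.10 are constructed assumptions.

```python
import socket

def dns_forward(host):
    """First address the system resolver returns for host."""
    return socket.getaddrinfo(host, None)[0][4][0]

def dns_reverse(addr):
    """PTR name for addr; raises OSError (socket.herror) when there is none."""
    return socket.gethostbyaddr(addr)[0]

def table_resolver(table):
    """Offline stand-in for DNS: look names up in a dict, fail like a resolver."""
    def lookup(key):
        if key not in table:
            raise OSError(f"no record for {key}")
        return table[key]
    return lookup

def canonical_host(host, forward=dns_forward, reverse=dns_reverse):
    """Simplified model of the lookup described in the message: resolve the
    name given to -h, reverse-resolve that address, and fall back to the
    name as typed when the lookup fails."""
    try:
        return reverse(forward(host)).lower()
    except OSError:
        return host.lower()

def expected_spn(host, service, realm, forward=dns_forward, reverse=dns_reverse):
    """Service principal the client would request a ticket for."""
    return f"{service}/{canonical_host(host, forward, reverse)}@{realm}"

# Constructed sample data; 192.0.2.10 is a documentation address (assumption).
FORWARD = {"localhost": "::1", "hostname.mydomain.net": "192.0.2.10"}
REVERSE = {"::1": "localhost", "192.0.2.10": "hostname.mydomain.net"}
KEYTAB_PRINCIPAL = "POSTGRES/hostname.mydomain.net@MYDOMAIN.NET"

if __name__ == "__main__":
    fwd, rev = table_resolver(FORWARD), table_resolver(REVERSE)
    for host in ("localhost", "hostname.mydomain.net"):
        spn = expected_spn(host, "POSTGRES", "MYDOMAIN.NET", fwd, rev)
        verdict = "matches keytab" if spn == KEYTAB_PRINCIPAL else "no such principal in keytab"
        print(f"psql -h {host}: {spn} ({verdict})")
```

Calling `expected_spn` without the resolver arguments uses the system resolver, which shows what the host itself returns for the name you pass to `-h`.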


