Greetings,
* Matthew Dennison (mail@matty-uk.co.uk) wrote:
> No matter what I try I don't seem to be able to get the psl command locally to work using Kerberos. I receive for
followingmessage:
> FATAL: GSSAPI authentication failed for user "postgres"
> FATAL: GSSAPI authentication failed for user myad.username@MYDOMAIN.NET
[...]
> kinit -kt /pgcluster/data/postgres.keytab
POSTGRES/hostname.mydomain.net@MYDOMAIN.NET<mailto:POSTGRES/hostname.mydomain.net@MYDOMAIN.NET>
> klist
> Ticket cache: KCM:0:20151
> Default principal: POSTGRES/hostname.mydomain.net@MYDOMAIN.NET
>
> Valid starting Expires Service principal
> 23/02/24 10:19:12 23/02/24 20:19:12 krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
> renew until 23/02/24 20:19:12
Doesn't look like you're actually getting a PG tickets ...
> psql -h localhost -U postgres -d postgres
And this might be why. Don't use '-h localhost' because that'll, by
default anyway, cause the Kerberos library to try to do reverse DNS on
the address you are trying to connect to (::1/128, for example) ... and
that possibly just resolves to 'localhost', which isn't the server's
name that you're trying to connect to. If the rDNS lookup fails then
we'll use what you provided- but again, that's just 'localhost' and
isn't the server's name in the AD realm.
Try doing:
psql -h hostname.mydomain.net -U postgres -d postgres
instead, and update your pg_hba.conf to match those connections which
are coming into the system's actual IP address instead of only matching
loaclhost connection attempts.
You're definitely not going to have any succcess until you can do a
'klist' and see a POSTGRES/hostname.mydomain.net ticket listed after
doing your psql attempt.
Thanks,
Stephen