Discussion: Kerberized login to Postgres database
Hi all!

I have a problem with kerberizing PostgreSQL 9.1.1.

PostgreSQL and Kerberos are installed on different computers in the network. I'm using an internal network in VirtualBox 4.1.6.
There are no firewalls on either machine.

So, let's see pg_hba.conf:

less /var/lib/pgsql/data/pg_hba.conf

# TYPE  DATABASE  USER  ADDRESS           METHOD

# "local" is for Unix domain socket connections only
local   all       all                     trust
# IPv4 local connections:
host    all       all   127.0.0.1/32      trust
host    all       all   192.168.100.0/24  krb5

And the content of my postgresql.conf:

# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
#krb_srvname = 'postgres'   # (Kerberos only)
#krb_caseins_users = off

Principals in the keytab file:

postgres/db.domain.int@DOMAIN.INT
host/db.domain.int@DOMAIN.INT

Passwords for the principals in the keytab were randomly generated by kadmin.local during export to the keytab.

User postgres exists in the database, of course.

Now, let's try to connect to the postgres database through Kerberos:

[postgres@localhost eugene]$ kinit postgres
Password for postgres@DOMAIN.INT:
[postgres@localhost eugene]$ klist
Ticket cache: FILE:/tmp/krb5cc_481
Default principal: postgres@DOMAIN.INT
Valid starting     Expires            Service principal
12/30/11 12:21:14  12/31/11 12:21:14  krbtgt/DOMAIN.INT@DOMAIN.INT
        renew until 01/06/12 12:21:14

All works well. Other services, such as kerberized login to the operating system, work fine.

But if I try to connect to the postgres database:

[postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
psql: Kerberos 5 authentication rejected: Wrong principal in request

What am I doing wrong? Any ideas? Questions?

Thanks in advance for your help.
---
Best regards,
Budanov Eugene
On 2012-01-10 07:05, Eugene Budanov wrote:
> [postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
> psql: Kerberos 5 authentication rejected: Wrong principal in request

If Kerberos is unable to do a reverse lookup of the IP address, it will also be unable to get the right ticket for the service.
You should try to connect by FQDN instead of IP address: psql -h FQDN -U USER.
BTW you don't need the host principal in the /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.

Regards

Geza
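The reply above turns on how the client builds the service principal name it asks the KDC for. The following added example (written for this page, not code from the thread, PostgreSQL or MIT krb5) models that step with a constructed resolver table instead of real DNS: the host given to psql -h is resolved, and when rdns is enabled the address's PTR record replaces the typed name, while an address without a PTR stays an IP literal. The model is a simplification of the library's canonicalisation logic (an assumption), but it is enough to show why a bare IP address depends on reverse DNS and a FQDN does not.

```python
"""Added example: derive the Kerberos service principal a client would
request for a given psql -h value, under a constructed resolver, and
check it against the names held in the server keytab.

Assumptions: a simplified model of MIT krb5 sname canonicalisation
(forward lookup, then PTR replacement when rdns is on); the DNS tables
and keytab contents below are constructed for the thread's lab."""

import ipaddress


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def canonical_host(host, forward, reverse, rdns=True):
    """forward: name -> address; reverse: address -> PTR name (both constructed)."""
    if _is_ip(host):
        addr, name = host, host             # IP literal: nothing to resolve forward
    elif host.lower() in forward:
        addr, name = forward[host.lower()], host.lower()
    else:
        raise LookupError(f"cannot resolve {host!r}")
    if rdns:
        name = reverse.get(addr, name)      # no PTR: keep what we already had
    return name.lower()


def service_principal(host, forward, reverse, realm, rdns=True, service="postgres"):
    return f"{service}/{canonical_host(host, forward, reverse, rdns)}@{realm}"


def diagnose(host, forward, reverse, keytab_principals, realm="DOMAIN.INT", rdns=True):
    """Return (principal the client would request, whether the keytab has it)."""
    princ = service_principal(host, forward, reverse, realm, rdns)
    return princ, princ in keytab_principals


# Constructed DNS data: the forward record is right in both cases; the PTR
# record is correct in REVERSE_OK and absent in REVERSE_MISSING.
FORWARD = {"db.domain.int": "192.168.100.10"}
REVERSE_OK = {"192.168.100.10": "db.domain.int"}
REVERSE_MISSING = {}
KEYTAB = {"postgres/db.domain.int@DOMAIN.INT"}

if __name__ == "__main__":
    for label, rev in (("PTR present", REVERSE_OK), ("PTR missing", REVERSE_MISSING)):
        for host in ("db.domain.int", "192.168.100.10"):
            for rdns in (True, False):
                princ, ok = diagnose(host, FORWARD, rev, KEYTAB, rdns=rdns)
                print(f"{label:12} host={host:15} rdns={rdns!s:5} -> {princ:38} "
                      f"{'match' if ok else 'MISMATCH'}")
```

Running it shows the FQDN producing postgres/db.domain.int@DOMAIN.INT in every combination, while the IP literal only matches when a correct PTR record exists and rdns is on; with rdns off or no PTR the client asks for postgres/192.168.100.10@DOMAIN.INT, which no keytab holds.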
Hi,

I had the same problem already, but I recompiled Postgres with GSSAPI, and it does work correctly.

On 1/10/12, Gémes Géza <geza@kzsdabas.hu> wrote:
> On 2012-01-10 07:05, Eugene Budanov wrote:
>> [postgres@localhost eugene]$ psql -h 192.168.100.10 -U postgres
>> psql: Kerberos 5 authentication rejected: Wrong principal in request
>
> If Kerberos is unable to do a reverse lookup of the IP address, it will
> also be unable to get the right ticket for the service.
> You should try to connect by FQDN instead of IP address: psql -h FQDN -U
> USER.
> BTW you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.
>
> Regards
>
> Geza
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin

--
With Best Regards
Rahimeh Khodadadi
Hi!

> You should try to connect by FQDN instead of IP address: psql -h FQDN -U USER.

I tried it. I got the same error. DNS lookup works fine.

> BTW you don't need the host principal in the
> /var/lib/pgsql/data/krb5.keytab keytab used only by postgres.

It's strange. The official postgres documentation says the opposite. Most of the docs about kerberizing Postgres say a host principal is needed in the keytab file.

---
Best regards,
Budanov Eugene
Hi!

> I had the same problem already, but I recompiled Postgres with GSSAPI, and it
> does work correctly.

Very interesting. Can you send me your config files?

---
Best regards,
Budanov Eugene
On 2012-01-11 07:44, Eugene Budanov wrote:
> Hi!
>
>> I had the same problem already, but I recompiled Postgres with GSSAPI, and it
>> does work correctly.
> Very interesting. Can you send me your config files?
>
> ---
> Best regards,
> Budanov Eugene

The relevant parts of my config are below:

postgresql.conf:

listen_addresses = '*'
krb_server_keyfile = '/etc/postgresql/postgres.keytab'
krb_caseins_users = on

pg_hba.conf:

host all all 0.0.0.0/0 gss

ktutil -k /etc/postgresql/postgres.keytab list gives:

Vno  Type                     Principal                                   Aliases
  1  aes256-cts-hmac-sha1-96  postgres/intranet.kzsdabas.hu@KZSDABAS.HU
  1  des3-cbc-sha1            postgres/intranet.kzsdabas.hu@KZSDABAS.HU
  1  arcfour-hmac-md5         postgres/intranet.kzsdabas.hu@KZSDABAS.HU

The service is running on a Debian squeeze box; the rest of the settings are unrelated.

Regards

Geza
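The two pg_hba.conf fragments in this thread differ in a way that matters for what actually gets enforced: PostgreSQL reads the file top to bottom and applies the first line whose connection type, database, user and client address all match, so a trust line placed before the krb5 or gss line decides the outcome for every address it covers. The following added example (written for this page, not part of the thread or of PostgreSQL) evaluates both files with that first-match rule and lists the lines that admit TCP clients with no authentication. It supports the syntax used here, the keyword all, comma-separated lists, CIDR and address-plus-netmask forms, and not the full pg_hba.conf grammar (an assumption: no @file, +role, samehost or samenet entries).

```python
"""Added example: first-match evaluation of pg_hba.conf rules, with the
two files quoted in the thread as constructed sample input."""

import ipaddress
import shlex

# Constructed copies of the two files posted in the thread.
EUGENE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS           METHOD
local   all       all                     trust
host    all       all   127.0.0.1/32      trust
host    all       all   192.168.100.0/24  krb5
"""

GEZA_HBA = "host all all 0.0.0.0/0 gss\n"


def parse_hba(text):
    """Return the rules of a pg_hba.conf file as dicts, in file order."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        f = shlex.split(line)
        if f[0] == "local":
            rules.append({"type": "local", "database": f[1], "user": f[2],
                          "address": None, "method": f[3]})
            continue
        # The address is CIDR ("192.168.100.0/24"), the keyword all, or an
        # address followed by a separate netmask field ("192.168.100.0 255.255.255.0").
        if "/" in f[3] or f[3] == "all":
            address, method = f[3], f[4]
        else:
            address, method = f"{f[3]}/{f[4]}", f[5]
        rules.append({"type": f[0], "database": f[1], "user": f[2],
                      "address": address, "method": method})
    return rules


def _field_matches(field, value):
    return field == "all" or value in field.split(",")


def _addr_matches(address, client_ip):
    if address == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(address, strict=False)


def auth_method(rules, conn_type, database, user, client_ip=None, ssl=False):
    """Return the auth method PostgreSQL would apply, or None when no line matches."""
    for r in rules:
        if r["type"] == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type != "host":
                continue
            if r["type"] == "hostssl" and not ssl:
                continue
            if r["type"] == "hostnossl" and ssl:
                continue
            if not _addr_matches(r["address"], client_ip):
                continue
        if not (_field_matches(r["database"], database) and _field_matches(r["user"], user)):
            continue
        return r["method"]          # first match wins; later lines are never consulted
    return None


def trust_over_tcp(rules):
    """Rules that admit TCP clients with no authentication at all."""
    return [r for r in rules if r["type"] != "local" and r["method"] == "trust"]


if __name__ == "__main__":
    rules = parse_hba(EUGENE_HBA)
    for ip in ("127.0.0.1", "192.168.100.20", "10.0.0.5"):
        print(ip, "->", auth_method(rules, "host", "postgres", "postgres", ip))
    for r in trust_over_tcp(rules):
        print("trust over TCP:", r["type"], r["database"], r["user"], r["address"])
    print("Geza, any address ->", auth_method(parse_hba(GEZA_HBA), "host", "x", "y", "10.0.0.5"))
```

With Eugene's file, a client on 192.168.100.0/24 gets krb5 and any other address is rejected, but anything reaching the server over the loopback TCP port is trusted without Kerberos; the audit function surfaces exactly that line. Géza's single 0.0.0.0/0 gss line applies GSSAPI to every TCP client and has no local line, so Unix-socket connections fall through to rejection.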
Hi,

I use postgres/fqdn-domain-name only.

# kadmin.local
kadmin.local: ank -randkey postgres/aftab.example.com
Principal "postgres/aftab.example.com@EXAMPLE.COM" created
# ktadd -k /tmp/postgresql.keytab postgres/aftab.example.com
Entry for principal postgres/aftab.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/tmp/postgresql.keytab.
Entry for principal postgres/aftab.example.com with kvno 3, encryption type DES cbc mode with CRC-32 added to keytab WRFILE:/tmp/postgresql.keytab.
# scp /tmp/postgresql.keytab aftab.example.com:/usr/local/pgsql/data/postgresql.keytab
# rm /tmp/postgresql.keytab
# chown postgres:postgres /usr/local/pgsql/data/postgresql.keytab
# chmod 400 /usr/local/pgsql/data/postgresql.keytab

2. I edited the parameter "krb_server_keytab" to the keytab file path.

Regards
Khodadadi

On 1/11/12, Gémes Géza <geza@kzsdabas.hu> wrote:
> On 2012-01-11 07:44, Eugene Budanov wrote:
>> Very interesting. Can you send me your config files?
>
> The relevant parts of my config are below:
> [...]
>
> Regards
>
> Geza

--
With Best Regards
Rahimeh Khodadadi