Discussion: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"
I have Kerberos Authentication working for PostgreSQL 8.4 on Debian Squeeze, against a Windows 2000 Server Domain. I tried upgrading some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1, but Kerberos authentication breaks with the "Wrong principal in request" error.

These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do SSO in a Windows web browser and that gets passed to PostgreSQL, but I have the issue with psql as well and that is where I normally start troubleshooting. Mod-Auth-Kerb in Apache2 continues to authenticate and work after the upgrade, only PostgreSQL stops working.

Here is everything I've looked at and the results I get - I am baffled on why this stopped working with 9.1, my config is the same, hostnames, DNS, clocks, etc. look good and nothing changed there. Below is from a fresh, clean install of Debian Wheezy/PostgreSQL 9.1 on a new test VM and I still get the error. If anyone sees something I am doing wrong or something I missed and should be looking into, your advice would be greatly appreciated.

Thanks,
Josh

IN /etc/postgresql/9.1/main/postgresql.conf
krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'

IN /etc/postgresql/9.1/main/pg_hba.conf
host all all 10.203.105.96 255.255.255.255 krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# hostname --fqdn
ss-sv-tmp40.mydomain.local

root@ss-sv-tmp40:~# cat /etc/hosts
127.0.0.1 localhost
10.203.105.96 ss-sv-tmp40.mydomain.local ss-sv-tmp40

root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)

jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
Password for jdt@MYDOMAIN.LOCAL:
jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
	renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac

jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
psql: Kerberos 5 authentication rejected: Wrong principal in request
jdt@ss-sv-tmp40:~$ klist -e
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: jdt@MYDOMAIN.LOCAL

Valid starting     Expires            Service principal
31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
	renew until 31/05/2013 15:36, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
	renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc
31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
	renew until 31/05/2013 15:36, Etype (skey, tkt): des-cbc-crc, des-cbc-crc

root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
2013-05-31 07:38:07 EDT LOG:  Kerberos recvauth returned error -1765328240 postgres: Wrong principal in request from krb5_recvauth
2013-05-31 07:38:07 EDT FATAL:  Kerberos 5 authentication failed for user "jdt"

root@ss-sv-tmp40:~# cat /etc/krb5.conf
[libdefaults]
default_realm = MYDOMAIN.LOCAL
allow_weak_crypto = true
<snip>
Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"
From
Stephen Frost
Date:
Josh,

That key type (des-cbc-md5) has looonngggg been deprecated and has been actively disabled and disallowed from use in modern Kerberos libraries.

Please go get an AES256 key and install that instead.

Thanks,

Stephen

* Josh Tanski (mortonjt@rochester.rr.com) wrote:
> I have Kerberos Authentication working for PostgreSQL 8.4 on Debian
> Squeeze, against a Windows 2000 Server Domain. I tried upgrading
> some test servers to Debian Wheezy which upgrades PostgreSQL to 9.1,
> but Kerberos authentication breaks with the "Wrong principal in
> request" error.
>
> These servers ultimately use Apache2/mod-auth-kerb/php5-cgi to do
> SSO in a Windows web browser and that gets passed to PostgreSQL, but
> I have the issue with psql as well and that is where I normally
> start troubleshooting. Mod-Auth-Kerb in Apache2 continues to
> authenticate and work after the upgrade, only PostgreSQL stops
> working.
>
> Here is everything I've looked at and the results I get - I am
> baffled on why this stopped working with 9.1, my config is the same,
> hostnames, DNS, clocks, etc. look good and nothing changed there.
> Below is from a fresh, clean install of Debian Wheezy/ PostgreSQL
> 9.1 on a new test VM and I still get the error. If anyone sees
> something I am doing wrong or something I missed and should be
> looking into, your advice would be greatly appreciated.
>
> Thanks,
> Josh
>
> IN /etc/postgresql/9.1/main/postgresql.conf
> krb_server_keyfile = '/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab'
>
> IN /etc/postgresql/9.1/main/pg_hba.conf
> host all all 10.203.105.96 255.255.255.255
> krb5 krb_server_hostname=ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# hostname --fqdn
> ss-sv-tmp40.mydomain.local
>
> root@ss-sv-tmp40:~# cat /etc/hosts
> 127.0.0.1 localhost
> 10.203.105.96 ss-sv-tmp40.mydomain.local ss-sv-tmp40
>
>
> root@ss-sv-tmp40:~# klist -ek /etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> Keytab name: FILE:/etc/postgresql/9.1/main/ss-sv-tmp40_pg.keytab
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
>
>
> jdt@ss-sv-tmp40:~$ kinit jdt@MYDOMAIN.LOCAL
> Password for jdt@MYDOMAIN.LOCAL:
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting     Expires            Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
> 	renew until 31/05/2013 15:36, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
>
> jdt@ss-sv-tmp40:~$ psql -h ss-sv-tmp40.mydomain.local -U jdt
> psql: Kerberos 5 authentication rejected: Wrong principal in request
> jdt@ss-sv-tmp40:~$ klist -e
> Ticket cache: FILE:/tmp/krb5cc_1000
> Default principal: jdt@MYDOMAIN.LOCAL
>
> Valid starting     Expires            Service principal
> 31/05/2013 07:36  31/05/2013 15:36  krbtgt/MYDOMAIN.LOCAL@MYDOMAIN.LOCAL
> 	renew until 31/05/2013 15:36, Etype (skey, tkt):
> arcfour-hmac, arcfour-hmac
> 31/05/2013 07:38  31/05/2013 15:36  postgres/ss-sv-tmp40.mydomain.local@
> 	renew until 31/05/2013 15:36, Etype (skey, tkt):
> des-cbc-crc, des-cbc-crc
> 31/05/2013 07:38  31/05/2013 15:36
> postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL
> 	renew until 31/05/2013 15:36, Etype (skey, tkt):
> des-cbc-crc, des-cbc-crc
>
>
> root@ss-sv-tmp40:~# tail /var/log/postgresql/postgresql-9.1-main.log
> 2013-05-31 07:38:07 EDT LOG:  Kerberos recvauth returned error -1765328240
> postgres: Wrong principal in request from krb5_recvauth
> 2013-05-31 07:38:07 EDT FATAL:  Kerberos 5 authentication failed for
> user "jdt"
>
>
> root@ss-sv-tmp40:~# cat /etc/krb5.conf
> [libdefaults]
> default_realm = MYDOMAIN.LOCAL
> allow_weak_crypto = true
> <snip>
>
>
> --
> Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-admin
Attachments
Re: 8.4 to 9.1 Upgrade Kerberos Auth Stops Working "Wrong principal in request"
From
Josh Tanski
Date:
On 5/31/2013 8:46 AM, Stephen Frost wrote:
> That key type (des-cbc-md5) has looonngggg been deprecated and has
> been actively disabled and disallowed from use in modern Kerberos
> libraries.
>
> Please go get an AES256 key and install that instead.
>

Thanks - that was one of my fears - I just double checked and ktpass on Windows 2000 only gives me DES-CBC-CRC and DES-CBC-MD5 as crypto options, it won't accept AES256-SHA1. I already did have allow_weak_crypto on and a Group Policy for Windows 7 clients which did get it to work & cannot migrate from Windows 2000 just yet...

Josh

>> root@ss-sv-tmp40:~# cat /etc/krb5.conf
>> [libdefaults]
>> default_realm = MYDOMAIN.LOCAL
>> allow_weak_crypto = true
>> <snip>
>>
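As an added example (not part of the thread or of PostgreSQL), a small Python audit that applies Stephen's point to a `klist -ek` listing: it flags keytab entries whose enctype MIT Kerberos disables by default, reads whether krb5.conf's `allow_weak_crypto` is what lets them load at all, and lists which keys a service principal can actually use under that policy. The sample keytab listing and krb5.conf text are constructed from the values quoted in the thread plus one made-up AES entry for contrast; the hostname db2.mydomain.local is invented.

```python
import re

# Single-DES and export-RC4 enctypes: MIT krb5 1.8+ refuses to load them
# unless allow_weak_crypto = true is set under [libdefaults] in krb5.conf.
DISABLED = {"des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-hmac-sha1", "arcfour-hmac-exp"}
# Still loaded by default but deprecated; an AES key should replace them.
DEPRECATED = {"arcfour-hmac", "arcfour-hmac-md5", "des3-cbc-sha1"}
# One `klist -ek` entry, e.g. "   1 postgres/host@REALM (des-cbc-md5)"
KEYTAB_LINE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s+\((\S+)\)\s*$")

def classify(enctype):
    if enctype in DISABLED:
        return "disabled"
    return "deprecated" if enctype in DEPRECATED else "ok"

def audit_keytab(klist_ek_output):
    """Return (kvno, principal, enctype, verdict) for every keytab entry."""
    entries = []
    for line in klist_ek_output.splitlines():
        m = KEYTAB_LINE.match(line)
        if m:
            kvno, princ, enctype = m.groups()
            entries.append((int(kvno), princ, enctype, classify(enctype)))
    return entries

def allow_weak_crypto(krb5_conf):
    """True if [libdefaults] in krb5.conf sets allow_weak_crypto = true."""
    section = None
    for raw in krb5_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "libdefaults" and "=" in line:
            key, _, value = (p.strip() for p in line.partition("="))
            if key == "allow_weak_crypto":
                return value.lower() in ("true", "yes", "1")
    return False

def usable_keys(entries, principal, weak_allowed):
    """Keytab enctypes for `principal` that the library policy will load."""
    return [e for _, p, e, v in entries
            if p == principal and (v != "disabled" or weak_allowed)]

# Constructed sample: the thread's DES-only entry plus a made-up AES entry.
SAMPLE_KLIST = """KVNO Principal
---- ----------------------------------------------------------------
   1 postgres/ss-sv-tmp40.mydomain.local@MYDOMAIN.LOCAL (des-cbc-md5)
   2 postgres/db2.mydomain.local@MYDOMAIN.LOCAL (aes256-cts-hmac-sha1-96)
"""
SAMPLE_KRB5_CONF = "[libdefaults]\n default_realm = MYDOMAIN.LOCAL\n allow_weak_crypto = true\n"
```

Run `audit_keytab(SAMPLE_KLIST)` and `allow_weak_crypto(SAMPLE_KRB5_CONF)` against real `klist -ek` output and your own /etc/krb5.conf to see which entries exist only by virtue of the weak-crypto override.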