Discussion: GSSAPI auth issue with windows 7 client, postgresql 9.2.3 linux server
Hi list,
I am able to successfully authenticate a Windows server AD user with
PostgreSQL 9.2.3 version from linux clients but it doesn't work with
a Windows client.
First I log on to Windows 7 using an Active Directory user, then I tried
to log in to the postgresql 9.2.3 server with psql:
psql -h hostname -p 5444
psql: SSPI continuation error: The encryption type requested is not
supported by the KDC. (80090342)
postgresql.log :
-1 log: connection received: host = 172.XXX.XXX.XXX port = 61877
-1FATAL: GSSAPI authentication failed for 'userXX' user
userXX exists in our postgresql server and pg_hba.conf applied to
172.XXX.XXX.XXX subnet is:
host all all 172.0.0.0/8 gss
Our postgresql.conf uses a keytab:
krb_server_keyfile = 'postgres.keytab'
And I have generated keytab with this ktpass command:
ktpass -out postgres.keytab -princ
postgres/hostname@domain -mapUser postgres -pass
XXX -crypto DES-CBC-MD5
The postgres user exists in the Active Directory and it has an SPN
defined:
C:\Users\Administrator>setspn -S postgres/hostname
domain\postgres
Checking domain DC=domain
Registering ServicePrincipalNames for CN=postgres,CN=Users,DC=domain
postgres/hostname
Updated object
If I login from a linux client to linux server, there is no problem:
[root@hostnane datos]# su - userXX
[userXX@hostname ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_503
Default principal: userXX@domain
Valid starting     Expires            Service principal
12/11/13 08:42:04  12/11/13 18:42:09  krbtgt/domain@domain
        renew until 12/18/13 08:42:04
12/11/13 08:42:43  12/11/13 18:42:09  postgres/hostname@domain
        renew until 12/18/13 08:42:04
[userXX@u2vbddpg ~]$ psql -h 172.XX.XX.XX
psql (9.2.1.3)
Type "help" for help.
edb=>
Thanks
* jaime soler (jaime.soler@gmail.com) wrote:
> psql: SSPI continuation error: The encryption type requested is not
> supported by the KDC. (80090342)
[...]
> ktpass -out postgres.keytab -princ
> postgres/hostname@domain -mapUser postgres -pass
> XXX -crypto DES-CBC-MD5
Not 100% sure this is it, but it looks like you're using an ancient
encryption algo which is no longer supported by MIT Kerberos (very
intentionally...). Why aren't you using AES256 instead?
Thanks,
Stephen
On Tue, 14-01-2014 at 08:19 -0500, Stephen Frost wrote:
> * jaime soler (jaime.soler@gmail.com) wrote:
> > psql: SSPI continuation error: The encryption type requested is not
> > supported by the KDC. (80090342)
> [...]
> > ktpass -out postgres.keytab -princ
> > postgres/hostname@domain -mapUser postgres -pass
> > XXX -crypto DES-CBC-MD5
> Not 100% sure this is it, but it looks like you're using an ancient
> encryption algo which is no longer supported by MIT Kerberos (very
> intentionally...). Why aren't you using AES256 instead?
So, should I use ALL as argument to -crypto option as it follows ?
ktpass -out postgres.keytab -princ
postgres/hostname@domain -mapUser postgres -pass
XXX -crypto ALL
Thanks,
Jaime
> Thanks,
> Stephen
* jaime soler (jaime.soler@gmail.com) wrote:
> So, should I use ALL as argument to -crypto option as it follows ?
>
> ktpass -out postgres.keytab -princ
> postgres/hostname@domain -mapUser postgres -pass
> XXX -crypto ALL
You could, or you could use AES256-SHA1 ...
Thanks,
Stephen
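Added example, not part of the thread or written by its participants: a small parser that lists the encryption type of every key in a keytab such as the postgres.keytab discussed above and flags single-DES entries. It assumes the MIT keytab file format version 0x0502; the function names and the sample bytes (dummy all-zero keys, placeholder principal from the thread) are constructed for illustration.

```python
import struct
# Kerberos enctype numbers; 1-3 are the single-DES family.
ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
            16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
SINGLE_DES = {1, 2, 3}

def counted(buf, pos):  # uint16 length prefix + bytes -> (text, new_pos)
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return [(principal, kvno, enctype_name, is_single_des)] for a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    out, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size <= 0:               # negative size marks a deleted entry (hole)
            pos -= size
            continue
        end, p = pos + size, pos
        (ncomp,) = struct.unpack_from(">H", data, p)
        realm, p = counted(data, p + 2)
        comps = []
        for _ in range(ncomp):
            c, p = counted(data, p)
            comps.append(c)
        p += 8                      # skip name type and timestamp (4 bytes each)
        kvno = data[p]
        enctype, keylen = struct.unpack_from(">HH", data, p + 1)
        p += 5 + keylen
        if end - p >= 4:            # optional 32-bit kvno replaces the 8-bit one
            (kvno,) = struct.unpack_from(">I", data, p)
        name = "/".join(comps) + "@" + realm
        out.append((name, kvno, ENCTYPES.get(enctype, f"etype-{enctype}"),
                    enctype in SINGLE_DES))
        pos = end
    return out

def make_entry(kvno, enctype, key, realm="domain", comps=("postgres", "hostname")):
    """Build one entry for the constructed SAMPLE below (dummy key bytes)."""
    s = lambda t: struct.pack(">H", len(t)) + t.encode()
    body = struct.pack(">H", len(comps)) + s(realm) + b"".join(map(s, comps))
    body += struct.pack(">IIBHH", 1, 0, kvno, enctype, len(key)) + key
    return struct.pack(">i", len(body)) + body

SAMPLE = b"\x05\x02" + make_entry(3, 3, bytes(8)) + make_entry(4, 18, bytes(32))
```

For a real file, pass `open("postgres.keytab", "rb").read()` to `parse_keytab`; on a host with MIT Kerberos, `klist -ke postgres.keytab` reports the same enctypes.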