Discussion: Postgresql v9.2.4 Kerberos Client Authentication


Postgresql v9.2.4 Kerberos Client Authentication

From
Murthy Nunna
Date:

Hello PG Admins,

I am new to postgres and also to the list. I am glad I found this domain list for help.

I am setting up streaming replication using a Virtual IP.

Server1 is primary which has its own server IP address
Server2 is standby which has its own server IP address

We created a virtual IP (say pgvip) which is different from server IPs. This IP will move between server1 and server2 to help provide application transparency. Application uses “pgvip”, so when the standby is converted to serve as primary, we move the virtual IP from server1 to server2 and simply bring up the application with no changes. That is the idea.

Everything works fine EXCEPT Kerberos client authentication. We put both server key (postgres/server1@fnal.gov) and VIP key (postgres/pgvip@fnal.gov) in the keytab but it still doesn’t work. When I specify the physical hostname in the connect string of the client, Kerberos is able to authenticate. But when “pgvip” is used it fails.

Following is what I have in my postgresql.conf:

krb_server_keyfile = '/home/postgres/krb5/keytab'
krb_srvname = 'postgres'

I also tried krb_server_hostname in the pg_hba file as below. It didn’t work either. Maybe this is supposed to work but it may be wrong syntactically.

host   all         mnunna              0.0.0.0/0          krb5 krb_server_hostname='minos-ecl-pgvip'

Please help. Is what we are trying supported in postgres? If so, please point me in the right direction.

Thanks in advance for your help!

Murthy Nunna


Re: Postgresql v9.2.4 Kerberos Client Authentication

From
Scott Whitney
Date:
I don't have a lot of experience in that, specifically, but I _do_ have a lot of experience getting screwed by firewalls and IP tables (and SE Linux) in particular. You might double check those.


-------- Original message --------
From: Murthy Nunna <mnunna@fnal.gov>
Date: 01/17/2014 4:02 PM (GMT-06:00)
To: pgsql-admin@postgresql.org
Subject: [ADMIN] Postgresql v9.2.4 Kerberos Client Authentication


Re: Postgresql v9.2.4 Kerberos Client Authentication

From
Murthy Nunna
Date:

Hi Scott,

Thanks for your quick response.

Since client access is working fine with md5 access connecting from remote machines, I don’t think it is a firewall or IP table issue.

Thanks,

Murthy


From: Scott Whitney [mailto:scott@journyx.com]
Sent: Friday, January 17, 2014 4:06 PM
To: Murthy Nunna; pgsql-admin@postgresql.org
Subject: RE: [ADMIN] Postgresql v9.2.4 Kerberos Client Authentication

Re: Postgresql v9.2.4 Kerberos Client Authentication

From
Magnus Hagander
Date:
On Fri, Jan 17, 2014 at 11:00 PM, Murthy Nunna <mnunna@fnal.gov> wrote:


First of all, note that krb5 has been deprecated for several releases now, and you should probably be using "gss". That will use Kerberos "under the hood", but do so using a standard protocol.

Second - Kerberos is notoriously sensitive to DNS setups. Make sure you have both forward and reverse lookups working correctly for the VIP address. I've also generally seen better results if you use the FQDN of the hosts - both when accessing them and of course in the keys.

I would remove the server key from the keytab - it's supposed to pick it automatically, but I've seen issues sometimes with some kerberos libraries where it hasn't worked.

(The last two points are generic Kerberos points and not directly about PostgreSQL of course)

--
 Magnus Hagander
 Me: http://www.hagander.net/
 Work: http://www.redpill-linpro.com/
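The DNS and keytab checks Magnus describes, as an added example that is not part of the thread: a small Python model of how a Kerberos client derives the service principal from the host it connects to, and whether that principal is present in the server keytab. The realm `FNAL.GOV`, the DNS records and the `klist -k` listing are constructed assumptions, and the canonicalisation logic is a simplified model of the library behaviour rather than a reimplementation of it.

```python
import re

REALM = "FNAL.GOV"     # assumed realm, from the principals quoted in the thread
SERVICE = "postgres"   # krb_srvname from the poster's postgresql.conf

# Constructed DNS fixture: forward (A) and reverse (PTR) records.
FORWARD = {
    "server1.fnal.gov": "192.0.2.11",
    "pgvip.fnal.gov": "192.0.2.20",
    "pgvip": "192.0.2.20",  # short name, resolved through the search domain
}
REVERSE = {
    "192.0.2.11": "server1.fnal.gov",
    # deliberately no PTR for 192.0.2.20: the VIP was added without one
}

# Constructed `klist -k` listing for the server keytab, both keys present.
KLIST_OUTPUT = """\
Keytab name: FILE:/home/postgres/krb5/keytab
KVNO Principal
---- ----------------------------------
   3 postgres/server1.fnal.gov@FNAL.GOV
   3 postgres/pgvip.fnal.gov@FNAL.GOV
"""

def keytab_principals(klist_text):
    """Extract principal names from `klist -k` style output."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", klist_text, re.M)}

def expected_spn(connect_host, forward=FORWARD, reverse=REVERSE):
    """Simplified model of client name canonicalisation (MIT krb5 with rdns on):
    forward-resolve the host, reverse-resolve the address, build SERVICE/host@REALM.
    Returns (spn, problems)."""
    addr = forward.get(connect_host)
    if addr is None:
        return None, [f"no forward record for {connect_host}"]
    problems = []
    canon = reverse.get(addr)
    if canon is None:
        problems.append(f"no reverse record for {addr} ({connect_host})")
        canon = connect_host  # assumed fallback: keep the name the client typed
    if "." not in canon:
        problems.append(f"{canon} is not an FQDN")
    return f"{SERVICE}/{canon}@{REALM}", problems

def diagnose(connect_host, klist_text=KLIST_OUTPUT):
    """Which principal the client will request, and whether the keytab holds it."""
    spn, problems = expected_spn(connect_host)
    in_keytab = spn is not None and spn in keytab_principals(klist_text)
    return {"spn": spn, "in_keytab": in_keytab, "problems": problems}
```

Running `diagnose("pgvip")` against this fixture shows the short name producing a principal the keytab does not contain, while `diagnose("pgvip.fnal.gov")` finds the key but still flags the missing reverse record.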

Re: Postgresql v9.2.4 Kerberos Client Authentication

From
Murthy Nunna
Date:

Hi,

I am able to connect from a remote machine using the virtual IP and md5, but I am unable to connect using the virtual IP with krb5 or gss.

If this worked for you, would you please share your pg settings relevant to this?

I appreciate your help.

Thanks,

Murthy


From: pgsql-admin-owner@postgresql.org [mailto:pgsql-admin-owner@postgresql.org] On Behalf Of Murthy Nunna
Sent: Friday, January 17, 2014 4:01 PM
To: pgsql-admin@postgresql.org
Subject: [ADMIN] Postgresql v9.2.4 Kerberos Client Authentication
