Discussion: Fwd: psql+krb5
---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
Date: 2009/11/29
Subject: Re: psql+krb5
To: Denis Feklushkin <denis.feklushkin@gmail.com>
These items have added after my sending.
I repeat again my configurations:
1) The configuration of krb5.conf is:
[realms]
EXAMPLE.COM ={.....[realms]
2) Then, I created principal as " postgres/star@EXAMPLE.COM " and its password is saved in '/usr/local/pgsql/data/postgresql.keytab' .
(star is localhost IP, but in hosts.conf I configure like: 213.233.169.93 star)
3) I setup postgresql.conf as below:
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off
4) I create user "frank" in Psql .
5) Then I set up hba.conf :
host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5
When I want to connect to Postgresql, it gives error.
# kinit frank
[root@star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)
I should mention that both postgresql server and krb-server are in same system and my IP is acquiring from dhcp server of university. Where is wrong.
2009/11/29 Denis Feklushkin <denis.feklushkin@gmail.com>
On Sun, 29 Nov 2009 14:23:52 +0330
> Thanks for your replying. My detail of configuration is:
> EXAMPLE.COM <http://example.com/><http://EXAMPLE.COM
>
> I try to setup kerberos authentication in Postgresql 8.1.18 on centos.
>
> But I have some problem.
>
> 1) The configuration of krb5.conf is:
> [realms]
> <http://example.com/>> ={^^^^^^^^^^^^^^^^ !!!>
> kdc=star :88
> admin_server=star:749
> default_domain= example.com<http://example.com
> >
> > >
> > }
> > .....
> >
> > 2) Then, I created principal as " postgres/star@EXAMPLE.COM<mailto:
> > star@EXAMPLE.COM> " and its password is saved in
> > '/usr/local/pgsql/data/postgresql.keytab' .
> >
> >
> > (star is localhost IP, but in hosts.conf I configure like:
> > 213.233.169.93 star)
> >
> > 3) I setup postgresql.conf as below:
> >
> > krb_server_keyfile = '/usr/local/pgsql/data/
> > postgresql.keytab'
> > krb_srvname = 'postgres/star@EXAMPLE.COM<mailto:star@EXAMPLE.COM>'
> >
> > krb_server_hostname = 'star' # empty string matches any
> > keytab entry
> > krb_caseins_users = off
> >
> > 4) I create user "frank" in Psql .
> >
> > 5) Then I set up hba.conf :
> >
> > host all all 0.0.0.0/0<http://0.0.0.0/0>
> > krb5
> > host all all 127.0.0.1/32<http://127.0.0.1/32>
> > krb5
> >
> >
> > When I want to connect to Postgresql, it gives error.
> >
> > # kinit frank
> >
> > [root@star bin]# ./psql -h star -U frank -d test
> >
> > psql: krb5_sendauth: Bad application version was sent (via sendauth)
> >
>
> some changes in users gives below error :
> "[root@www bin]# ./psql -h 213.233.168.249 -U postgres
> psql: Kerberos 5 authentication rejected: Wrong principal in
> request"
>
>
> > I should mention that both postgresql server and krb-server are in
> > same system and my IP is acquiring from dhcp server of university.
> > Where is wrong.
> >
>
>
>
> 2009/11/29 Denis Feklushkin <denis.feklushkin@gmail.com>
>
> > On Sun, 29 Nov 2009 10:48:30 +0330
> > rahimeh khodadadi <rahimeh.khodadadi@gmail.com> wrote:
> >
> > > Hi,
> > >
> > > When I want to connect to psql via krb5 in Linux, it gives me
> > > error like: "[root@www bin]# ./psql -h 213.233.168.249 -U
> > > postgres psql: Kerberos 5 authentication rejected: Wrong
> > > principal in request"
> >
> > What is in the KDC logs?
Also, the text you provided contains spaces in principal names and strange entries such as "<mailto:star@EXAMPLE.COM>".
When configuring, it is important that none of this is present.
--
With Best Regards
Miss.KHodadadi
2009/11/30 rahimeh khodadadi <rahimeh.khodadadi@gmail.com>:
>
>
> ---------- Forwarded message ----------
> From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
> Date: 2009/11/29
> Subject: Re: psql+krb5
> To: Denis Feklushkin <denis.feklushkin@gmail.com>

Please review the guidelines for reporting a problem, which you can find here:

http://wiki.postgresql.org/wiki/Guide_to_reporting_problems

It seems to me that you've done the exact opposite of nearly everything suggested there, starting with cross-posting your email to four mailing lists at least three of which are irrelevant to the problem that you're attempting to solve.

...Robert
Except that he posted a month ago and got no answers...

On Tue, Dec 1, 2009 at 8:22 AM, Robert Haas <robertmhaas@gmail.com> wrote:
> 2009/11/30 rahimeh khodadadi <rahimeh.khodadadi@gmail.com>:
>>
>>
>> ---------- Forwarded message ----------
>> From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
>> Date: 2009/11/29
>> Subject: Re: psql+krb5
>> To: Denis Feklushkin <denis.feklushkin@gmail.com>
>
> Please review the guidelines for reporting a problem, which you can find here:
>
> http://wiki.postgresql.org/wiki/Guide_to_reporting_problems
>
> It seems to me that you've done the exact opposite of nearly
> everything suggested there, starting with cross-posting your email to
> four mailing lists at least three of which are irrelevant to the
> problem that you're attempting to solve.
>
> ...Robert
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
>

--
When fascism comes to America, it will be intolerance sold as diversity.
On Tue, Dec 1, 2009 at 11:26 AM, Scott Marlowe <scott.marlowe@gmail.com> wrote:
> Except that he posted a month ago and got no answers...

Gee, I wonder why.

...Robert
I've dropped all your cross-posts; this is just going to PgSQL-general.

On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:

> psql: *krb5_sendauth: Bad application version was sent (via sendauth)*

Have you verified that your Kerberos setup is otherwise working correctly - it's handling logins, other apps work, etc?

Also: a search for your error message finds this post, which, while related to a Windows kerberos server, seems to apply:

http://www.mail-archive.com/pgsql-general@postgresql.org/msg80403.html

That is: Make sure that the Kerberos service name matches everywhere.

I don't know much about Kerberos, nor I suspect do all that many people on the list, so I can't be of any more help.

--
Craig Ringer
* Craig Ringer (craig@postnewspapers.com.au) wrote:
> I've dropped all your cross-posts; this is just going to PgSQL-general.

Thanks for that.

> On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
>
>> psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
>
> Also: a search for your error message finds this post, which, while
> related to a Windows kerberos server, seems to apply:

It's the same kind of issue (wrong service name), but I think the real problem is this:

krb_srvname = 'postgres/star@EXAMPLE.COM'

The documentation, I think, is pretty clear:

http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH

    PostgreSQL operates like a normal Kerberos service. The name of the
    service principal is servicename/hostname@realm.

    servicename can be set on the server side using the krb_srvname
    configuration parameter

The above should just be:

krb_srvname = 'postgres'

Or, better, just removed. Unless you're running under a Microsoft Active Directory Kerberos environment, the default should 'just work'.

Additionally, this is also almost certainly wrong:

krb_server_hostname = 'star'

Again, referring to the same documentation:

    hostname is the fully qualified host name of the server machine.

You really should have a proper FQDN set for this system. I would also recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't see the version of PostgreSQL, but if you're using something recent your auth method should really be 'gss' instead of 'krb5'.

> I don't know much about Kerberos, nor I suspect do all that many people
> on the list, so I can't be of any more help.

Unfortunately, I don't pay as close attention to the lists as I wish I could. Kerberos with PG is actually a solution I typically recommend.

Thanks,

Stephen
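The checks described in the message above, as an added example that is not part of the original thread: it parses the Kerberos lines of a postgresql.conf, flags a `krb_srvname` that holds a full principal and a `krb_server_hostname` that is not fully qualified, and builds the `servicename/hostname@realm` principal the keytab should contain. The function names and the host name `star.example.com` are assumptions made for illustration.

```python
import re

# Constructed sample: the Kerberos lines of the postgresql.conf quoted in this thread.
SAMPLE_CONF = """\
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star'   # empty string matches any keytab entry
krb_caseins_users = off
"""

# name = 'quoted value'  or  name = bare_value, with an optional trailing comment
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(?:'([^']*)'|([^\s#]+))")

def parse_conf(text):
    """Return {name: value} for simple postgresql.conf assignment lines."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings

def check_krb_settings(settings):
    """Return findings for krb_srvname and krb_server_hostname."""
    findings = []
    srv = settings.get("krb_srvname", "postgres")   # 'postgres' is the default
    host = settings.get("krb_server_hostname", "")
    if "/" in srv or "@" in srv:
        findings.append("krb_srvname holds a full principal; use the service name only")
    if any(c.isspace() for c in srv + host):
        findings.append("whitespace inside a Kerberos name")
    if host and "." not in host:
        findings.append("krb_server_hostname is not a fully qualified host name")
    return findings

def service_principal(settings, fqdn, realm):
    """Build servicename/hostname@realm from the service-name part of krb_srvname."""
    srv = settings.get("krb_srvname", "postgres").split("/")[0].split("@")[0].strip()
    return f"{srv}/{fqdn}@{realm}"

if __name__ == "__main__":
    conf = parse_conf(SAMPLE_CONF)
    for finding in check_krb_settings(conf):
        print("finding:", finding)
    # star.example.com is a constructed FQDN, not a value from the thread.
    print("expected keytab principal:",
          service_principal(conf, "star.example.com", "EXAMPLE.COM"))
```

The principal it prints is the one to compare against the entries listed by `klist -k` for the server keytab.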
I thanks from Stephen and Craig for their replying.
I am sorry for doing cross posting, But I did not know about it before. I had to do for solving the problem, because no one did me answer .
--
With Best Regards
Miss.KHodadadi
On Wed, Dec 2, 2009 at 5:15 AM, Stephen Frost <sfrost@snowman.net> wrote:
> * Craig Ringer (craig@postnewspapers.com.au) wrote:
> > I've dropped all your cross-posts; this is just going to PgSQL-general.
>
> Thanks for that.
>
> > On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
> >
> >> psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
> >
> > Also: a search for your error message finds this post, which, while
> > related to a Windows kerberos server, seems to apply:
>
> It's the same kind of issue (wrong service name), but I think the real
> problem is this:
>
> The documentation, I think, is pretty clear:
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
>
>     PostgreSQL operates like a normal Kerberos service. The name of the
>     service principal is servicename/hostname@realm.
>
>     servicename can be set on the server side using the krb_srvname
>     configuration parameter
>
> The above should just be:
>
> krb_srvname = 'postgres'
>
> Or, better, just removed. Unless you're running under a Microsoft
> Active Directory Kerberos environment, the default should 'just work'.
>
> Additionally, this is also almost certainly wrong:
>
> krb_server_hostname = 'star'
>
> Again, referring to the same documentation:
>
>     hostname is the fully qualified host name of the server machine.
>
> You really should have a proper FQDN set for this system. I would also
> recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't
> see the version of PostgreSQL, but if you're using something recent your
> auth method should really be 'gss' instead of 'krb5'.
>
> > I don't know much about Kerberos, nor I suspect do all that many people
> > on the list, so I can't be of any more help.
>
> Unfortunately, I don't pay as close attention to the lists as I wish I
> could. Kerberos with PG is actually a solution I typically recommend.
>
> Thanks,
>
> Stephen