Discussion: Can postgres be configured for GSS/Kerberos authentication without a keyfile?


Can postgres be configured for GSS/Kerberos authentication without a keyfile?

From
Eric.Kamradt
Date:

Can postgres be configured for GSS/Kerberos authentication without a keyfile?

I have Kerberos working.
I compiled postgres with --with-gssapi.
I've set up the pg_hba.conf with gss and my IP address.
I'm not sure what to put in the postgres.conf.

I can do a kinit buckwheat.johnson@SOME_EXAMPLE.COM, and it correctly validates against an AD server.
My klist is as follows:

-------------------------------------------
[root@mbr01 postgresql-9.1.3]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: buckwheat.johnson@SOME_EXAMPLE.COM

Valid starting     Expires            Service principal
04/04/12 08:41:28  04/04/12 15:21:28  krbtgt/SOME_EXAMPLE.COM@SOME_EXAMPLE.COM

Kerberos 4 ticket cache: /tmp/tkt0
klist: You have no tickets cached
-----------------------------------------------------

I'm getting an error on the Linux CentOS server side:
FATAL:  GSSAPI authentication failed for user "buckwheat.johnson"

The error I'm getting on my Windows client is:
psql: SSPI continuation error: The specified target is unknown or unreachable
(80090303)

Do I have to set "krb_server_keyfile" in the postgres.conf? If not, do I have to set any krb5 postgres.conf parameters?

--
Thank you for your time
Eric (alias buckwheat)





Re: Can postgres be configured for GSS/Kerberos authentication without a keyfile?

From
Stephen Frost
Date:
Eric,

* Eric.Kamradt (Eric.Kamradt@accessdevelopment.com) wrote:
> Can postgres be configured for GSS/Kerberos authentication without a keyfile?

I'd say 'probably not'.

You have to have a princ for postgres and that princ needs to exist in a
keytab file on the PostgreSQL server.  By default, the Kerberos
libraries should look in /etc/krb5.keytab for that princ, but if you've
configured your system correctly, that file is owned by root and only
readable by root.  Services that run as root can still load the file
(eg: ssh), but PostgreSQL doesn't run as root (and shouldn't), so it
can't and it won't be able to find the princ.

My suggestion for how to do this 'correctly' is to create a keytab just
for the PostgreSQL server with only the postgres/my.host.name@REALM
princ in that file.  Then put that file somewhere that the PostgreSQL
server can get at it, make it owned by the postgres user, and readable
by ONLY the postgres user.  Then update your postgresql.conf by setting
the krb_server_keyfile to that keytab file.

Here's what that looks like on one of our systems:

===# l /etc/postgresql-common/krb5.keytab
-rw------- 1 postgres root 273 2011-08-16 07:01 /etc/postgresql-common/krb5.keytab

===# klist -k /etc/postgresql-common/krb5.keytab
Keytab name: FILE:/etc/postgresql-common/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/host.fqdn.org@OUR.REALM.ORG

===# grep krb_server /etc/postgresql/9.1/main/postgresql.conf
krb_server_keyfile = '/etc/postgresql-common/krb5.keytab'

    Thanks,

        Stephen
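The setup Stephen describes above (a keytab that holds only the postgres/host princ, owned by the postgres user, readable by that user alone, and named in krb_server_keyfile) is easy to get subtly wrong, so here is a small audit script for it. This is an added example, not code from the thread, from PostgreSQL or from MIT Kerberos. It parses the MIT keytab file format itself, so it does not need klist -k on the box, and then checks the three properties Stephen lists. The principal postgres/host.fqdn.org@OUR.REALM.ORG is taken from his klist -k listing; the key bytes, the temporary files and the use of the current uid in place of the postgres uid are constructed for the demo.

```python
"""Audit a PostgreSQL-only Kerberos keytab set up as the reply above recommends.

Added example; not code from the thread, PostgreSQL or MIT Kerberos. Parses the
MIT keytab file format (header 0x0502) directly, so it runs without klist/ktutil,
then checks that the file holds only the postgres/<host>@REALM principal, is owned
by the postgres user and is readable by that user alone (mode 0600). Key bytes,
temp files and the uid standing in for "postgres" (current user) are constructed.
"""
import os
import struct
import tempfile
from typing import List, Tuple

KEYTAB_VERSION = 0x0502      # MIT keytab "version 2" header
KRB5_NT_PRINCIPAL = 1        # name_type for ordinary/service principals
ENCTYPE_AES256 = 18          # aes256-cts-hmac-sha1-96
SERVICE_PRINCIPAL = "postgres/host.fqdn.org@OUR.REALM.ORG"   # from the klist -k listing
SAMPLE_KEY = bytes(range(32))                                 # constructed placeholder key


def _cstring(data: bytes) -> bytes:
    """counted_octet_string: big-endian uint16 length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def _read_cstring(data: bytes, pos: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def build_keytab(entries: List[Tuple[str, int, int, bytes]]) -> bytes:
    """Serialise (principal, kvno, enctype, key) tuples; sample-input builder only."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = struct.pack(">H", len(components)) + _cstring(realm.encode())
        for comp in components:
            body += _cstring(comp.encode())
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _cstring(key)              # keyblock
        body += struct.pack(">I", kvno)                                 # 32-bit kvno trailer
        out += struct.pack(">i", len(body)) + body
    return out


def list_keytab_principals(data: bytes) -> List[Tuple[str, int, int]]:
    """Return (principal, kvno, enctype) for every live entry in keytab bytes."""
    (version,) = struct.unpack_from(">H", data, 0)
    if version != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version 0x{version:04x}")
    pos, found = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                  # negative size marks a deleted slot of |size| bytes
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_cstring(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            comp, pos = _read_cstring(data, pos)
            comps.append(comp.decode())
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        (enctype,) = struct.unpack_from(">H", data, pos + 9)
        _key, pos = _read_cstring(data, pos + 11)
        kvno = vno8
        if end - pos >= 4:            # optional 32-bit kvno overrides the 8-bit field
            (kvno,) = struct.unpack_from(">I", data, pos)
        found.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
        pos = end
    return found


def audit_postgres_keytab(path: str, expected_principal: str, postgres_uid: int) -> List[str]:
    """Return findings; an empty list means the keytab matches the recommendation."""
    findings, st = [], os.stat(path)
    if st.st_uid != postgres_uid:
        findings.append(f"owner uid {st.st_uid} != postgres uid {postgres_uid}")
    if (st.st_mode & 0o777) != 0o600:
        findings.append(f"mode {oct(st.st_mode & 0o777)} != 0o600 (readable only by postgres)")
    with open(path, "rb") as fh:
        principals = {p for p, _, _ in list_keytab_principals(fh.read())}
    if expected_principal not in principals:
        findings.append(f"service principal {expected_principal} is missing")
    extra = sorted(principals - {expected_principal})
    if extra:
        findings.append("keytab also holds unrelated principals: " + ", ".join(extra))
    return findings


def _audit_bytes(data: bytes, mode: int) -> List[str]:
    """Write keytab bytes to a temp file with the given mode, audit it, delete it."""
    fd, path = tempfile.mkstemp(suffix=".keytab")
    try:
        os.write(fd, data)
        os.chmod(path, mode)
        return audit_postgres_keytab(path, SERVICE_PRINCIPAL, os.getuid())
    finally:
        os.close(fd)
        os.unlink(path)


def demo() -> Tuple[List[str], List[str]]:
    """Audit a keytab built as recommended and a sloppy one; return both finding lists."""
    good = build_keytab([(SERVICE_PRINCIPAL, 3, ENCTYPE_AES256, SAMPLE_KEY)])
    bad = build_keytab([(SERVICE_PRINCIPAL, 3, ENCTYPE_AES256, SAMPLE_KEY),  # world-readable below
                        ("host/host.fqdn.org@OUR.REALM.ORG", 7, ENCTYPE_AES256, SAMPLE_KEY)])
    return _audit_bytes(good, 0o600), _audit_bytes(bad, 0o644)
```

On a real server, call audit_postgres_keytab with the path from krb_server_keyfile and pwd.getpwnam('postgres').pw_uid; demo() shows the two findings a world-readable keytab that also carries the machine's host/ princ produces. The script checks the file itself only; it does not confirm that postgresql.conf actually points at it.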
