Discussion: BUG #17523: Postgresql Kerberos PAM authentication

BUG #17523: Postgresql Kerberos PAM authentication

From: PG Bug reporting form
Date:
The following bug has been logged on the website:

Bug reference:      17523
Logged by:          Alex
Email address:      alexander@kopylov.us
PostgreSQL version: 13.6
Operating system:   Centos
Description:

Hi,

The pam_krb5 module (PAM with Kerberos 5) can be used for any service to
communicate with FreeIPA for Kerberos (authentication) and host-based access
policy (authorization).
pam_krb5 doesn't work with PostgreSQL, but any web or app server understands
this PAM module correctly.
When I have an active TGT ticket, my request is authenticated successfully and
the credential cache is filled with the TGS postgres/hostname@REALM.
However, postgres authorization fails.

The pam_sss.so module works well, but it is only password authentication that
doesn't use Kerberos tickets.
For example, the Apache web server can use pam_sss for Kerberos
(mod_auth_gssapi) and PAM (mod_authnz_pam), but the postgres server cannot do
this.


Error message:
2022-06-18 03:49:02.346 EDT [71176] LOG:  pam_authenticate failed: Module is unknown
2022-06-18 03:49:02.346 EDT [71176] FATAL:  PAM authentication failed for user "username"
2022-06-18 03:49:02.346 EDT [71176] DETAIL:  Connection matched pg_hba.conf line 90: "host   all   username   0.0.0.0/0   pam  pamservice=postgresql"


cat /etc/pam.d/postgresql
auth        sufficient    pam_krb5.so
account   pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
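
A structural check for a /etc/pam.d service file like the one posted above, as an added example that is not part of the original report or of PostgreSQL: it verifies that every rule has the "type control module-path" fields Linux-PAM expects. The helper name lint_pam_service is hypothetical, and the sample input is the posted file copied verbatim.

```python
import re

# The service file posted in the report above, copied verbatim.
POSTED = """\
auth        sufficient    pam_krb5.so
account   pam_krb5.so
password    sufficient    pam_krb5.so use_authtok
session     optional      pam_krb5.so
"""

TYPES = {"auth", "account", "password", "session"}
CONTROLS = {"required", "requisite", "sufficient", "optional",
            "include", "substack"}


def lint_pam_service(text):
    """Return [(line_number, message)] for rules that are not
    'type control module-path [arguments]'. Hypothetical helper."""
    findings = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith("@include"):  # Debian-style include
            continue
        # Keep a bracketed control such as [success=1 default=ignore] whole.
        fields = re.findall(r"\[[^\]]*\]|\S+", line)
        # A leading '-' on the type only silences "module missing" logging.
        mtype = fields[0][1:] if fields[0].startswith("-") else fields[0]
        if mtype not in TYPES:
            findings.append((number, f"unknown type {fields[0]!r}"))
        elif len(fields) < 3:
            findings.append(
                (number, f"expected 'type control module-path', got {line!r}"))
        elif fields[1] not in CONTROLS and not fields[1].startswith("["):
            findings.append((number, f"unknown control {fields[1]!r}"))
    return findings


if __name__ == "__main__":
    for number, message in lint_pam_service(POSTED):
        print(f"/etc/pam.d/postgresql:{number}: {message}")
```

Run over the posted file, it reports line 2, the account rule, which has two fields where three are expected.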