Обсуждение: pgadmin kerberos auth propblem - Delegated credentials not supplied.

                Hello Khushboo,

 

thnak you for your time and advice. We had to change the concept based on your recommendation, because as I wrote, we used external kdc on linux to provide krb ticket for the service and therefore there was not any user on AD.

We created service user account on the AD (password never expire, AES 128/256 encryption), set service SPN to that user, generate keytab via ktpass command. When we use pgadmin to use this keytab and ask directly AD for kerberos ticket we ended with the error message

 

„ERROR pgadmin: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error“

 

When I tried to get ticket for the service via kinit command a can get it, but default principal is not service SPN but the windows 2000 logon name of the user of AD which is this SPN mapped to?

 

Do you have any idea/advice hot to solve this problem?

 

Logs from the container

 

2023-01-07 10:16:44,252: DEBUG pgadmin: Authentication initiated via source: kerberos

::ffff:10.238.6.198 - - [07/Jan/2023:10:16:44 +0000] "GET /login?next=%2Fbrowser%2F HTTP/1.1" 401 4725 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36 Edg/108.0.1462.54"

2023-01-07 10:16:44,388: DEBUG pgadmin: Authentication initiated via source: kerberos

2023-01-07 10:16:44,407: ERROR pgadmin: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error

Traceback (most recent call last):

File "/pgadmin4/pgadmin/authenticate/kerberos.py", line 237, in negotiate_start

out_token = context.step(base64.b64decode(in_token))

File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun

return caller(func, *(extras + args), **kw)

File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err

return func(self, *args, **kwargs)

File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun

return caller(func, *(extras + args), **kw)

File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token

return func(self, *args, **kwargs)

File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 582, in step

return self._acceptor_step(token=token or b"")

File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 590, in _acceptor_step

res = rsec_contexts.accept_sec_context(token, self._creds,

File "gssapi/raw/sec_contexts.pyx", line 270, in gssapi.raw.sec_contexts.accept_sec_context

gssapi.raw.exceptions.BadMechanismError: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error

 

Thank you very much for your time and investigation

Ragards

milanm

From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Sent: Wednesday, January 4, 2023 5:43 AM
To: Milan MOLNÁR <milan_molnar@tatrabanka.sk>
Cc: pgadmin-support@postgresql.org
Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.

 

[EXTERNÝ E-MAIL] Tento e-mail prichádza z prostredia mimo Tatra banka Group.

 

Hi,

 

As you are using AD, there are 2 things you need to check.

 

1. Configure the AD server in a way that the UPN associated with HTTP should be able to delegate the tickets to the client.

2. Your browser should be able to support the kerberos ticket negotiation and delegation.

 

Reference:

https://www.pgadmin.org/docs/pgadmin4/6.18/kerberos.html

https://www.youtube.com/watch?v=EDg6I21kCak

 

Thanks,

Khushboo

 

 

 

On Tue, Jan 3, 2023 at 2:32 PM Milan MOLNÁR <milan_molnar@tatrabanka.sk> wrote:

Hello,

 

I have trouble to setup kerberos authetication with pgadmin. I run pgadmin in the docker container and I’d like to use SPENGO SSO to access pgadmin. Pgadmin fails to authenticate user and the error message is „'Delegated credentials not supplied.“ It seem, that credentials does not contain delegated part. Do you have any suggestion where is the problem with my setup? Do you use kerberos auth – pls can you share your setup or just explain it a little bit?

 

We have kdc servers on the linux and there is trust between active directory (we use kerberos for many other services and it is working properly). I tried to connect from the PC where I’m loggend in the AD.

 

Docker container

Dockerfile

FROM dpage/pgadmin4:6.17

 

COPY krb5.conf /etc/krb5.conf

COPY config.py /pgadmin4/config.py

 

config.py changed variables (we have reason why to change vars here)

AUTHENTICATION_SOURCES = ['kerberos','internal']

KRB_APP_HOST_NAME = ‚fqdn of pgadmin‘

KRB_KTNAME = '/var/lib/pgadmin/pgadmin.keytab'

 

krb5.conf

cat krb5-wsl.conf

[libdefaults]

clockskew = 18000

canonicalize = true

dns_canonicalize_hostname= false

rdns = false

default_realm = EXAMPLE.COM

default_keytab_name=/var/lib/pgadmin/pgadmin.keytab

dns_lookup_kdc = false

#ignore_acceptor_hostname = true

proxiable = true

realm_try_domains = 1

 

dns_lookup_realm = false

ticket_lifetime = 86400

renew_lifetime = 604800

forwardable = true

#default_tgs_enctypes = aes256-cts-hmac-sha1-96

#default_tkt_enctypes = aes256-cts-hmac-sha1-96

permitted_enctypes =  aes256-cts aes128-cts

udp_preference_limit = 1

kdc_timeout = 5000

 

[realms]

EXAMPLE.COM = {

kdc = kdc01.EXAMPLE.COM

kdc = kdc02.EXAMPLE.COM

admin_server = kdc01.EXAMPLE.COM

default_domain = EXAMPLE.COM

}

[domain_realm]

.EXAMPLE.COM=EXAMPLE.COM

EXAMPLE.COM = EXAMPLE.COM

 

 

pgadmin4/pgadmin/authenticate/kerberos.py

 

    def negotiate_start(self, in_token):

        svc_princ = gssapi.Name('HTTP@%s' % config.KRB_APP_HOST_NAME,

                                name_type=gssapi.NameType.hostbased_service)

        cname = svc_princ.canonicalize(gssapi.MechType.kerberos)

 

        try:

            server_creds = gssapi.Credentials(usage='accept', name=cname)

            context = gssapi.SecurityContext(creds=server_creds)

            out_token = context.step(base64.b64decode(in_token))

        except Exception as e:

            current_app.logger.exception(e)

            return False, e

 

        if out_token and not context.complete:

            return False, out_token

        if context.complete:

            deleg_creds = context.delegated_creds

            if not hasattr(deleg_creds, 'name'):

                error_msg = gettext('Delegated credentials not supplied.')

                current_app.logger.error(error_msg)

                return False, Exception(error_msg)

            try:

...

 

 

Thank you

Regards

Milanm 

________________________________________________________________________
Informácie obsiahnuté v tomto dokumente sú určené výlučne pre potreby jeho adresáta.
Dokument môže obsahovať informácie chránené bankovým alebo obchodným
tajomstvom alebo informácie podliehajúce ochrane podľa iných právnych predpisov.
V prípade, že Vám bol tento dokument doručený omylom, vyzývame Vás,
aby ste sa zdržali odtajnenia alebo použitia pre vlastnú potrebu.
Zároveň si Vás dovoľujeme požiadať, aby ste nás o takomto prípade
bez zbytočného odkladu informovali a následne dokument zlikvidovali.

The information contained in this document is intended exclusively for the
needs of its addressee. The document may contain information protected
by banking or trade secrets or information subject to protection under other
legal regulations. In the event that this document was delivered to you by mistake,
we urge you to refrain from declassifying it or using it for your own purposes.
At the same time, we would like to request that you inform us of such a case
without undue delay and then dispose of the document.

Tatra banka, a.s.
Hodžovo námestie 3, 811 06 Bratislava 1
IČO: 00 686 930
Zapísaná v obchodnom registri Okresného sudu Bratislava I
Oddiel: Sa, vložka číslo: 71/B
https://www.tatrabanka.sk

Hi,

 

here  is  the command how the keytab has been regenerated. Unfortunatelly it did not helped.

 

ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-dev@AWS-AD-EE1.EXAMPLE.COM +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1. EXAMPLE.COM

Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com

Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.

Password successfully set!

Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...

Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".

Key created.

Output keytab to pgadmin-dev-ad-ee1.keytab:

Keytab version: 0x502

keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.EXAMPLE.COM ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)

 

C:\Users\Admin>

 

Do you have any another advice how to find out where is the problem?

 

Thank you

milanm

 

 

From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Sent: Monday, January 9, 2023 7:11 AM
To: Milan MOLNÁR <milan_molnar@tatrabanka.sk>
Cc: pgadmin-support@postgresql.org
Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.

 

Hi,

 

On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_molnar@tatrabanka.sk> wrote:

                Hello Khushboo,

 

thnak you for your time and advice. We had to change the concept based on your recommendation, because as I wrote, we used external kdc on linux to provide krb ticket for the service and therefore there was not any user on AD.

We created service user account on the AD (password never expire, AES 128/256 encryption), set service SPN to that user, generate keytab via ktpass command. When we use pgadmin to use this keytab and ask directly AD for kerberos ticket we ended with the error message

Have you used any encryption type while creating Keytab ? As it should match with the AD user account.

If possible please provide the command you have used to create the keytab file.

 

Make sure to generate the new keytab, whenever you do changes in AD user.

 

Thanks,

Khushboo

________________________________________________________________________
Informácie obsiahnuté v tomto dokumente sú určené výlučne pre potreby jeho adresáta.
Dokument môže obsahovať informácie chránené bankovým alebo obchodným
tajomstvom alebo informácie podliehajúce ochrane podľa iných právnych predpisov.
V prípade, že Vám bol tento dokument doručený omylom, vyzývame Vás,
aby ste sa zdržali odtajnenia alebo použitia pre vlastnú potrebu.
Zároveň si Vás dovoľujeme požiadať, aby ste nás o takomto prípade
bez zbytočného odkladu informovali a následne dokument zlikvidovali.

The information contained in this document is intended exclusively for the
needs of its addressee. The document may contain information protected
by banking or trade secrets or information subject to protection under other
legal regulations. In the event that this document was delivered to you by mistake,
we urge you to refrain from declassifying it or using it for your own purposes.
At the same time, we would like to request that you inform us of such a case
without undue delay and then dispose of the document.

Tatra banka, a.s.
Hodžovo námestie 3, 811 06 Bratislava 1
IČO: 00 686 930
Zapísaná v obchodnom registri Okresného sudu Bratislava I
Oddiel: Sa, vložka číslo: 71/B
https://www.tatrabanka.sk