kerberos authentication error with Windows 2003 SP1 AD
My operating system is Red Hat Linux AS 4, Kerberos 5, with
postgresql-7.4.14 that I compiled. I can authenticate using ssh, su,
console login, and also have gotten apache mod_auth_kerb to work with AD -
but I am missing something with postgresql. When I try:
[pkoppe01@ipswich ~]$ /usr/local/pgsql/bin/psql -d test -h ipswich
psql: Kerberos 5 authentication failed
For the configure step, I did (needed the include statement to prevent an
error about comm_err.h):
[koppel@ipswich postgresql-7.4.14]$ ./configure --with-java --with-krb5 --with-includes=/usr/include/et
The make proceeded normally.
My pg_hba.conf looks like this (with pkoppe01 defined in Active Directory
but not defined in postgres using "createuser")
local all all trust
host test pkoppe01 192.168.1.0 255.255.255.0 krb5
Also have "tcpip_socket = true" and the postgres keytab referenced in
postgresql.conf and the keytab file itself owned by postgres.
When I try the psql command above (as pkoppe01) I do get the service
ticket for postgres:
[pkoppe01@ipswich ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_501_LCzZ1P
Default principal: pkoppe01@PRIVATE.LAN
Valid starting     Expires            Service principal
11/13/06 11:17:25  11/13/06 21:17:28  krbtgt/PRIVATE.LAN@PRIVATE.LAN
        renew until 11/14/06 11:17:25
11/13/06 11:19:02  11/13/06 21:17:28  postgres/ipswich.private.lan@PRIVATE.LAN
        renew until 11/14/06 11:17:25
Any ideas would be greatly appreciated. Thanks in advance. Please feel
free to email me directly as I just joined the list and don't know my way
around yet.
Paul Koppel
Systems Manager
Washington University School of Medicine
St. Louis, MO 63110
The server log from postgresql should give some more information.
//Magnus
Magnus Hagander wrote:
> My pg_hba.conf looks like this (with pkoppe01 defined in
> Active Directory but not defined in postgres using "createuser")
You need to createuser with the AD username - this allows that user to
connect to PostgreSQL and to own and have various permissions in
PostgreSQL but uses the kerberos password authentication instead of
internal password storage.
--
Shane Ambler
pgSQL@007Marketing.com
Get Sheeky @ http://Sheeky.Biz