GSSAPI authentication with AD

Started by Abbas over 12 years ago, 2 messages, general
#1 Abbas
abbas.dba@gmail.com

Hi,

I am struggling to give a Windows Active Directory user access to a
PostgreSQL database.

I am using Windows Server 2008 R2 and created a forest in AD with 2003
compatibility. PostgreSQL 9.3.1 has been compiled with GSSAPI and krb5
support on CentOS; both the Windows server and the CentOS host are VMs with static IPs.

My walkthrough is as follows:

Created the enterprisedb user in AD with the DES encryption type.

Added the CentOS host to the AD domain.

C:\Users\Administrator>setspn -S POSTGRES/centos.my.testdomain.lan my.testdomain.lan\enterprisedb
Checking domain DC=my,DC=testdomain,DC=lan

Registering ServicePrincipalNames for CN=enterprisedb,CN=Users,DC=my,DC=testdomain,DC=lan
        POSTGRES/centos.my.testdomain.lan
Updated object

C:\Users\Administrator>ktpass -out postgres.keytab -princ POSTGRES/centos@MY.TESTDOMAIN.LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
Targeting domain controller: WIN-UC777GC73I8.my.testdomain.lan
Using legacy password setting method
Successfully mapped POSTGRES/centos to enterprisedb.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to postgres.keytab:
Keytab version: 0x502
keysize 60 POSTGRES/centos@MY.TESTDOMAIN.LAN ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x1af1c29ebf252549)

-bash-4.1$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug=true
 default_realm = MY.TESTDOMAIN.LAN
 allow_weak_crypto = 1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }

 MYWIN.MY.TESTDOMAIN.LAN = {
  kdc = .my.testdomain.lan
 }

 MY.TESTDOMAIN.LAN = {
  kdc = win-uc777gc73i8.my.testdomain.lan
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
 .mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN

################

Output of klist:

-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN

Valid starting     Expires            Service principal
11/25/13 00:41:34  11/25/13 10:41:38  krbtgt/MY.TESTDOMAIN.LAN@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34

-bash-4.1$ kinit -V -k -t /opt/PostgreSQL/9.3.1/data/postgres.keytab POSTGRES/centos@MY.TESTDOMAIN.LAN
Using default cache: /tmp/krb5cc_501
Using principal: POSTGRES/centos@MY.TESTDOMAIN.LAN
Using keytab: /opt/PostgreSQL/9.3.1/data/postgres.keytab
Authenticated to Kerberos v5
-bash-4.1$

-bash-4.1$ klist -k /opt/PostgreSQL/9.3.1/data/postgres.keytab
Keytab name: FILE:/opt/PostgreSQL/9.3.1/data/postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   8 POSTGRES/centos@MY.TESTDOMAIN.LAN

postgresql.conf:

# Kerberos and GSSAPI
krb_server_keyfile = '/opt/PostgreSQL/9.3.1/data/postgres.keytab'
krb_srvname = 'POSTGRES' # (Kerberos only)

pg_hba.conf:

host all all 0.0.0.0/0 gss

When I try to connect with the psql client on the CentOS host I get the
error below:

-bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
psql: FATAL: GSSAPI authentication failed for user "enterprisedb"
-bash-4.1$

pg logs:

LOG: provided user name (enterprisedb) and authenticated user name (POSTGRES/centos) do not match
FATAL: GSSAPI authentication failed for user "enterprisedb"
DETAIL: Connection matched pg_hba.conf line 86: "host all all 0.0.0.0/0 gss"

Log output of /tmp/krb5_gp.log:

[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 principal postgres/centos@
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 POSTGRES/centos@MY.TESTDOMAIN.LAN -> postgres/centos@ using ccache FILE:/tmp/krb5cc_501
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 postgres/centos@ from FILE:/tmp/krb5cc_501 with result: 0/Unknown code 0
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 POSTGRES/centos@MY.TESTDOMAIN.LAN -> postgres/centos@, seqnum 222559749, subkey des-cbc-crc/7B63, session key des-cbc-crc/66D8
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 aes256-cts, aes128-cts, des3-cbc-sha1, rc4-hmac, des-cbc-crc, des, des-cbc-md4
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 principal postgres/centos@
[3947]: 1385322573.418896: Read AP-REP, time 1385322576.407247, subkey aes256-cts/710D, seqnum 574336718 aes256-cts/710D, seqnum 574336718

Please suggest where I am going wrong.
Thanks in advance.
Abbas

#2 Stephen Frost
sfrost@snowman.net
In reply to: Abbas (#1)
Re: GSSAPI authentication with AD

Abbas,

* Abbas (abbas.dba@gmail.com) wrote:
> created enterprisedb user in AD with DES encryption type.

Do not use DES- it's not secure and there's no reason to use it. Use
AES instead.

> -bash-4.1$ klist
> Ticket cache: FILE:/tmp/krb5cc_501
> Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN

This is the problem- with Kerberos and GSSAPI, you need to have a
'service' princ (that's the POSTGRES/my.host.name one) *and* a 'user'
princ (in your case, that should be 'enterprisedb'). The 'service'
princ needs to be exported as a keytab, as you've done, and then made
available to the PostgreSQL server (which I think you've done).
However, the 'user' princ should acquire credentials through a normal
'kinit' (which is what happens when a user logs on to a Windows system
with AD).

> -bash-4.1$ ~/bin/psql -h centos.MY.TESTDOMAIN.LAN -U enterprisedb
> psql: FATAL: GSSAPI authentication failed for user "enterprisedb"
> -bash-4.1$
>
> pglogs :
>
> LOG: provided user name (enterprisedb) and authenticated user name
> (POSTGRES/centos) do not match

Right, this is telling you that you're using a principal
(POSTGRES/centos) which doesn't match the user that you're trying to
authenticate as ('enterprisedb').

Thanks,

Stephen
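The two points Stephen raises (the authenticated principal must be the user's own principal, not the server's keytab identity, and DES should not be in the picture at all) can be checked mechanically before a connection attempt. The following script is an added example and is not code from the thread or from PostgreSQL; it is a simplified re-implementation of how the server compares the Kerberos principal that actually authenticated against the `-U` user name, honouring the `pg_hba.conf` `gss` options `include_realm` and `krb_realm` (the `map` option is not modelled), plus a small lint that flags DES and RC4 enctypes in pasted `ktpass`, `klist -e` or krb5 trace output. The sample output it scans is constructed from the lines in the thread.

```python
"""Diagnose a PostgreSQL GSSAPI login the way the server would judge it.

Added example; not PostgreSQL's own code. The matching rules below are a
simplified model of the server's gss user-name comparison:
  * include_realm=0 (the default in 9.3) strips '@REALM' before comparing,
  * include_realm=1 compares the full 'user@REALM' string,
  * krb_realm, when set, must equal the principal's realm either way,
  * the comparison is case-sensitive.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class GssCheck:
    ok: bool
    reason: str


def split_principal(principal: str):
    """Return (name, realm) for 'name@REALM'; realm is '' when absent."""
    name, _, realm = principal.partition("@")
    return name, realm


def check_gss_username(authenticated_principal: str, provided_user: str,
                       include_realm: bool = False,
                       krb_realm: Optional[str] = None) -> GssCheck:
    """Decide whether the server would accept provided_user for this principal."""
    name, realm = split_principal(authenticated_principal)
    # Heuristic from the thread: a 'service/host' principal is normally the
    # keytab identity the *server* holds, not a user's TGT obtained via kinit.
    hint = ""
    if "/" in name:
        hint = (" (authenticated principal looks like a service principal; a user "
                "principal such as 'enterprisedb@REALM' from a normal kinit is needed)")
    if krb_realm is not None and realm != krb_realm:
        return GssCheck(False, f"realm {realm!r} does not match krb_realm {krb_realm!r}")
    candidate = authenticated_principal if include_realm else name
    if candidate == provided_user:
        return GssCheck(True, f"authenticated user name {candidate!r} matches")
    return GssCheck(False, f"provided user name ({provided_user}) and authenticated "
                           f"user name ({candidate}) do not match{hint}")


# Enctypes a defender should not see in a keytab or session key today.
WEAK_ENCTYPE_RE = re.compile(
    r"\b(des-cbc-(?:crc|md4|md5)|arcfour-hmac(?:-md5)?|rc4-hmac|des)\b",
    re.IGNORECASE)


def weak_enctypes(output: str) -> List[str]:
    """Return the distinct weak enctype names found in tool output, lower-cased."""
    return sorted({m.group(1).lower() for m in WEAK_ENCTYPE_RE.finditer(output)})


# Constructed sample, assembled from the ktpass and trace lines in the thread.
SAMPLE_OUTPUT = """\
keysize 60 POSTGRES/centos@MY.TESTDOMAIN.LAN ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8
subkey des-cbc-crc/7B63, session key des-cbc-crc/66D8
subkey aes256-cts/710D, seqnum 574336718
"""


if __name__ == "__main__":
    # The thread's failing case: the server's own keytab principal was kinit'ed.
    print(check_gss_username("POSTGRES/centos@MY.TESTDOMAIN.LAN", "enterprisedb"))
    # What a working login looks like: the user's own principal from kinit.
    print(check_gss_username("enterprisedb@MY.TESTDOMAIN.LAN", "enterprisedb"))
    print("weak enctypes seen:", weak_enctypes(SAMPLE_OUTPUT))
```

Run it as-is to see the thread's mismatch reproduced, then feed `weak_enctypes` the real `klist -e` output from a test host: an empty list is the state Stephen is asking for, and `allow_weak_crypto = 1` in krb5.conf can then be dropped as well.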