Fwd: psql+krb5
---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
Date: 2009/11/29
Subject: Re: psql+krb5
To: Denis Feklushkin <denis.feklushkin@gmail.com>
These items were added after my sending.
I repeat again my configurations:
1) The configuration of krb5.conf is:
[realms]
EXAMPLE.COM ={
kdc=star :88
admin_server=star:749
default_domain= example.com
}
.....
2) Then, I created principal as " postgres/star@EXAMPLE.COM " and its
password is saved in '/usr/local/pgsql/data/postgresql.keytab'.
(star is localhost IP, but in hosts.conf I configure like: 213.233.169.93
star)
3) I set up postgresql.conf as below:
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off
4) I create user "frank" in Psql.
5) Then I set up hba.conf:
host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5
When I want to connect to Postgresql, it gives error.
# kinit frank
[root@star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)
I should mention that both postgresql server and krb-server are in same
system and my IP is acquired from dhcp server of university. What is
wrong?
2009/11/29 Denis Feklushkin <denis.feklushkin@gmail.com>
On Sun, 29 Nov 2009 14:23:52 +0330
rahimeh khodadadi <rahimeh.khodadadi@gmail.com> wrote:
Thanks for your replying. My detail of configuration is:
I try to setup kerberos authentication in Postgresql 8.1.18 on centos.
But I have some problem.
1) The configuration of krb5.conf is:
[realms]
EXAMPLE.COM ={
kdc=star :88
admin_server=star:749
default_domain= example.com
}
.....
2) Then, I created principal as " postgres/star@EXAMPLE.COM<mailto:star@EXAMPLE.COM> " and its
password is saved in '/usr/local/pgsql/data/postgresql.keytab' .
(star is localhost IP, but in hosts.conf I configure like:
213.233.169.93 star)
3) I setup postgresql.conf as below:
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM<mailto:star@EXAMPLE.COM>'
krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off
4) I create user "frank" in Psql .
5) Then I set up hba.conf :
host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5
When I want to connect to Postgresql, it gives error.
# kinit frank
[root@star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)
some changes in users gives below error :
"[root@www bin]# ./psql -h 213.233.168.249 -U postgres
psql: Kerberos 5 authentication rejected: Wrong principal in request"
I should mention that both postgresql server and krb-server are in
same system and my IP is acquired from dhcp server of university.
What is wrong?
2009/11/29 Denis Feklushkin <denis.feklushkin@gmail.com>
On Sun, 29 Nov 2009 10:48:30 +0330
rahimeh khodadadi <rahimeh.khodadadi@gmail.com> wrote:
Hi,
When I want to connect to psql via krb5 in Linux, it gives me
error like:
"[root@www bin]# ./psql -h 213.233.168.249 -U postgres
psql: Kerberos 5 authentication rejected: Wrong principal in request"
What is in the KDC logs?
^^^^^^^^^^^^^^^^ !!!
Also, the text you provided contains spaces in the principal names
and strange entries like "<mailto:star@EXAMPLE.COM>".
When configuring, it is important that none of this is present.
--
With Best Regards
Miss.KHodadadi
2009/11/30 rahimeh khodadadi <rahimeh.khodadadi@gmail.com>:
---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
Date: 2009/11/29
Subject: Re: psql+krb5
To: Denis Feklushkin <denis.feklushkin@gmail.com>
Please review the guidelines for reporting a problem, which you can find here:
http://wiki.postgresql.org/wiki/Guide_to_reporting_problems
It seems to me that you've done the exact opposite of nearly
everything suggested there, starting with cross-posting your email to
four mailing lists at least three of which are irrelevant to the
problem that you're attempting to solve.
...Robert
Except that he posted a month ago and got no answers...
On Tue, Dec 1, 2009 at 8:22 AM, Robert Haas <robertmhaas@gmail.com> wrote:
2009/11/30 rahimeh khodadadi <rahimeh.khodadadi@gmail.com>:
---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh.khodadadi@gmail.com>
Date: 2009/11/29
Subject: Re: psql+krb5
To: Denis Feklushkin <denis.feklushkin@gmail.com>
Please review the guidelines for reporting a problem, which you can find here:
http://wiki.postgresql.org/wiki/Guide_to_reporting_problems
It seems to me that you've done the exact opposite of nearly
everything suggested there, starting with cross-posting your email to
four mailing lists at least three of which are irrelevant to the
problem that you're attempting to solve.
...Robert
--
When fascism comes to America, it will be intolerance sold as diversity.
On Tue, Dec 1, 2009 at 11:26 AM, Scott Marlowe <scott.marlowe@gmail.com> wrote:
Except that he posted a month ago and got no answers...
Gee, I wonder why.
...Robert
I've dropped all your cross-posts; this is just going to PgSQL-general.
On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
Have you verified that your Kerberos setup is otherwise working
correctly - it's handling logins, other apps work, etc?
Also: a search for your error message finds this post, which, while
related to a Windows kerberos server, seems to apply:
http://www.mail-archive.com/pgsql-general@postgresql.org/msg80403.html
That is: Make sure that the Kerberos service name matches everywhere.
I don't know much about Kerberos, nor I suspect do all that many people
on the list, so I can't be of any more help.
--
Craig Ringer
* Craig Ringer (craig@postnewspapers.com.au) wrote:
I've dropped all your cross-posts; this is just going to PgSQL-general.
Thanks for that.
On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
Also: a search for your error message finds this post, which, while
related to a Windows kerberos server, seems to apply:
It's the same kind of issue (wrong service name), but I think the real
problem is this:
krb_srvname = 'postgres/star@EXAMPLE.COM'
The documentation, I think, is pretty clear:
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
PostgreSQL operates like a normal Kerberos service. The name of the
service principal is servicename/hostname@realm.
servicename can be set on the server side using the krb_srvname
configuration parameter
The above should just be:
krb_srvname = 'postgres'
Or, better, just removed. Unless you're running under a Microsoft
Active Directory Kerberos environment, the default should 'just work'.
Additionally, this is also almost certainly wrong:
krb_server_hostname = 'star'
Again, referring to the same documentation:
hostname is the fully qualified host name of the server machine.
You really should have a proper FQDN set for this system. I would also
recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't
see the version of PostgreSQL, but if you're using something recent your
auth method should really be 'gss' instead of 'krb5'.
I don't know much about Kerberos, nor I suspect do all that many people
on the list, so I can't be of any more help.
Unfortunately, I don't pay as close attention to the lists as I wish I
could. Kerberos with PG is actually a solution I typically recommend.
Thanks,
Stephen
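Added example, not part of the original thread and not PostgreSQL code: a Python check for the two settings Stephen flags above (krb_srvname holding a full principal, krb_server_hostname not being an FQDN), plus the whitespace problem Denis mentions. The names parse_conf and check_krb, passing the keytab entries as a list (for instance as read from klist -k output), and the host name star.example.org are assumptions made for illustration.

```python
import re

# Matches quoted settings such as: krb_srvname = 'postgres'  # comment
SETTING = re.compile(r"^\s*(\w+)\s*=\s*'([^']*)'")

def parse_conf(text):
    """Return {name: value} for quoted settings; commented-out lines are skipped."""
    conf = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            conf[m.group(1)] = m.group(2)
    return conf

def check_krb(conf_text, realm, keytab_principals):
    """Return (problems, principal the keytab must hold) for a postgresql.conf."""
    conf = parse_conf(conf_text)
    srv = conf.get("krb_srvname", "postgres")      # server default
    host = conf.get("krb_server_hostname", "")     # empty matches any keytab entry
    problems = []
    if "/" in srv or "@" in srv:
        problems.append("krb_srvname holds a full principal; use the service name only")
        srv = re.split(r"[/@]", srv)[0]
    if host and "." not in host:
        problems.append("krb_server_hostname is not a fully qualified host name")
    if re.search(r"\s", srv + host):
        problems.append("whitespace inside service or host name")
    # Principal layout from the quoted documentation: servicename/hostname@realm
    expected = f"{srv}/{host or '*'}@{realm}"
    if host:
        found = expected in keytab_principals
    else:
        found = any(p.startswith(srv + "/") and p.endswith("@" + realm)
                    for p in keytab_principals)
    if not found:
        problems.append(f"keytab has no entry for {expected}")
    return problems, expected

# Settings as posted in the thread.
POSTED = """
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star'   # empty string matches any keytab entry
"""
# Constructed corrected settings; star.example.org is a placeholder FQDN.
FIXED = "krb_server_hostname = 'star.example.org'\n"

if __name__ == "__main__":
    print(check_krb(POSTED, "EXAMPLE.COM", ["postgres/star@EXAMPLE.COM"]))
    print(check_krb(FIXED, "EXAMPLE.ORG", ["postgres/star.example.org@EXAMPLE.ORG"]))
```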
I thank Stephen and Craig for their replies.
I am sorry for cross-posting, but I did not know about it before. I
had to do it to solve the problem, because no one answered me.
On Wed, Dec 2, 2009 at 5:15 AM, Stephen Frost <sfrost@snowman.net> wrote:
* Craig Ringer (craig@postnewspapers.com.au) wrote:
I've dropped all your cross-posts; this is just going to PgSQL-general.
Thanks for that.
On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
psql: *krb5_sendauth: Bad application version was sent (via sendauth)*
Also: a search for your error message finds this post, which, while
related to a Windows kerberos server, seems to apply:
It's the same kind of issue (wrong service name), but I think the real
problem is this:
krb_srvname = 'postgres/star@EXAMPLE.COM'
The documentation, I think, is pretty clear:
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
PostgreSQL operates like a normal Kerberos service. The name of the
service principal is servicename/hostname@realm.
servicename can be set on the server side using the krb_srvname
configuration parameter
The above should just be:
krb_srvname = 'postgres'
Or, better, just removed. Unless you're running under a Microsoft
Active Directory Kerberos environment, the default should 'just work'.
Additionally, this is also almost certainly wrong:
krb_server_hostname = 'star'
Again, referring to the same documentation:
hostname is the fully qualified host name of the server machine.
You really should have a proper FQDN set for this system. I would also
recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't
see the version of PostgreSQL, but if you're using something recent your
auth method should really be 'gss' instead of 'krb5'.
I don't know much about Kerberos, nor I suspect do all that many people
on the list, so I can't be of any more help.
Unfortunately, I don't pay as close attention to the lists as I wish I
could. Kerberos with PG is actually a solution I typically recommend.
Thanks,
Stephen
--
With Best Regards
Miss.KHodadadi