Can't get postgres and kerberos (gss) working together

I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and kerberos working as expected separately, and am using them both (but not together).

I found instructions here: postressql-and-kerberos, and have not really found anything that explains it in greater detail.

I set these two lines in my postgresql.conf file:

krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab' 
krb_srvname = 'postgres'

I have verified that this is correct by running a 'kinit -kt' with that information. I added these two entries in my pg_hba.conf file:

# TYPE  DATABASE  USER    CIDR-ADDRESS   METHOD
host    all       all     10.0.1.0/24    gss include_realm=0 krb_realm=HOTDOG.REALM.COM

I restart the server and try to connect via a remote client...

kinit freddyboy
<enter password>

This is successful, and I can see the detail if I do a 'klist'.

Then I try to connect to postgres, via:

psql -l -h postgresserver.hotdog.com

I get an error stating:

psql: GSSAPI continuation error:  Unspecified GSS failure.  Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database

If I look at the server log file (postgresql-Tue.log)... all I see is "FATAL: GSSAPI authentication failed for user "fred".

Well, 'fred' is my Linux logon... "freddyboy" is my user principal. So, it seems like the postgresql client is not sending the kerberos authentication as it should. I have tried to send the user:

 psql -l -h postgresserver.hotdog.com -U freddyboy

The log file now says "GSSAPI authentication failed for user "freddyboy"", but it is, obviously, still failing. I have a postgres user of 'freddyboy' that owns some databases. I can log in locally fine, without GSSAPI, but cannot seem to get in remotely and securely.

I am suspicious that nowhere on my client have I specified that I want to use GSSAPI. Since this is just a client, the conf files are not present... so that could be an issue, I guess.

One more point: the kerberos server is ActiveDirectory. I have seen some indications that the principal should be UPPERCASE. I have tried making the service principal "POSTGRES" and my user principal "FREDDYBOY", but still no love.

Any assistance greatly appreciated. I am using Postgres 8.4.13 on client and server.

Fred


Solution 1:

The error suggests that you did not create a service principal for the Postgres server. This is the principal that is stored in the krb5.keytab file on the server itself.

How to do this can be found in PostgreSQL documentation, 20.3.3. GSSAPI Authentication method.

If you have created this principal properly, what likely could have happened is that your DNS reversal doesn't work correctly. If you run host on the IP address of the Postgres server, you are supposed to get postgresserver.hotdog.com back. If you don't, the Kerberos authentication won't work.
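The two checks the answer describes, as an added example that is not part of the original question or answer: it builds the service principal libpq will ask the KDC for (krbsrvname/host@REALM, with the host taken from -h, since the client never reads postgresql.conf), checks whether a keytab listing contains it, and compares the connect name with what reverse DNS returns. The hostname, realm and keytab listing below are constructed to match the question; on a real server you would pipe in the output of klist -kt and host instead.

```shell
#!/bin/sh
# Added diagnostic helpers for the "Server not found in Kerberos database"
# failure discussed above. Not from the original post; the host, realm and
# keytab listing are constructed to match the question.

# The principal libpq requests: <krbsrvname>/<host given to -h>@<REALM>.
# The Kerberos library may canonicalize the host via forward and reverse
# DNS before asking the KDC, which is why reverse DNS matters here.
expected_spn() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Read `klist -kt <keytab>` output on stdin; succeed only if the last field
# of some line is exactly the wanted principal (Kerberos names are case-sensitive).
keytab_has_spn() {
    awk -v spn="$1" '$NF == spn { found = 1 } END { exit !found }'
}

# Compare the name the client used with the PTR name reverse DNS returned:
# strip the trailing dot and fold case (DNS names are case-insensitive).
rdns_matches() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    got=$(printf '%s' "$2" | sed 's/\.$//' | tr 'A-Z' 'a-z')
    [ "$want" = "$got" ]
}

# Constructed sample of `klist -kt /var/lib/pgsql/data/krb5.keytab` for a
# server whose keytab holds only a host principal, not the postgres SPN.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/var/lib/pgsql/data/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- ---------------------------------------------------
   2 01/02/13 10:00:00 host/postgresserver.hotdog.com@HOTDOG.REALM.COM'

# Run both checks for one server and print a verdict per check.
# $1 host as passed to psql -h, $2 realm, $3 klist -kt text, $4 PTR name.
check_server() {
    host=$1; realm=$2; listing=$3; ptr=$4
    spn=$(expected_spn postgres "$host" "$realm")
    echo "libpq will request: $spn"
    if printf '%s\n' "$listing" | keytab_has_spn "$spn"; then
        echo "keytab: OK"
    else
        echo "keytab: MISSING $spn (create the SPN in AD and regenerate the keytab)"
    fi
    if rdns_matches "$host" "$ptr"; then
        echo "reverse DNS: OK"
    else
        echo "reverse DNS: PTR is '$ptr', expected '$host'"
    fi
}

check_server postgresserver.hotdog.com HOTDOG.REALM.COM \
    "$SAMPLE_KEYTAB_LISTING" "postgresserver.hotdog.com."
```

With the constructed listing the keytab check reports the postgres SPN as missing while reverse DNS passes, which matches the failure in the question. On a live system, replace the sample with `klist -kt /var/lib/pgsql/data/krb5.keytab` run on the server and `host <server IP>` run from the client; `kvno postgres/postgresserver.hotdog.com` from the client reproduces the KDC lookup without involving psql at all.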