I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and kerberos working as expected separately, and am using them both (but not together).
I found instructions here: postressql-and-kerberos, and have not really found anything that explains it in greater detail.
I set these two lines in my postgresql.conf file:
krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
krb_srvname = 'postgres'
I have verified that this is correct by running a ‘kinit -kt’ with that information. I added these two entries in my pg_hba.conf file:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.0.1.0/24 gss include_realm=0 krb_realm=HOTDOG.REALM.COM
I restart the server and try to connect via a remote client…
kinit freddyboy
<enter password>
This is successful, and I can see the detail if I do a ‘klist’.
Then I try to connect to postgres, via:
psql -l -h postgresserver.hotdog.com
I get an error stating:
pgql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
If I look at the server log file (postgresql-Tue.log)… all I see is "FATAL: GSSAPI authentication failed for user "fred"".
Well, ‘fred’ is my linux logon… "freddyboy" is my user principal. So, it seems like the postgresql client is not sending the kerberos authentication as it should. I have tried to send the user:
psql -l -h postgresserver.hotdog.com -U freddyboy
The log file now says "GSSAPI authentication failed for user "freddyboy"", but it is, obviously, still failing. I have a postgres user of ‘freddyboy’ that owns some databases. I can login locally fine, without GSSAPI, but cannot seem to get in remotely and securely.
I am suspicious that nowhere on my client have I specified that I want to use GSSAPI. Since this is just a client, the conf files are not present… so that could be an issue, I guess.
One more point, the kerberos server is ActiveDirectory. I have seen some indications that the principal should be UPPERCASE. I have tried making the service principal ("POSTGRES") and my user principal "FREDDYBOY", but still no love.
Any assistance greatly appreciated. I am using Postgres 8.4.13 on client and server.
Fred
I’m trying to connect to a Postgres server with the GSSAPI protocol. User accounts have been created in Active Directory.
I used the following commands:
postgres@xxxxx:John $ ktutil
ktutil: add_entry -password -p POSTGRES/myserver.domain.com -k 1 -e aes256-cts-hmac-sha1-96
Password for POSTGRES/myserver.domain.com@myad.domain.com
ktutil: write_kt postgres.keytab
ktutil: quit
postgres@xxxxx:John $ klist -k postgres.keytab
Keytab name: FILE:postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
1 POSTGRES/myserver.domain.com@myad.domain.com
postgres@xxxxx:John $ kinit john
Password for john@myad.domain.com
postgres@xxxxx:John $ klist
Ticket cache: KEYRING:persistent:26:26
Default principal: john@myad.domain.com
Valid starting Expires Service principal
09/28/2020 14:45:09 09/29/2020 00:45:09 krbtgt/myad.domain.com@myad.domain.com
renew until 10/05/2020 14:45:00
When I try connecting with my admin user, I got this unsuccessful reply.
psql -d postgres -h pgserver -p 5432 -U john@domain.com
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
What are the missing steps?
asked Sep 28, 2020 at 13:11 by Fabrice Chapuis
"Server not found in Kerberos database" means that GSSAPI is trying to reach the KDC and attempting to log in using the SPN instead of the UPN.
This can be avoided by specifying "isInitiator=false" in the JAAS config. Doing this, the incoming token will be decrypted on the client side itself (Postgres).
If there is a delegation involved here (which I don’t think there is), then "isInitiator=true" needs to be set in the JAAS config, and the SPN must be equal to the UPN of the account to which the SPN is attached.
Check ktpass on Windows: it creates the keytab file and also changes the user’s UPN to the SPN value specified. A similar thing should be done on your setup.
answered Sep 30, 2020 at 10:03
Re: Having trouble with connecting to database via kerberos
From: Dave Page
To: "Haskin, Daniel J"
Cc: "pgadmin-support(at)lists(dot)postgresql(dot)org"
Subject: Re: Having trouble with connecting to database via kerberos
Date: 2020-08-28 10:03:09
Message-ID: CA+OCxozf8nXX-6Loq5q0K=0SBqz0BP6pHZCUUHQCV_tSRUT-ZA@mail.gmail.com
Lists: pgadmin-support
On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J wrote:
> Hello!
>
> I wonder if you folks can help me. I am having the hardest time locating
> documentation on, or otherwise figuring out how to connect to a
> Kerberos-authenticated database using pgAdmin in Amazon RDS.
>
> I can connect to the database just fine with psql + kinit on linux, but
> the rest of my team is on Windows and pgAdmin.
>
> How, in general, do you connect to a Kerberos-authenticated database from
> pgAdmin on Windows? I haven’t been able to find the answer to this question.
>
> In particular, I am connecting to a 12.3 pgsql database hosted on amazon
> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this
> error:
>
> SSPI continuation error: The specified target is unknown or unreachable
> (80090303)
>
> If I connect using a local pg user, the connection succeeds.
> If I connect using kinit + psql on linux, the connection succeeds.
> If I connect using the correct host endpoint, I get the error above.
> If I connect using the AWS alternative method described here[1] of
> connecting to ., I *still* get the error above.
>
> Is there anyone who can help?
>
> 1:
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
pgAdmin doesn’t (yet) officially support kerberos authentication. You can
use SSPI if you’re connecting from Windows to a Windows-hosted PostgreSQL
server in a domain or on the same machine (I actually verified that works
yesterday), or you can in theory use GSSAPI to authenticate to a Linux
hosted server if you’re on a Linux client (I’m working on verifying that at
the moment).
Once I’ve got those scenarios working and verified, I’ll move on to
figuring out how to handle Windows/Mac clients connecting with GSSAPI.
Note that SSPI/GSSAPI will require that you’re running pgAdmin in Desktop
mode. It will not work in Server mode (because the server will typically be
running under a different user account). There’s a feature request for that
in the backlog.
Hyper-V Live Migration — The specified target is unknown or unreachable (0x80090303)
While attempting to migrate virtual machines to a new Hyper-V host that had just been added to System Center 2012 R2 Virtual Machine Manager (VMM), errors occurred during the preliminary check of whether the host could accept the migration. As a result, the VMM migration wizard would not allow virtual machines to be moved to the problem host.
The full text of the errors is as follows:
Unable to migrate virtual machine KOM-AD01-PS02 to host kom-ad01-vm08.holding.com because of incompatibility issues. The Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: The specified target is unknown or unreachable (0x80090303).
Unable to migrate virtual machine KOM-AD01-PS02 to host kom-ad01-vm08.holding.com because of incompatibility issues. The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host ‘kom-ad01-vm08.holding.com’: The specified target is unknown or unreachable (0x80090303).
The root cause turned out to be missing SPN records for the Hyper-V role services, which must be registered on the computer account of the virtualization host. Comparing the SPNs of the problem host (KOM-AD01-VM08 in our example) against another normally functioning virtualization host with setspn -L produced the following result
We register the missing SPN entries with the following sequence of commands:
After this, migration of virtual machines to the problem host through VMM worked again.
Interestingly, this note, like the previous one, describes problems that arose on the same virtualization host. What was distinctive about the deployment of this host was that the Hyper-V role was enabled on the server before the server was joined to the domain, which, we suspect, is what caused the problems described.
Thread: GSSAPI / Kerberos Authentication
GSSAPI / Kerberos Authentication
I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2, 9.3 or 9.4). Our company uses vas as an interface to Kerberos. The errors I am getting are as follows:
$ psql -hpglgisprtd001 -dpostgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
or from a windows client
C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
psql: SSPI continuation error: The specified target is unknown or unreachable
I see nothing worthwhile in the postgresql log, nor in /var/log/messages. I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.
Re: GSSAPI / Kerberos Authentication
All,
* Bear Giles ( ) wrote:
> I remember reading comments in the code that case matters — postgres and
> POSTGRES are not the same — but I’m drawing a blank on the rest. I just
> started looking at the code myself though — others probably have more
> experience.
That’s correct, case absolutely matters and it needs to match.
There are options in postgresql.conf to control what’s expected. This
is a common source of issues when coming from Windows clients to Linux
servers (or the other way around).
In particular, review section 19.3.3 of the 9.5 docs:
For the client side, review krbsrvname:
Check the klist from the client side and also look at the keytab that’s
on the server and what’s in the KDC database and make sure they all
match. What the client asks for from the KDC needs to be what the KDC
has and what is installed in the keytab on the server for it all to
work.
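One check that ties the posts above together (Fred’s post, the ktutil/klist question, and the "case absolutely matters" reply), as an added example that is not from any of the posts: build the SPN the client will request, compare it against a keytab listing, and classify the client-side error texts quoted on this page. Host names, realm and the klist output are constructed.

```shell
#!/bin/sh
# Added example (not from any of the posts above). Every thread on this page ends up at the
# same requirement: the SPN the client builds must exist in the KDC and in the server's
# keytab, spelled identically. Host names, realm and the klist output below are constructed.

# Principal libpq asks the KDC for: <krb_srvname>/<host>@<REALM> (krb_srvname defaults to
# "postgres"; the client can override it with krbsrvname=). MIT krb5 canonicalises <host>
# through DNS by default, so use the FQDN that the -h argument resolves to.
expected_spn() {
  printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Compare the expected SPN with `klist -k <keytab>` output (columns: KVNO, Principal).
# Prints "match", "case-mismatch" or "missing". The GSSAPI acceptor's keytab lookup (and
# an MIT KDC) are case-sensitive, so POSTGRES/... and postgres/... are different principals.
keytab_spn_status() {
  printf '%s\n' "$2" | awk -v want="$1" '
    $1 ~ /^[0-9]+$/ && NF >= 2 {
      if ($2 == want) exact = 1
      else if (tolower($2) == tolower(want)) ci = 1
    }
    END { print (exact ? "match" : (ci ? "case-mismatch" : "missing")) }'
}

# Map the client-side error text seen in the threads to the side that needs attention:
#   kdc-spn        KDC has no principal matching the SPN the client built (host part or case)
#   sspi-spn       the same condition as reported by Windows SSPI (0x80090303)
#   client-ccache  the psql process sees no ticket cache / TGT (kinit as that same user first)
classify_gss_error() {
  case $1 in
    *"Server not found in Kerberos database"*)      echo kdc-spn ;;
    *"specified target is unknown or unreachable"*) echo sspi-spn ;;
    *"No Kerberos credentials available"*)          echo client-ccache ;;
    *)                                              echo unknown ;;
  esac
}

# Constructed `klist -k` listing: the keytab was written with the upper-case service name,
# much like the ktutil session in the question above, while psql requests the lower-case default.
SAMPLE_KLIST='Keytab name: FILE:postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 POSTGRES/myserver.domain.com@MYAD.DOMAIN.COM'

main() {
  spn=$(expected_spn postgres myserver.domain.com MYAD.DOMAIN.COM)
  echo "client requests: $spn"
  echo "keytab status:   $(keytab_spn_status "$spn" "$SAMPLE_KLIST")"   # case-mismatch
  echo "error class:     $(classify_gss_error 'psql: GSSAPI continuation error: Server not found in Kerberos database')"
}
main
```

To run it against a real keytab, pass the output of `klist -k /path/to/keytab` as the second argument of keytab_spn_status and the FQDN you give psql’s -h as the host.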
Re: GSSAPI / Kerberos Authentication
From: "Weingartner, Steven"
To: Bear Giles
Cc: "pgsql-admin(at)postgresql(dot)org"
Subject: Re: GSSAPI / Kerberos Authentication
Date: 2016-06-02 22:49:41
Message-ID: 09818804b4f547eab26ee29fba47932f@MS-EX13RB-P007.corp.SE.sempra.com
Lists: pgsql-admin
The spn is POSTGRES/pglgisprtd001.sempra.com@CORP.SE.SEMPRA.COM; as I set up different servers, the server in the spn changes of course. The server name resolves, and if I do a klist on the keytab the realm matches.
I am thinking that it has to do with our “vas” & “vasd” systems and how it is configured. But I can’t really say.
From: Bear Giles [mailto:bgiles(at)coyotesong(dot)com]
Sent: Thursday, June 2, 2016 3:44 PM
To: Weingartner, Steven
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: [ADMIN] GSSAPI / Kerberos Authentication
I was just looking at the Kerberos support. Is your server principal postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It probably won’t affect you, but I think it needs to be POSTGRES/x.y.z@REALM for windows networks.
I’ll have to check my notes for more details, e.g., I’m 99% sure it’s ‘postgres’ and not ‘postgresql’.
I know you need to use password authentication from the client — and the username has to be simple (bob@REALM, not bob/postgres@REALM). I’ll be submitting a patch to support a keytab file and compound principals when I have some free time.
On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven wrote:
I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2, 9.3 or 9.4). Our company uses vas as an interface to Kerberos. The errors I am getting are as follows:
$ psql -hpglgisprtd001 -dpostgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
or from a windows client
C:\Users\sweingar>psql -hpglgisprtd001.sempra.com -Usweingar
psql: SSPI continuation error: The specified target is unknown or unreachable
(80090303)
I see nothing worthwhile in the postgresql log, nor in /var/log/messages. I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.
I’ve recently set up a new Samba4 Active Directory to handle centralized authentication for my small office network. On this server is also a postgresql-9.5 instance, and I’m trying to have it authenticate against the AD. Recognizing the difference between authentication (this is what I need) and authorization (I believe this is handled entirely within postgresql once the user has been authenticated), I’m running into problems.
The AD is rather vanilla at the moment, closely following this howto. I’ve set up some users and the basic kerberos authentication appears to be working (done with kinit myusername@SAMDOM.MYDOMAIN.TLD, verified with klist). Similarly, smbclient //myhost.samdom.mydomain.tld/netlogon -U 'myusername' works.
The localhost is resolving to the samba AD and DNS forwarding is going upstream correctly. These work:
$ host -t SRV _ldap._tcp.samdom.mydomain.tld
$ host -t SRV _kerberos._udp.samdom.mydomain.tld
$ host -t A myhost.samdom.mydomain.tld
BTW: ubuntu-16.04 server, postgresql-9.5, samba-4.3.9
Question:
What am I missing in the configuration of samba and/or postgres to enable authentication against the AD?
DB Setup
Basic connectivity with postgresql appears to be good: it’s listening on the appropriate interfaces (all for now), the postgres user can access things locally without a problem. I set up a simple database, output from \list:
Name | Owner | Encoding | Collate | Ctype | Access privileges
-----------+------------+----------+-------------+-------------+-----------------------
pgtest2 | myusername | UTF8 | en_US.UTF-8 | en_US.UTF-8 |
with users listed (per this query):
User name | User ID | Attributes
------------+---------+-------------------
myusername | 16384 | create database
postgres | 10 | superuser, create+
| | database
Failing Auth
However, when I try on the console:
$ psql -h myhost.samdom.mydomain.tld -U myusername@SAMDOM.MYDOMAIN.TLD -d pgtest2
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: No Kerberos credentials available
From /var/log/postgresql/postgresql-9.5-main.log:
myusername@SAMDOM.MYDOMAIN.TLD@pgtest2 LOG: could not receive data from client: Connection reset by peer
myusername@SAMDOM.MYDOMAIN.TLD@pgtest2 FATAL: GSSAPI authentication failed for user "myusername@SAMDOM.MYDOMAIN.TLD"
myusername@SAMDOM.MYDOMAIN.TLD@pgtest2 DETAIL: Connection matched pg_hba.conf line 92: "host all all 0.0.0.0/0 gss krb_realm=SAMDOM.MYDOMAIN.TLD include_realm=1 map=krb"
Config Files
The config file (portions) that I think are appropriate and necessary:
- /etc/postgresql/9.5/main/pg_hba.conf:
  local   all   postgres   peer
  local   all   all        peer
  host    all   all        0.0.0.0/0      gss krb_realm=SAMDOM.MYDOMAIN.TLD include_realm=1 map=krb
  host    all   all        127.0.0.1/32   md5
  host    all   all        ::1/128        md5
- /etc/postgresql/9.5/main/postgres.conf:
  krb_server_keyfile = '/var/lib/postgresql/9.5/main/postgres.keytab'
  (The keytab was generated with: samba-tool domain exportkeytab postgres.keytab -U postgres/myhost.samdom.mydomain.tld@SAMDOM.MYDOMAIN.TLD, is mode 400, and owned by postgres:postgres.)
- /etc/samba/smb.conf:
  # Global parameters
  [global]
  workgroup = SAMDOM
  realm = SAMDOM.MYDOMAIN.TLD
  netbios name = MYHOST
  interfaces = lo eno1
  bind interfaces only = Yes
  server role = active directory domain controller
  dns forwarder = 11.22.33.254
  idmap_ldb:use rfc2307 = yes
  tls enabled = yes
  tls keyfile = tls/key.pem
  tls certfile = tls/cert.pem
  tls cafile = tls/ca.pem
  [netlogon]
  path = /var/lib/samba/sysvol/samdom.mydomain.tld/scripts
  read only = No
  [sysvol]
  path = /var/lib/samba/sysvol
  read only = No