Sspi continuation error the specified target is unknown or unreachable 80090303

Re: Having trouble with connecting to database via kerberos

Subject: Re: Having trouble with connecting to database via kerberos Date: 2020-08-28 10:03:09 Message-ID: CA+OCxozf8nXX-6Loq5q0K=0SBqz0BP6pHZCUUHQCV_tSRUT-ZA@mail.gmail.com Views: Raw Message | Whole Thread | Download mbox | Resend email Thread: Lists: pgadmin-support

On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J wrote:

> Hello!
>
> I wonder if you folks can help me. I am having the hardest time location
> documentation on, or otherwise figuring out how to connect to a
> Kerberos-authenticated database using pgAdmin in Amazon RDS.
>
> I can connect to the database just fine with psql + kinit on linux, but
> the rest of my team is on Windows and pgAdmin.
>
> How, in general, do you connect to a Kerberos-authenticated database from
> pgAdmin on Windows? I haven’t been able to find the answer to this question.
>
> In particular, I am connecting to a 12.3 pgsql database hosted on amazon
> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this
> error:
>
> SSPI continuation error: The specified target is unknown or unreachable
> (80090303)
>
> If I connect using a local pg user, the connection succeeds.
> If I connect using kinit + psql on linux, the connection succeeds.
> If I connect using the correct host endpoint, I get the error above.
> If I connect using the AWS alternative method described here[1] of
> connecting to ., I *still* get the error above.
>
> Is there anyone who can help?
>
> 1:
> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html

pgAdmin doesn’t (yet) officially support kerberos authentication. You can
use SSPI if you’re connecting from Windows to a Windows-hosted PostgreSQL
server in a domain or on a the same machine (I actually verified that works
yesterday), or you can in theory use GSSAPI to authenticate to a Linux
hosted server if you’re on a Linux client (I’m working on verifying that at
the moment).

Once I’ve got those scenarios working and verified, I’ll move on to
figuring out how to handle Windows/Mac clients connecting with GSSAPI.

Note that SSPI/GSSAPI will require that you’re running pgAdmin in Desktop
mode. It will not work in Server mode (because the server will typically be
running under a different user account). There’s a feature request for that
in the backlog.

Источник

Hyper-V Live Migration — The specified target is unknown or unreachable (0x80090303)

При попытке выполнить миграцию виртуальных машин на новый хост Hyper-V только что добавленный в System Center 2012 R2 Virtual Machine Manager (VMM) возникли ошибки на этапе предварительной проверки хоста на предмет возможности такого переноса. Как следствие мастер миграции VMM не позволял выполнить перенос виртуальных машин на проблемный хост.

Полностью текст ошибок выглядит следующим образом:

Невозможно выполнить миграцию виртуальной машины KOM-AD01-PS02 на узел kom-ad01-vm08.holding.com в связи с проблемами несовместимости. The Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: The specified target is unknown or unreachable (0x80090303).

Невозможно выполнить миграцию виртуальной машины KOM-AD01-PS02 на узел kom-ad01-vm08.holding.com в связи с проблемами несовместимости. The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host ‘kom-ad01-vm08.holding.com’: The specified target is unknown or unreachable (0x80090303).

Корнем проблемы оказалось отсутствие записей SPN связанных с службами роли Hyper-V, которые должны быть зарегистрированы для учетной записи компьютера – хоста виртуализации. Сверка SPN проблемного хоста (в нашем примере это KOM-AD01-VM08 ) с другим штатно функционирующим хостом виртуализации с помощью команды setspn –L показала соответствующий результат

Выполняем регистрацию недостающих записей SPN последовательностью команд:

После это работоспособность механизма миграции виртуальных машин на проблемный хост средствами VMM была восстановлена.

Интересно то, что эта заметка как и предыдущая описывает проблемы возникшие на одном и том же хосте виртуализации. Отличительным обстоятельством процедуры развёртывания этого хоста было то, что роль Hyper-V на этом сервере была включена до того, как сервер был введён в домен, что, как думается, и привело к возникновению описанных проблем.

Источник

Thread: GSSAPI / Kerberos Authentication

GSSAPI / Kerberos Authentication

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4). Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.В Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

or from a windows client

C:Userssweingar>psql -hpglgisprtd001.sempra.com -Usweingar

psql: SSPI continuation error: The specified target is unknown or unreachable

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.В I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

Re: GSSAPI / Kerberos Authentication

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4). Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.В Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

or from a windows client

psql: SSPI continuation error: The specified target is unknown or unreachable

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.В I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

Re: GSSAPI / Kerberos Authentication

The spn is POSTGRES/, as I set up different servers, the server in the spn changes of course. В The server name resolves, and if I do a klist on the keytab the realm matches.

I am thinking that it has to do with our “vas” & “vasd” systems and how it is configured. But I can’t really say.

From: Bear Giles [mailto:]
Sent: Thursday, June 2, 2016 3:44 PM
To: Weingartner, Steven <>
Cc:
Subject: Re: [ADMIN] GSSAPI / Kerberos Authentication

I was just looking at the Kerberos support. Is your server principal postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It probably won’t affect you but think it needs to be POSTGRES/x.y.z@REALM for windows networks.

I’ll have to check my notes for more details, e.g., I’m 99% sure it’s ‘postgres’ and not ‘postgresql’.

I know you need to use password authentication from the client — and the username has to be simple (bob@REALM, not bob/postgres@REALM). I’ll be submitting a patch to support a keytab file and compound principals when I have some free time.

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven wrote:

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4). Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.В Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

or from a windows client

psql: SSPI continuation error: The specified target is unknown or unreachable

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.В I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

This email originated outside of Sempra Energy. Be cautious of attachments, web links, or requests for information.

Re: GSSAPI / Kerberos Authentication

The spn is POSTGRES/, as I set up different servers, the server in the spn changes of course.В The server name resolves, and if I do a klist on the keytab the realm matches.

I am thinking that it has to do with our “vas” & “vasd” systems and how it is configured. But I can’t really say.

From: Bear Giles [mailto: ]
Sent: Thursday, June 2, 2016 3:44 PM
To: Weingartner, Steven
Cc:
Subject: Re: [ADMIN] GSSAPI / Kerberos Authentication

I was just looking at the Kerberos support. Is your server principal postgres/x.y.z@REALM, where x.y.z is the DNS name for your server? It probably won’t affect you but think it needs to be POSTGRES/x.y.z@REALM for windows networks.

I’ll have to check my notes for more details, e.g., I’m 99% sure it’s ‘postgres’ and not ‘postgresql’.

I know you need to use password authentication from the client — and the username has to be simple (bob@REALM, not bob/postgres@REALM). I’ll be submitting a patch to support a keytab file and compound principals when I have some free time.

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven wrote:

I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4). Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

]$ psql -hpglgisprtd001 -dpostgres

psql: GSSAPI continuation error: Unspecified GSS failure.В Minor code may provide more information

GSSAPI continuation error: Server not found in Kerberos database

or from a windows client

psql: SSPI continuation error: The specified target is unknown or unreachable

I see nothing worthwhile in the postgresql log, nor in /var/log/messages.В I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

This email originated outside of Sempra Energy. Be cautious of attachments, web links, or requests for information.

Re: GSSAPI / Kerberos Authentication

Attachment

Re: GSSAPI / Kerberos Authentication

All,

* Bear Giles ( ) wrote:
> I remember reading comments in the code that case matters — postgres and
> POSTGRES are not the same — but I’m drawing a blank on the rest. I just
> started looking at the code myself though — others probably have more
> experience.

That’s correct, case absolutely matters and it needs to match.

There are options in postgresql.conf to control what’s expected.В This
is a source of common issue when coming from Windows clients to Linux
servers (or the other way around).

In particular, review section 19.3.3 of the 9.5 docs:

For the client side, review krbsrvname:

Check the klist from the client side and also look at the keytab that’s
on the server and what’s in the KDC database and make sure they all
match.В What the client asks for from the KDC needs to be what the KDC
has and what is installed in the keytab on the server for it all to
work.

Источник

Re: GSSAPI / Kerberos Authentication

Subject: Re: GSSAPI / Kerberos Authentication Date: 2016-06-02 22:49:41 Message-ID: 09818804b4f547eab26ee29fba47932f@MS-EX13RB-P007.corp.SE.sempra.com Views: Raw Message | Whole Thread | Download mbox | Resend email Thread: Lists: pgsql-admin

The spn is POSTGRES/pglgisprtd001(dot)sempra(dot)com(at)CORP(dot)SE(dot)SEMPRA(dot)COM , as I set up different servers, the server in the spn changes of course. The server name resolves, and if I do a klist on the keytab the realm matches.

I am thinking that it has to do with our “vas” & “vasd” systems and how it is configured. But I can’t really say.

From: Bear Giles [mailto:bgiles(at)coyotesong(dot)com]
Sent: Thursday, June 2, 2016 3:44 PM
To: Weingartner, Steven
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: [ADMIN] GSSAPI / Kerberos Authentication

I was just looking at the Kerberos support. Is your server principal postgres/x(dot)y(dot)z(at)REALM , where x.y.z is the DNS name for your server? It probably won’t affect you but think it needs to be POSTGRES/x(dot)y(dot)z(at)REALM for windows networks.

I’ll have to check my notes for more details, e.g., I’m 99% sure it’s ‘postgres’ and not ‘postgresql’.

I know you need to use password authentication from the client — and the username has to be simple (bob(at)REALM, not bob/postgres(at)REALM). I’ll be submitting a patch to support a keytab file and compound principals when I have some free time.

On Thu, Jun 2, 2016 at 4:23 PM, Weingartner, Steven > wrote:
I am currently trying to configure a Centos6.x – postgresql-9.3 server to authenticate using gssapi. I have several servers I have already configured and are working (a combination of Oracle Linux and Centos, all 6.x series with 9.2,3 or 4). Our company use vas for an interface to Kerberos, The errors I am getting are as follows:

]$ psql -hpglgisprtd001 -dpostgres
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database

or from a windows client

C:Userssweingar>psql -hpglgisprtd001.sempra.com -Usweingar
psql: SSPI continuation error: The specified target is unknown or unreachable
(80090303)

I see nothing worthwhile in the postgresql log, nor in /var/log/messages. I have verified the dns record to my kdc works (or at least I can ping), I am sort of at a loss of where to look next.

________________________________
This email originated outside of Sempra Energy. Be cautious of attachments, web links, or requests for information.

Источник

При попытке выполнить миграцию виртуальных машин на новый хост Hyper-V только что добавленный в System Center 2012 R2 Virtual Machine Manager (VMM) возникли ошибки на этапе предварительной проверки хоста на предмет возможности такого переноса. Как следствие мастер миграции VMM не позволял выполнить перенос виртуальных машин на проблемный хост.

Полностью текст ошибок выглядит следующим образом:

Невозможно выполнить миграцию виртуальной машины KOM-AD01-PS02 на узел kom-ad01-vm08.holding.com в связи с проблемами несовместимости. The Virtual Machine Management Service failed to authenticate the connection for a Virtual Machine migration at the source host: The specified target is unknown or unreachable (0x80090303).

Невозможно выполнить миграцию виртуальной машины KOM-AD01-PS02 на узел kom-ad01-vm08.holding.com в связи с проблемами несовместимости. The Virtual Machine Management Service failed to establish a connection for a Virtual Machine migration with host ‘kom-ad01-vm08.holding.com’: The specified target is unknown or unreachable (0x80090303).

Корнем проблемы оказалось отсутствие записей SPN связанных с службами роли Hyper-V, которые должны быть зарегистрированы для учетной записи компьютера – хоста виртуализации. Сверка SPN проблемного хоста (в нашем примере это KOM-AD01-VM08) с другим штатно функционирующим хостом виртуализации с помощью команды setspn –L показала соответствующий результат

Выполняем регистрацию недостающих записей SPN последовательностью команд:

setspn -S "Hyper-V Replica Service/KOM-AD01-VM08" KOM-AD01-VM08
setspn -S "Hyper-V Replica Service/KOM-AD01-VM08.holding.com" KOM-AD01-VM08

setspn -S "Microsoft Virtual System Migration Service/KOM-AD01-VM08" KOM-AD01-VM08
setspn -S "Microsoft Virtual System Migration Service/KOM-AD01-VM08.holding.com" KOM-AD01-VM08

setspn -S "Microsoft Virtual Console Service/KOM-AD01-VM08" KOM-AD01-VM08
setspn -S "Microsoft Virtual Console Service/KOM-AD01-VM08.holding.com" KOM-AD01-VM08

После это работоспособность механизма миграции виртуальных машин на проблемный хост средствами VMM была восстановлена.

Интересно то, что эта заметка как и предыдущая описывает проблемы возникшие на одном и том же хосте виртуализации. Отличительным обстоятельством процедуры развёртывания этого хоста было то, что роль Hyper-V на этом сервере была включена до того, как сервер был введён в домен, что, как думается, и привело к возникновению описанных проблем.

On Fri, Aug 28, 2020 at 11:03 AM Dave Page <dpage(at)pgadmin(dot)org> wrote:

> Hi
>
> On Fri, Aug 28, 2020 at 9:59 AM Haskin, Daniel J <DHaskin(at)verisk(dot)com>
> wrote:
>
>> Hello!
>>
>> I wonder if you folks can help me. I am having the hardest time location
>> documentation on, or otherwise figuring out how to connect to a
>> Kerberos-authenticated database using pgAdmin in Amazon RDS.
>>
>> I can connect to the database just fine with psql + kinit on linux, but
>> the rest of my team is on Windows and pgAdmin.
>>
>> How, in general, do you connect to a Kerberos-authenticated database from
>> pgAdmin on Windows? I haven’t been able to find the answer to this question.
>>
>> In particular, I am connecting to a 12.3 pgsql database hosted on amazon
>> RDS. No matter what I try, whenever I try to auth via Kerberos, I get this
>> error:
>>
>> SSPI continuation error: The specified target is unknown or unreachable
>> (80090303)
>>
>> If I connect using a local pg user, the connection succeeds.
>> If I connect using kinit + psql on linux, the connection succeeds.
>> If I connect using the correct host endpoint, I get the error above.
>> If I connect using the AWS alternative method described here[1] of
>> connecting to <endpoint>.<aws-ad-domain>, I *still* get the error above.
>>
>> Is there anyone who can help?
>>
>> 1:
>> https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/postgresql-kerberos-connecting.html
>
>
> pgAdmin doesn’t (yet) officially support kerberos authentication. You can
> use SSPI if you’re connecting from Windows to a Windows-hosted PostgreSQL
> server in a domain or on a the same machine (I actually verified that works
> yesterday), or you can in theory use GSSAPI to authenticate to a Linux
> hosted server if you’re on a Linux client (I’m working on verifying that at
> the moment).
>
> Once I’ve got those scenarios working and verified, I’ll move on to
> figuring out how to handle Windows/Mac clients connecting with GSSAPI.
>
> Note that SSPI/GSSAPI will require that you’re running pgAdmin in Desktop
> mode. It will not work in Server mode (because the server will typically be
> running under a different user account). There’s a feature request for that
> in the backlog.
>

FYI, I’ve also confirmed that Linux — Linux works with GSSAPI.

—
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EDB: http://www.enterprisedb.com

@andrewpong Hi, Andrew. This is my first time using pi_web_api_client to connect the PI-Server.
client = PIWebApiClient(
baseUrl=baseUrl,
useKerberos=True,
username=username,
password=password,
verifySsl=False
)
client.home.get()

I also got the GSSError when I tried to connect PI-Server on Windows. I saw your comment said that this error would be received on Windows but it works on MacOS.
May I ask which path should I put the CA on MacOS/Linux when I try to connect PI-Server?

GSSError Traceback (most recent call last)
C:ProgramDataAnaconda3libsite-packagesrequests_kerberoskerberos_.py in generate_request_header(self, response, host, is_preemptive)
229 result = kerberos.authGSSClientStep(self.context[host],
—> 230 negotiate_resp_value)
231

GSSError: SSPI: InitializeSecurityContext: �����εL�k�F�쪺���w�ؼ�

During handling of the above exception, another exception occurred:

KerberosExchangeError Traceback (most recent call last)
in ()
1 # Get the home infomation of the client
—-> 2 client.home.get()

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapiapihome_api.py in get(self, **kwargs)
27 return self.get_with_http_info(**kwargs)
28 else:
—> 29 (data) = self.get_with_http_info(**kwargs)
30 return data
31

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapiapihome_api.py in get_with_http_info(self, **kwargs)
80 _preload_content =params.get(‘_preload_content’, True),
81 _request_timeout=params.get(‘_request_timeout’),
—> 82 collection_formats =collection_formats)
83

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapiapi_client.py in call_api(self, resource_path, method, path_params, query_params, header_params, body, post_params, files, response_type, callback, _return_http_data_only, collection_formats, _preload_content, _request_timeout)
309 body, post_params, files,
310 response_type, callback,
—> 311 _return_http_data_only, collection_formats, _preload_content, _request_timeout)
312 else:
313 thread = threading.Thread(target=self.__call_api,

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapiapi_client.py in __call_api(self, resource_path, method, path_params, query_params, header_params, body, post_params, files, response_type, callback, _return_http_data_only, collection_formats, _preload_content, _request_timeout)
137 query_params=query_params,
138 headers=header_params,
—> 139 body=body)
140
141 return_data = response_data

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapiapi_client.py in request(self, method, url, query_params, headers, body)
327 body=body,
328 query_params=query_params,
—> 329 headers=headers)
330
331

C:ProgramDataAnaconda3libsite-packagesosisoftpidevclubpiwebapirest.py in send_request(self, url, method, body, headers, query_params)
55
56 if method == «GET»:
—> 57 response = requests.get(url, auth=self.auth, headers=headers, verify=self.verifySsl)
58 elif method == «HEAD»:
59 response = requests.head(url, auth=self.auth, headers=headers, verify=self.verifySsl)

C:ProgramDataAnaconda3libsite-packagesrequestsapi.py in get(url, params, **kwargs)
70
71 kwargs.setdefault(‘allow_redirects’, True)
—> 72 return request(‘get’, url, params=params, **kwargs)
73
74

C:ProgramDataAnaconda3libsite-packagesrequestsapi.py in request(method, url, **kwargs)
56 # cases, and look like a memory leak in others.
57 with sessions.Session() as session:
—> 58 return session.request(method=method, url=url, **kwargs)
59
60

C:ProgramDataAnaconda3libsite-packagesrequestssessions.py in request(self, method, url, params, data, headers, cookies, files, auth, timeout, allow_redirects, proxies, hooks, stream, verify, cert, json)
496 hooks=hooks,
497 )
—> 498 prep = self.prepare_request(req)
499
500 proxies = proxies or {}

C:ProgramDataAnaconda3libsite-packagesrequestssessions.py in prepare_request(self, request)
439 auth=merge_setting(auth, self.auth),
440 cookies=merged_cookies,
—> 441 hooks=merge_hooks(request.hooks, self.hooks),
442 )
443 return p

C:ProgramDataAnaconda3libsite-packagesrequestsmodels.py in prepare(self, method, url, headers, files, data, params, auth, cookies, hooks, json)
311 self.prepare_cookies(cookies)
312 self.prepare_body(data, files, json)
—> 313 self.prepare_auth(auth, url)
314
315 # Note that prepare_auth must be last to enable authentication schemes

C:ProgramDataAnaconda3libsite-packagesrequestsmodels.py in prepare_auth(self, auth, url)
542
543 # Allow auth to make its changes.
—> 544 r = auth(self)
545
546 # Update self to reflect the auth changes.

C:ProgramDataAnaconda3libsite-packagesrequests_kerberoskerberos_.py in call(self, request)
435 host = urlparse(request.url).hostname
436
—> 437 auth_header = self.generate_request_header(None, host, is_preemptive=True)
438
439 log.debug(«HTTPKerberosAuth: Preemptive Authorization header: {0}».format(auth_header))

C:ProgramDataAnaconda3libsite-packagesrequests_kerberoskerberos_.py in generate_request_header(self, response, host, is_preemptive)
242 «generate_request_header(): {0} failed:».format(kerb_stage))
243 log.exception(error)
—> 244 raise KerberosExchangeError(«%s failed: %s» % (kerb_stage, str(error.args)))
245
246 except EnvironmentError as error:

KerberosExchangeError: authGSSClientStep() failed: (‘SSPI: InitializeSecurityContext: �����εL�k�F�쪺���w�ؼ�rn’,)

Same problem, could you resolve?