PG 8.3 and kerberos failures

by pjkoczan@[EMAIL PROTECTED] ("Peter Koczan") Apr 17, 2008 at 11:40 AM

Hi all,

I just upgraded one of my servers and I'm having a bit of trouble
getting some of the kerberos authentication bits working.
Specifically, any Kerberos instance run out of a v5srvtab doesn't work
so well. Using stashed tickets or normal principals worked fine.
Gritty details follow.

Peter

Here are details from the specific v5srvtab's...
[root@[EMAIL PROTECTED] postgres]# klist -k -t /etc/v5srvtab.wsbackup
Keytab name: FILE:/etc/v5srvtab.wsbackup
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@[EMAIL PROTECTED]
 postgres]# klist -k -t /etc/v5srvtab
Keytab name: FILE:/etc/v5srvtab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
  13 12/20/07 15:56:11 host/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  13 12/20/07 15:56:11 rcmd/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  13 12/20/07 15:56:11 telnet/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  13 12/20/07 15:56:11 ftp/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  13 12/20/07 15:56:11 pop/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  13 12/20/07 15:56:11 wsbackup/sensei.cs.wisc.edu@[EMAIL PROTECTED]
  12 12/20/07 15:56:11 auth/sensei.cs.wisc.edu@[EMAIL PROTECTED]
   8 12/20/07 15:56:11 postgres/sensei.cs.wisc.edu@[EMAIL PROTECTED]

Here's the error from the syslog...
Apr 17 11:18:39 sensei postgres[4486]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu ****t=56925
Apr 17 11:18:39 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/mitchell.cs.wisc.edu")
Apr 17 11:18:39 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5 authentication failed for user "wsbackup"
Apr 17 11:18:39 sensei postgres[4488]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu ****t=56926
Apr 17 11:18:39 sensei postgres[4488]: [4-1] FATAL:  no pg_hba.conf entry for host "128.105.207.19", user "wsbackup", database "su****", SSL off

Here's the relevant bit from my pg_hba.conf. For compatibility, I'm
using krb5 instead of gss until everything is upgraded from 8.2. If
using gss authentication will work, please let me know.
hostssl all         all         128.105.0.0/16     krb5
hostssl all         all         198.133.224.0/24   krb5

And from postgresql.conf...
# - Security & Authentication -

#authentication_timeout = 1min          # 1s-600s
ssl = on                                # (change requires restart)
#ssl_ciphers = 'ALL:!ADH:!LOW:!EXP:!MD5:@[EMAIL PROTECTED]'      # Allowed SSL ciphers
                                        # (change requires restart)
#password_encryption = on
krb_realm = 'CS.WISC.EDU'
#db_user_namespace = off

# Kerberos and GSSAPI
krb_server_keyfile = '/etc/v5srvtab.postgres'   # (change requires restart)
#krb_srvname = 'postgres'               # (change requires restart, kerberos only)
#krb_server_hostname = ''               # empty string matches any keytab entry
                                        # (change requires restart, kerberos only)
#krb_caseins_users = off                # (change requires restart)

-- 
Sent via pgsql-admin mailing list (pgsql-admin@[EMAIL PROTECTED])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
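
A triage helper for the syslog excerpt in the post above, added here as an example and not part of the original message: it groups PostgreSQL syslog lines by backend PID and reports each failed Kerberos login with the "received" and "expected" names from the log. The sample lines are constructed in the post's format (wrapped lines joined, port values made up), and the function and field names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the syslog excerpt in the post
# (wrapped continuations already joined; port values are made up).
SAMPLE_LOG = """\
Apr 17 11:18:39 sensei postgres[4486]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=50001
Apr 17 11:18:39 sensei postgres[4486]: [4-1] LOG:  unexpected Kerberos user name received from client (received "wsbackup", expected "wsbackup/mitchell.cs.wisc.edu")
Apr 17 11:18:39 sensei postgres[4486]: [5-1] FATAL:  Kerberos 5 authentication failed for user "wsbackup"
Apr 17 11:18:40 sensei postgres[4490]: [3-1] LOG:  connection received: host=mitchell.cs.wisc.edu port=50002
"""

# "postgres[PID]: [N-M] LEVEL:  message" as it appears in the excerpt.
LINE = re.compile(r'postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
HOST = re.compile(r'connection received: host=(\S+)')
MISMATCH = re.compile(r'unexpected Kerberos user name received from client '
                      r'\(received "([^"]*)", expected "([^"]*)"\)')
FAILED = re.compile(r'Kerberos 5 authentication failed for user "([^"]*)"')

def kerberos_failures(log_text):
    """Group lines by backend PID; return one record per failed Kerberos login."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a PostgreSQL syslog line
        s, msg = sessions[m['pid']], m['msg']
        if (h := HOST.search(msg)):
            s['host'] = h.group(1)
        elif (k := MISMATCH.search(msg)):
            s['received'], s['expected'] = k.groups()
        elif (f := FAILED.search(msg)):
            s['failed_user'] = f.group(1)
    records = []
    for pid, s in sessions.items():
        if 'failed_user' not in s:
            continue  # connection without a logged Kerberos failure
        rec = {'pid': int(pid), **s}
        if 'expected' in s:
            primary, _, instance = s['expected'].partition('/')
            # True when the names differ only by the "/instance" component.
            rec['instance_only_mismatch'] = bool(instance) and primary == s['received']
        records.append(rec)
    return records

if __name__ == '__main__':
    for rec in kerberos_failures(SAMPLE_LOG):
        print(rec)
```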
 



