BUG #4126: KRB5/GSSAPI authentication fails for multipart kerberos principals

by pjkoczan@[EMAIL PROTECTED] ("Peter Koczan") Apr 23, 2008 at 05:17 PM

The following bug has been logged online:

Bug reference:      4126
Logged by:          Peter Koczan
Email address:      pjkoczan@[EMAIL PROTECTED]
 version: 8.3.1
Operating system:   Red Hat Enterprise Linux 5
Description:        KRB5/GSSAPI authentication fails for multipart kerberos principals
Details: 

When trying to connect to an 8.3 server using a multipart Kerberos principal
(e.g. ator/wsbackup.cs.wisc.edu@[EMAIL PROTECTED] or koczan/mail@[EMAIL PROTECTED]
of wsbackup@[EMAIL PROTECTED] or koczan@[EMAIL PROTECTED]), the connection
fails, claiming a name mismatch. This is a change from 8.2 and I found
nothing in the changelog or documentation to suggest this change or offer a
workaround.

This happens no matter what client libraries I'm using (I'll connect using
8.3 clients only to illustrate this point).

Here's what happens with a normal login principal:

[koczan@[EMAIL PROTECTED] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_zWQIbO
Default principal: koczan@[EMAIL PROTECTED]
 koczan $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 su****
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

WARNING:  You are connected to a server with major version 8.2,
but your psql client is major version 8.3.  Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

su****=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

su****=> select current_user;
 current_user 
--------------
 koczan
(1 row)


[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 su****
Welcome to psql 8.3.1, the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

su****=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.3.1 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

su****=> select current_user;
 current_user 
--------------
 koczan
(1 row)


And what happens with my "mail" instance:

[root@[EMAIL PROTECTED] ~]# su - koczan
[koczan@[EMAIL PROTECTED] ~ $ klist
klist: No credentials cache found (ticket cache FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc)
....

[koczan@[EMAIL PROTECTED] ~ $ kinit -f -k -t /var/adm/krb5/quickauth/kt/koczan.mail.kt -l 1d koczan/mail@[EMAIL PROTECTED]
 ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc
Default principal: koczan/mail@[EMAIL PROTECTED]
 to an 8.2 server works just fine...

[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 su****
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type:  \copyright for distribution terms
       \h for help with SQL commands
       \? for help with psql commands
       \g or terminate with semicolon to execute query
       \q to quit

WARNING:  You are connected to a server with major version 8.2,
but your psql client is major version 8.3.  Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

su****=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

su****=> select current_user;
 current_user 
--------------
 koczan
(1 row)

However, connecting to an 8.3 server...

[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 su****
psql: FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "su****", SSL off

And this shows up in the syslog...
Apr 23 12:02:41 sensei postgres[23100]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=49188
Apr 23 12:02:41 sensei postgres[23100]: [4-1] LOG:  unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 sensei postgres[23100]: [5-1] FATAL:  Kerberos 5 authentication failed for user "koczan"
Apr 23 12:02:41 sensei postgres[23101]: [3-1] LOG:  connection received: host=ator.cs.wisc.edu port=49189
Apr 23 12:02:41 sensei postgres[23101]: [4-1] FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "su****", SSL off

The appropriate line in pg_hba.conf shows
hostssl all         all         128.105.0.0/16     krb5

I'm connecting via native krb5, but this problem (or a variant of it) occurs
when using GSSAPI authentication...

[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 su****
psql: FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "su****", SSL off

Apr 23 12:08:02 sensei postgres[23257]: [4-1] LOG:  connection received: host=ator.cs.wisc.edu port=49409
Apr 23 12:08:02 sensei postgres[23257]: [5-1] FATAL:  GSSAPI authentication failed for user "koczan"
Apr 23 12:08:02 sensei postgres[23258]: [4-1] LOG:  connection received: host=ator.cs.wisc.edu port=49410
Apr 23 12:08:02 sensei postgres[23258]: [5-1] FATAL:  no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "su****", SSL off

Different things happen when I turn SSL off, but it's still failing to
connect...

Native krb5 / SSL off:

[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 su****
psql: FATAL:  Kerberos 5 authentication failed for user "koczan"

Apr 23 12:12:10 sensei postgres[23327]: [6-1] LOG:  connection received: host=ator.cs.wisc.edu port=49525
Apr 23 12:12:11 sensei postgres[23327]: [7-1] LOG:  unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23327]: [8-1] FATAL:  Kerberos 5 authentication failed for user "koczan"
Apr 23 12:12:11 sensei postgres[23328]: [6-1] LOG:  connection received: host=ator.cs.wisc.edu port=49526
Apr 23 12:12:11 sensei postgres[23328]: [7-1] LOG:  unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23328]: [8-1] FATAL:  Kerberos 5 authentication failed for user "koczan"

GSSAPI / SSL off:

[koczan@[EMAIL PROTECTED] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 su****
psql: duplicate GSS authentication request

Apr 23 12:10:21 sensei postgres[23287]: [5-1] LOG:  connection received: host=ator.cs.wisc.edu port=49462
Apr 23 12:10:22 sensei postgres[23287]: [6-1] FATAL:  GSSAPI authentication failed for user "koczan"
Apr 23 12:10:22 sensei postgres[23288]: [5-1] LOG:  connection received: host=ator.cs.wisc.edu port=49463
Apr 23 12:10:22 sensei postgres[23288]: [6-1] FATAL:  GSSAPI authentication failed for user "koczan"

-- 
Sent via pgsql-bugs mailing list (pgsql-bugs@[EMAIL PROTECTED])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-bugs
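
The syslog excerpts in the report above can be triaged mechanically. The following is an added example, not part of the original post and not PostgreSQL code: it groups server log lines by backend PID and flags failed Kerberos/GSSAPI logins where the name the server expected carries an instance part (as in "koczan/mail") while the name it received is the bare primary. The sample lines and host names are constructed, modelled on the messages quoted in the report, and one log record per line is assumed.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the syslog messages quoted in the report.
SAMPLE_LOG = """\
Apr 23 12:02:41 dbhost postgres[23100]: [3-1] LOG:  connection received: host=client.example.org port=49188
Apr 23 12:02:41 dbhost postgres[23100]: [4-1] LOG:  unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 dbhost postgres[23100]: [5-1] FATAL:  Kerberos 5 authentication failed for user "koczan"
Apr 23 12:03:10 dbhost postgres[23110]: [3-1] LOG:  connection received: host=client.example.org port=49190
Apr 23 12:03:10 dbhost postgres[23110]: [4-1] FATAL:  GSSAPI authentication failed for user "koczan"
"""

LINE = re.compile(r'postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$')
MISMATCH = re.compile(r'unexpected Kerberos user name received from client '
                      r'\(received "(?P<got>[^"]*)", expected "(?P<want>[^"]*)"\)')
FAILED = re.compile(r'(?P<method>Kerberos 5|GSSAPI) authentication failed for user "(?P<user>[^"]*)"')
HOST = re.compile(r'connection received: host=(?P<host>\S+)')

def triage(log_text):
    """Group lines by backend PID and summarise each failed Kerberos/GSSAPI login."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue  # not a postgres syslog record
        s, msg = sessions[m['pid']], m['msg']
        if (h := HOST.search(msg)):
            s['host'] = h['host']
        elif (mm := MISMATCH.search(msg)):
            s['received'], s['expected'] = mm['got'], mm['want']
        elif (f := FAILED.search(msg)):
            s['method'], s['user'] = f['method'], f['user']
    findings = []
    for pid, s in sessions.items():
        if 'method' not in s:
            continue  # this backend logged no Kerberos/GSSAPI failure
        expected = s.get('expected')
        primary, _, instance = (expected or '').partition('/')
        findings.append({
            'pid': pid, 'host': s.get('host'), 'method': s['method'],
            'user': s['user'], 'expected': expected,
            # True when the expected name has an instance part and its primary equals the received name.
            'instance_mismatch': bool(instance) and primary == s.get('received'),
        })
    return findings
```

A GSSAPI failure logged without the "unexpected Kerberos user name" line, as in the report, comes back with `expected` set to `None`, so it still needs manual correlation with the client's `klist` output.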
 



