Hi,

Here is the command with which the keytab has been regenerated. Unfortunately it 
did not help.

ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-...@aws-ad-ee1.example.com +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1.EXAMPLE.COM
Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com
Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.
Password successfully set!
Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...
Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".
Key created.
Output keytab to pgadmin-dev-ad-ee1.keytab:
Keytab version: 0x502
keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)

C:\Users\Admin>

Do you have any other advice on how to find out where the problem is?

Thank you
milanm


From: Khushboo Vashi <khushboo.va...@enterprisedb.com>
Sent: Monday, January 9, 2023 7:11 AM
To: Milan MOLNÁR <milan_mol...@tatrabanka.sk>
Cc: pgadmin-supp...@postgresql.org
Subject: Re: pgadmin kerberos auth problem - Delegated credentials not supplied.

Hi,

On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_mol...@tatrabanka.sk> wrote:

Hello Khushboo,

Thank you for your time and advice. We had to change the concept based on your 
recommendation, because, as I wrote, we used an external KDC on Linux to provide 
the Kerberos ticket for the service and therefore there was no user in AD.
We created a service user account in AD (password never expires, AES 128/256 
encryption), set the service SPN on that user, and generated the keytab via the 
ktpass command. When we use pgadmin with this keytab and ask AD directly for a 
Kerberos ticket, we end up with the error message

Have you used any encryption type while creating the keytab? It should match 
the AD user account.
If possible please provide the command you have used to create the keytab file.

Make sure to generate a new keytab whenever you make changes to the AD user.

Thanks,
Khushboo
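A keytab (format 0x502) parser with an enctype check, added here as an example and not part of this thread or of pgAdmin: it reads the entries of a keytab such as the one ktpass wrote above, rebuilds the default AES salt (realm followed by the principal components with no separators, which is the string ktpass printed), and lists entries whose enctype the AD account is not enabled for. The sample keytab is constructed in memory with a dummy all-zero key; the realm, principal, kvno and etype mirror the ktpass output, and the 117-byte entry size matches it.

```python
import struct
from dataclasses import dataclass

@dataclass
class KeytabEntry:
    realm: str
    components: list   # e.g. ["HTTP", "pgadmin-dev.aws-ad-ee1.example.com"]
    name_type: int     # 1 = KRB5_NT_PRINCIPAL
    kvno: int
    etype: int         # 17 = AES128-SHA1, 18 = AES256-SHA1, 23 = RC4-HMAC
    key: bytes

    def default_salt(self):
        # The AES salt ktpass prints: realm and principal components concatenated, no separators.
        return self.realm + "".join(self.components)
def _counted(buf, off):  # 16-bit big-endian length, then that many bytes
    n = struct.unpack_from(">H", buf, off)[0]
    return buf[off + 2:off + 2 + n].decode(), off + 2 + n
def build_entry(e):
    # Serialise one entry in keytab v2 (0x502) layout; used here only to construct the sample input.
    body = struct.pack(">H", len(e.components))
    for s in [e.realm, *e.components]:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIBHH", e.name_type, 0, e.kvno & 0xFF, e.etype, len(e.key)) + e.key
    body += struct.pack(">I", e.kvno)   # 32-bit kvno extension, as in the ktpass output
    return struct.pack(">i", len(body)) + body

def parse_keytab(buf):
    if buf[:2] != b"\x05\x02": raise ValueError("only keytab format 0x502 is supported")
    off, entries = 2, []
    while off < len(buf):
        size = struct.unpack_from(">i", buf, off)[0]; off += 4
        if size < 0: off -= size; continue       # negative size marks a deleted slot
        end = off + size
        ncomp = struct.unpack_from(">H", buf, off)[0]; off += 2
        realm, off = _counted(buf, off)
        comps = []
        for _ in range(ncomp): c, off = _counted(buf, off); comps.append(c)
        name_type, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", buf, off); off += 13
        key = buf[off:off + klen]; off += klen
        kvno = struct.unpack_from(">I", buf, off)[0] if end - off >= 4 else vno8
        entries.append(KeytabEntry(realm, comps, name_type, kvno, etype, key)); off = end
    return entries

def etype_mismatches(entries, account_etypes):
    # Entries whose enctype the AD account is not enabled for: the mismatch the reply asks about.
    return [e for e in entries if e.etype not in account_etypes]

# Constructed sample mirroring the entry ktpass printed above; the key is a dummy, not the real one.
SAMPLE = KeytabEntry("AWS-AD-EE1.EXAMPLE.COM", ["HTTP", "pgadmin-dev.aws-ad-ee1.example.com"], 1, 4, 18, bytes(32))
SAMPLE_KEYTAB = b"\x05\x02" + build_entry(SAMPLE)
```

To check a real file, pass `open(path, "rb").read()` to `parse_keytab` and compare each entry's kvno and etype with the AD account's current values; a stale kvno or an etype the account is not enabled for means the keytab must be regenerated.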


________________________________________________________________________
The information contained in this document is intended exclusively for the
needs of its addressee. The document may contain information protected
by banking or trade secrets or information subject to protection under other
legal regulations. In the event that this document was delivered to you by mistake,
we urge you to refrain from declassifying it or using it for your own purposes.
At the same time, we would like to request that you inform us of such a case
without undue delay and then dispose of the document.

Tatra banka, a.s.
Hodžovo námestie 3, 811 06 Bratislava 1 
Company ID (IČO): 00 686 930
Registered in the Commercial Register of the District Court Bratislava I
Section: Sa, Insert No.: 71/B
https://www.tatrabanka.sk
