You need to tell PostgreSQL/pg_hba.conf the AD Kerberos server name ldap = kerberos.domain.com and suffix @domain.com
Then create the users (in fact a role) as the owner of a database. Hereafter the user could just write psql after login, and after password authentication the user/role is logged into the database.

It has been tested and works!
Hope it is useful.

Regards
Poul

2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhi...@tenaris.com>:

> Hello All,
>
> I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos (Active Directory) via GSSAPI authentication and I’m getting the following error:
>
> [postgres@hostname data]$ psql -h hostname -U usern...@domain.com postgres
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
> GSSAPI continuation error: Server not found in Kerberos database
>
> I did the following configuration:
>
> 1.- Create KeyTab in Active Directory:
>
> ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain.c...@domain.com -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL
>
> 2.- Copy the keytab to Linux Server on $PGDATA and change the privileges to postgres:postgres
>
> 3.- Configure postgresql.conf
>
> krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab
>
> 4.- Configure /etc/krb5.conf
>
> 5.- Request a ticket to the KDC server using kinit (this works OK!)
>
> [postgres@hostname ~]$ klist
> Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx
> Default principal: usern...@domain.com
>
> Valid starting       Expires              Service principal
> 01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/domain....@domain.com
>         renew until 02/06/2018 11:01:55
>
> 6.- Configure pg_hba.conf
>
> host all all 0.0.0.0/0 gss include_realm=1
>
> 7.- Create user in PG to test:
>
> create user “usern...@domain.com” WITH SUPERUSER;
>
> 8.- Testing
>
> [postgres@hostname data]$ psql -h hostname -U usern...@domain.com postgres
> psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
> GSSAPI continuation error: Server not found in Kerberos database
>
> I tried generating the Keytab with “postgres” and “POSTGRES” user as a SPN but I get the same error.
>
> Any suggestion is welcome!
>
> Thanks in advance for your help!
>
> Jorge

--
Best regards
Poul Kristensen
Linux-OS/Virtualization expert and Oracle DBA
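
A check for the "Server not found in Kerberos database" error quoted above, as an added example that is not part of the thread: it builds the service principal a client would request for a given `-h` host and compares it with the principals in a `klist -k` listing of the keytab. The host and realm names, the sample listing and the function names are constructed, and the script assumes the Kerberos library does not canonicalize the host name through DNS.

```shell
#!/usr/bin/env bash
# Added example: compare the SPN a psql client would request with the
# principals stored in a keytab, as printed by `klist -k <keytab>`.

# Constructed sample listing; host and realm are placeholders. Several
# encryption types for one principal show up as repeated rows.
SAMPLE_KLIST='Keytab name: FILE:/tmp/example.keytab
KVNO Principal
---- --------------------------------------------------
   3 postgres/db01.example.com@EXAMPLE.COM
   3 postgres/db01.example.com@EXAMPLE.COM'

# Service principal = <krbsrvname>/<host given to psql -h>@<REALM>.
# Assumption: no DNS canonicalization of the host by the Kerberos library.
expected_spn() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Print the principal column of `klist -k` output, de-duplicated.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# check_spn <spn> <klist -k output> -> match | case-mismatch | missing
check_spn() {
    want=$1
    verdict=missing
    while IFS= read -r have; do
        if [ "$have" = "$want" ]; then
            echo match
            return 0
        fi
        # Keytab lookups compare principal names case-sensitively.
        if [ "$(lower "$have")" = "$(lower "$want")" ]; then
            verdict=case-mismatch
        fi
    done <<EOF
$(keytab_principals "$2")
EOF
    echo "$verdict"
}

# Short name, fully qualified name, and a differently cased service name.
for pair in postgres:db01 postgres:db01.example.com POSTGRES:db01.example.com; do
    spn=$(expected_spn "${pair%%:*}" "${pair#*:}" EXAMPLE.COM)
    printf '%-42s %s\n' "$spn" "$(check_spn "$spn" "$SAMPLE_KLIST")"
done
```

On a real server, pass the output of `klist -k` for the file named in `krb_server_keyfile` as the second argument of `check_spn`.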