Thanks Poul,

According to the official documentation, parameters like ldap and suffix in 
pg_hba.conf are for LDAP authentication, not for Kerberos/GSSAPI. In fact, 
authentication through LDAP works fine in our environment, but not Kerberos…

Do you know if the principal in Active Directory KDC must be in uppercase or 
lowercase? POSTGRES or postgres? Just to confirm.

Thanks
Jorge

From: EXTERNAL:Poul Kristensen [mailto:bcc5...@gmail.com]
Sent: martes, 30 de enero de 2018 01:50 p.m.
To: HIRTZ Jorge Alberto TENARIS <jhi...@tenaris.com>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: PostgreSQL Kerberos Authentication

You need to tell PostgreSQL/pg_hba.conf the AD Kerberos server name, ldap = 
kerberos.domain.com, and the suffix, @domain.com.

Then create the users (a user is in fact a role) as the owner of a database.
Hereafter the user can just type psql after login, and after password 
authentication the user/role is logged into the database.

It has been tested and works!

Hope it is useful.

regards
Poul

2018-01-30 17:13 GMT+01:00 HIRTZ Jorge Alberto TENARIS <jhi...@tenaris.com>:
Hello All,

I am trying to configure PostgreSQL 9.6 (on CentOS 7.4) with Kerberos (Active 
Directory) via GSSAPI authentication, and I'm getting the following error:

[postgres@hostname data]$ psql -h hostname -U usern...@domain.com postgres
psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may 
provide more information
GSSAPI continuation error: Server not found in Kerberos database

I did the following configuration:

1.- Create KeyTab in Active Directory:
ktpass -out postgres_instance.keytab -princ postgres/hostnamename.domain....@domain.com -mapUser svcPostgres -pass <password> -crypto all -ptype KRB5_NT_PRINCIPAL

2.- Copy the keytab to the Linux server into $PGDATA and change the privileges 
to postgres:postgres
3.- Configure postgresql.conf
krb_server_keyfile = '/<INSTANCA_NAME>/data/postgres_instance.keytab'

4.- Configure /etc/krb5.conf

5.- Request a ticket from the KDC server using kinit (this works OK!)

[postgres@hostname ~]$ klist
Ticket cache: KEYRING:persistent:26:krb_ccache_AO0Y1kx
Default principal: usern...@domain.com

Valid starting       Expires              Service principal
01/30/2018 11:01:59  01/30/2018 21:01:59  krbtgt/domain....@domain.com
        renew until 02/06/2018 11:01:55


6.- Configure pg_hba.conf
host    all    all    0.0.0.0/0    gss include_realm=1
7.- Create a user in PG to test:
create user "usern...@domain.com" WITH SUPERUSER;

8.- Testing
[postgres@hostname data]$ psql -h hostname -U usern...@domain.com postgres
psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may 
provide more information
GSSAPI continuation error: Server not found in Kerberos database

I tried generating the keytab with "postgres" and "POSTGRES" as the SPN user, 
but I get the same error.

Any suggestion is welcome!

Thanks in advance for your help!

Jorge

--
Med venlig hilsen / Best regards
Poul Kristensen
Linux-OS/Virtualizationexpert and Oracle DBA
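Editor's note with an added example (not code from either poster): "Server not found in Kerberos database" is the KDC's reply when it has no entry for the service principal the client asked for. libpq builds that principal as krbsrvname/hostname@REALM, where krbsrvname defaults to postgres (lowercase) and hostname is the -h value after the Kerberos library has canonicalized it (forward DNS, plus reverse DNS unless rdns is disabled in krb5.conf) and lowercased it. The script below computes the principal a given psql invocation will request and compares it with a keytab listing, flagging the usual near misses (service-name case, short vs fully qualified hostname, realm case). It also shows which role name the server looks up under include_realm. The names pghost.example.com, EXAMPLE.COM, jorge@EXAMPLE.COM and the klist -kt listing are constructed for the example.

```python
"""Work out which service principal a libpq/GSSAPI client will request and
compare it with a keytab listing. Added example, not code from the thread.

Constructed/assumed names: pghost.example.com, EXAMPLE.COM and the keytab
listing below (shaped like `klist -kt` output) are made up for illustration.
"""
import re

DEFAULT_KRBSRVNAME = "postgres"  # libpq default for the krbsrvname parameter

# Constructed `klist -kt` output showing three common mismatches at once:
# upper-case service name, short hostname, lower-case realm.
KEYTAB_LISTING = """\
Keytab name: FILE:/var/lib/pgsql/9.6/data/postgres_instance.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------
   3 01/30/2018 10:55:02 POSTGRES/pghost@example.com
   3 01/30/2018 10:55:02 host/pghost.example.com@EXAMPLE.COM
"""


def expected_service_principal(host_arg, realm, canonical_fqdn=None,
                               srvname=DEFAULT_KRBSRVNAME):
    """Principal the client asks the KDC for: <srvname>/<host>@<REALM>.

    The Kerberos library canonicalizes the -h value (forward DNS, plus
    reverse DNS unless rdns = false in krb5.conf) and lowercases it. The
    canonical name is passed in here so the example runs offline.
    """
    host = (canonical_fqdn or host_arg).lower()
    return f"{srvname}/{host}@{realm}"


def split_principal(principal):
    """'svc/host@REALM' -> (svc, host, REALM); ValueError for anything else."""
    m = re.fullmatch(r"([^/@]+)/([^/@]+)@([^/@]+)", principal)
    if not m:
        raise ValueError(f"not a service principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)


def parse_klist_keytab(listing):
    """Pull service principals out of `klist -k` / `klist -kt` output."""
    found = []
    for line in listing.splitlines():
        m = re.match(r"^\s*\d+\s+(?:\S+\s+\S+\s+)?(\S+/\S+@\S+)\s*$", line)
        if m:
            found.append(m.group(1))
    return found


def diagnose(expected, keytab_principals):
    """Return [] if `expected` is in the keytab, otherwise a list of
    mismatches against every entry for the same service name."""
    if expected in keytab_principals:
        return []
    e_svc, e_host, e_realm = split_principal(expected)
    problems = []
    for p in keytab_principals:
        try:
            svc, host, realm = split_principal(p)
        except ValueError:
            continue
        if svc.lower() != e_svc.lower():
            continue  # a different service (e.g. host/...), not a near miss
        if svc != e_svc:
            problems.append(f"{p}: service name case differs from {e_svc!r}")
        if host != e_host:
            if e_host.startswith(host + "."):
                problems.append(f"{p}: short hostname, client asks for {e_host!r}")
            else:
                problems.append(f"{p}: hostname differs from {e_host!r}")
        if realm != e_realm:
            if realm.lower() == e_realm.lower():
                problems.append(f"{p}: realm case differs from {e_realm!r}")
            else:
                problems.append(f"{p}: realm differs from {e_realm!r}")
    if not problems:
        problems.append(f"no keytab entry for service {e_svc!r} at all")
    return problems


def role_name_for(client_principal, include_realm=True):
    """Role name the server looks up for a client principal, following the
    pg_hba.conf include_realm option (1 keeps 'user@REALM', 0 strips it)."""
    user, _, _realm = client_principal.partition("@")
    return client_principal if include_realm else user


if __name__ == "__main__":
    spn = expected_service_principal("pghost", "EXAMPLE.COM",
                                     canonical_fqdn="pghost.example.com")
    print("client will request:", spn)
    for problem in diagnose(spn, parse_klist_keytab(KEYTAB_LISTING)):
        print("  -", problem)
    print("role looked up:", role_name_for("jorge@EXAMPLE.COM"))
```

The printed principal is the one to look for on both sides: it must be registered in AD on the service account (setspn -L on the account shows what is there) and it must appear, with the same spelling, in the keytab the server loads (klist -kt on the keytab file). The KDC error in the thread is about the first of those; the keytab comparison covers the second leg, which fails with a different error once the KDC side is right.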
