Hello all

We have our analysis users log on to Postgres without a password. Instead we 
rely on their Windows identity. 

When the Postgres server is on Windows, we use SSPI. Works great. 

When the Postgres server is on Linux, we use GSSAPI. Works great.

Now, we are introducing Linux for analysts to run their Python/R/SQL/whatever. 

They log onto Linux using their Windows identity. The Linux analysis servers 
are joined to the Windows domain using sssd. 

This gives us a headache. Logging onto Postgres without a password does not 
immediately work when the Windows user is logged onto a Linux server with their 
Windows credentials. 

Linux is Ubuntu 22.04 on the client side, Ubuntu 20.04 on the Postgres server 
side. Postgres server version is server 14.2 (Ubuntu 14.2-1.pgdg20.04+1). psql 
client is psql (PostgreSQL) 14.2 (Ubuntu 14.2-1ubuntu1).

What happens is this

yyy@srvpython8:~$ psql service=bigdata_db1
psql: error: connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: could not initiate GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database
connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information: Server not found in Kerberos database
yyy@srvpython8:~$

The Postgres server log has this. 

2022-05-13 18:14:01.140 CEST,,,474093,"172.30.32.213:33554",627e83c9.73bed,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33554",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33556",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host    all             all             172.0.0.0/8             gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920

Are we forgetting to set something up? 

Regards Niels Jespersen

