Looking closely at a configuration guide for MSSQL with Kerberos authentication, I see this part: https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/register-a-service-principal-name-for-kerberos-connections?view=sql-server-ver16#Manual. It looks like it might be adapted to your question.
--Michael

On Mon, Jun 6, 2022 at 10:26 PM Michael van der Kolff <mvanderko...@gmail.com> wrote:

> This sounds like your PG service was unable to authenticate itself to AD.
>
> There's probably a trick to that somewhere - AD doesn't really want to be
> a Kerberos server, it just happens to use it 😉
>
> On Mon, 6 June 2022, 10:05 pm Niels Jespersen, <n...@dst.dk> wrote:
>
>> Hello all
>>
>> We are running Postgres 14 on Ubuntu. Our Windows users connect
>> passwordless using GSSAPI. This works great.
>>
>> Now we want users on Linux client to also connect passwordless using
>> GSSAPI. Users on Linux log on using their Active Directory credentials, as
>> the Linux host (Ubuntu 22.04) is joined to the domain. Logon to Linux works
>> fine, access to Windows cifs shares works fine authentication with
>> Kerberos.
>>
>> But psql won't connect using GSSAPI. It does hit the right pg_hba.conf
>> line and the username is translated via pg_ident.conf, just fine. But psql
>> says
>>
>> psql: error: connection to server at "srvpostgres4.xxx.local"
>> (172.30.33.30), port 1609 failed: could not initiate GSSAPI security
>> context: Unspecified GSS failure. Minor code may provide more information:
>> Server not found in Kerberos database connection to server at
>> "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI
>> continuation error: Unspecified GSS failure. Minor code may provide more
>> information: Server not found in Kerberos database
>>
>> Server log is like this
>>
>> 2022-06-06 08:14:01.176
>> CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-06-06
>> 08:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user
>> ""yyy""","Connection matched pg_hba.conf line 15: ""host all
>> all 172.0.0.0/8 gss map=xxxlocal include_realm=0
>> krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
>>
>> We are a bit lost here. What are we missing?
>>
>> Regards
>> Niels Jespersen