I have subsequently discovered that the psql command running from remote Windows 
(server/client) and RHEL8 works as expected using GSS.  PGAdmin4 also works via 
Kerberos (it was on my list of things to get working).  It's just that locally on the 
server, psql will not work against PostgreSQL running on the same server.

I really don't get it, but have decided I can live without it working on the 
server.

R
-----Original Message-----
From: Stephen Frost <sfr...@snowman.net> 
Sent: Monday, February 26, 2024 7:33 PM
To: Matthew Dennison <m...@matty-uk.co.uk>
Cc: pgsql-general@lists.postgresql.org
Subject: Re: Unable to get PostgreSQL 15 with Kerberos (GSS) working

Greetings,

* Matthew Dennison (m...@matty-uk.co.uk) wrote:
> No matter what I try I don't seem to be able to get the psql command locally 
> to work using Kerberos.  I receive the following message:
> FATAL:  GSSAPI authentication failed for user "postgres"
> FATAL:  GSSAPI authentication failed for user 
> myad.usern...@mydomain.net
[...]
> kinit -kt /pgcluster/data/postgres.keytab POSTGRES/hostname.mydomain....@mydomain.net
> klist
> Ticket cache: KCM:0:20151
> Default principal: POSTGRES/hostname.mydomain....@mydomain.net
> 
> Valid starting     Expires            Service principal
> 23/02/24 10:19:12  23/02/24 20:19:12  krbtgt/mydomain....@mydomain.net
>         renew until 23/02/24 20:19:12

Doesn't look like you're actually getting a PG ticket ...

> psql -h localhost -U postgres -d postgres

And this might be why.  Don't use '-h localhost' because that'll, by default 
anyway, cause the Kerberos library to try to do reverse DNS on the address you 
are trying to connect to (::1/128, for example) ... and that possibly just 
resolves to 'localhost', which isn't the server's name that you're trying to 
connect to.  If the rDNS lookup fails then we'll use what you provided, but 
again, that's just 'localhost' and isn't the server's name in the AD realm.

Try doing:

psql -h hostname.mydomain.net -U postgres -d postgres

instead, and update your pg_hba.conf to match those connections which are 
coming into the system's actual IP address instead of only matching localhost 
connection attempts.

You're definitely not going to have any success until you can do a 'klist' and 
see a POSTGRES/hostname.mydomain.net ticket listed after doing your psql 
attempt.

Thanks,

Stephen
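As an added example (not code from the thread, and not Stephen's or Matthew's), here is a small shell script that automates the two checks Stephen describes: it emits a pg_hba.conf line that matches connections arriving on the server's real address rather than the loopback address, and it parses klist output to confirm that a POSTGRES/<server fqdn> service ticket is present after the psql attempt. The realm MYDOMAIN.NET, the FQDN hostname.mydomain.net and the address 192.0.2.10 are assumptions, and the klist output embedded below is constructed to look like the one posted in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed values: the server's Kerberos
# name and realm from the thread, plus a made-up interface address 192.0.2.10.
set -u

PG_HOST="hostname.mydomain.net"        # name that carries the POSTGRES/ SPN, not "localhost"
PG_REALM="MYDOMAIN.NET"
PG_SPN="POSTGRES/${PG_HOST}@${PG_REALM}"
PG_ADDR="192.0.2.10"                   # assumed: the address clients really connect to

# Reads klist output on stdin; returns 0 only if the ticket table (lines after the
# "Valid starting" header) holds a ticket for $PG_SPN. The "Default principal:" line
# is deliberately ignored: the thread's kinit used the service keytab itself, so that
# line mentions POSTGRES/... without proving psql ever obtained a service ticket.
has_pg_service_ticket() {
    awk -v spn="$PG_SPN" '
        /^Valid starting/ { in_table = 1; next }
        in_table && NF >= 5 && $5 == spn { found = 1 }
        END { exit found ? 0 : 1 }'
}

# pg_hba.conf line to add: GSS auth must match the address the client arrives on.
# A line for 127.0.0.1/32 or ::1/128 only ever catches "-h localhost" attempts.
pg_hba_gss_lines() {
    cat <<EOF
# TYPE  DATABASE  USER  ADDRESS          METHOD
host    all       all   ${PG_ADDR}/32    gss include_realm=0 krb_realm=${PG_REALM}
EOF
}

# The live attempt (needs psql, a Kerberos client and an existing TGT from kinit).
# Connect by the server's real name, then confirm the service ticket was issued.
attempt_gss_login() {
    psql -h "$PG_HOST" -U postgres -d postgres -c 'select current_user' || true
    if klist | has_pg_service_ticket; then
        echo "service ticket for $PG_SPN present: GSS reached the server"
    else
        echo "no $PG_SPN ticket: the client never asked the KDC for the server's SPN"
    fi
}

# Constructed klist output modelled on the thread: only the TGT, no service ticket.
KLIST_BEFORE=$(cat <<EOF
Ticket cache: KCM:0:20151
Default principal: POSTGRES/hostname.mydomain.net@MYDOMAIN.NET

Valid starting     Expires            Service principal
23/02/24 10:19:12  23/02/24 20:19:12  krbtgt/MYDOMAIN.NET@MYDOMAIN.NET
        renew until 23/02/24 20:19:12
EOF
)

# Constructed output as it should look after "psql -h hostname.mydomain.net ..." worked.
KLIST_AFTER="${KLIST_BEFORE}
23/02/24 10:21:03  23/02/24 20:19:12  POSTGRES/hostname.mydomain.net@MYDOMAIN.NET
        renew until 23/02/24 20:19:12"

# Only touch the network when explicitly asked: ./gss-check.sh run
if [ "${1:-}" = "run" ]; then
    attempt_gss_login
fi
```

Run it with no arguments to load the functions and samples only; `run` performs the real psql attempt and then pipes `klist` through `has_pg_service_ticket`, which is the same check as eyeballing klist for the POSTGRES/ line.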

