Nope. I get this:

kinit(v5): Client not found in Kerberos database while getting initial credentials
On Jun 15, 2010, at 10:03 PM, Bryan Montgomery wrote:

> I'm not in front of a linux machine, but does
> kinit -kt postgres.keytab -S POSTGRES/host.domain.com grant a ticket without
> asking for the password?
>
> On Tue, Jun 15, 2010 at 2:38 PM, <greigw...@comcast.net> wrote:
>
>> As suggested below, I just tried this:
>>
>> kinit -S POSTGRES/host.domain.com user
>>
>> (where user is my account name in AD). That then asked for my password and
>> when I entered it, it seemed to work. And now klist shows that I have a
>> ticket. Doing it this way though, the keytab file doesn't seem to come into
>> play. Does this point to something in my keytab file being wrong?
>>
>> I did this:
>>
>> klist -ket postgres.keytab
>>
>> and got:
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 12/31/69 19:00:00 POSTGRES/host.domain....@domain.com (DES cbc mode with RSA-MD5)
>>
>> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be
>> right, can it?
>>
>> Thanks again.
>>
>> Greig
>>
>> ----- Original Message -----
>> From: "Stephen Frost" <sfr...@snowman.net>
>> To: "Bryan Montgomery" <mo...@english.net>
>> Cc: greigw...@comcast.net, pgsql-general@postgresql.org
>> Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
>> Subject: Re: [GENERAL] GSS Authentication
>>
>> * Bryan Montgomery (mo...@english.net) wrote:
>>> I've been trying this as well off and on. In my case I'm not convinced the
>>> AD configuration is correct (And someone else manages that).
>>
>> Yeah, that can be a challenge.. but it's *definitely* possible to get
>> it set up and working correctly.
>>
>>> Can you use kinit with the key tab options to get a good response from the
>>> server? I think I should be able to do this ..
>>> $ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
>>> kinit(v5): Preauthentication failed while getting initial credentials
>>
>> err, I'm not sure that should be expected to work.
>>
>> What does klist -ek <keytab file> return? Also, you should be able to
>> kinit to *your* princ in the AD, and if you can do that, you should be
>> able to use your princ to request the service princ ticket from the KDC
>> by doing kinit -S HTTP/poe3b.lab2k.net your.princ
>>
>> Also, provided your *client* is set up/configured correctly, you should
>> be able to see that it acquires the ticket (by using klist) when you try
>> to connect to the server, even if the server is misconfigured.
>>
>>> I'd be interested to know if you get something different - and the steps you
>>> went through on the AD side.
>>
>> You have to create an account in Active Directory for the PG service and
>> then use:
>>
>> ktpass /princ POSTGRES/myserver.mydomain....@mydomain.com /mapuser
>> postg...@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype
>> KRB5_NT_PRINCIPAL /out krb5.keytab
>>
>> Then copy that krb5.keytab to the server. Note that you then have to
>> adjust the server config to have service name set to POSTGRES, and
>> adjust clients using the environment variables to indicate they should
>> ask for POSTGRES (instead of the postgres default).
>>
>> Thanks,
>>
>> Stephen
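The klist -ket output quoted in the thread shows two things worth checking in any keytab handed over from AD: a KVNO timestamp of 12/31/69 19:00:00, which is Unix time 0 rendered in US Eastern (the keytab writer simply stored no timestamp), and a single DES key, whereas the ktpass command Stephen gives writes AES256. The following is an added example, not code from the thread or from PostgreSQL or MIT Kerberos: a small reader for the MIT keytab file format (version 0x0502) that lists each entry and flags weak encryption types and zero timestamps. The sample keytab it parses is constructed inline with dummy key bytes; the principal and realm names are taken from the thread.

```python
"""Minimal reader for MIT Kerberos keytab files (format version 0x0502),
used to audit entries for weak encryption types and zero timestamps.
Added example; the sample keytab below is constructed, not a real file."""
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Encryption type numbers from RFC 3961/3962/4757. DES and RC4 count as weak here.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",                # klist prints this as "DES cbc mode with RSA-MD5"
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",   # what ktpass /crypto AES256-SHA1 writes
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 2, 3, 23}


@dataclass
class KeytabEntry:
    principal: str
    timestamp: int   # seconds since the Unix epoch; 0 renders as 12/31/69 19:00 EST
    kvno: int
    enctype: int
    key: bytes


def _counted(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read a uint16-length-prefixed octet string, returning (bytes, next offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data: bytes) -> List[KeytabEntry]:
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size < 0:                 # negative size marks a deleted entry (hole)
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        realm, off = _counted(data, off + 2)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, off)
        enctype, klen = struct.unpack_from(">HH", data, off + 9)
        off += 13
        key = data[off:off + klen]
        off += klen
        kvno = vno8
        if end - off >= 4:           # optional 32-bit vno follows the key block
            (vno32,) = struct.unpack_from(">I", data, off)
            kvno = vno32 or vno8
        entries.append(KeytabEntry("/".join(comps) + "@" + realm.decode(),
                                   timestamp, kvno, enctype, key))
        off = end
    return entries


def audit_keytab(data: bytes) -> List[str]:
    """One finding per weak enctype or zero timestamp; an empty list means clean."""
    findings = []
    for e in parse_keytab(data):
        name = ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype)
        if e.enctype in WEAK_ENCTYPES:
            findings.append("%s kvno %d: weak %s" % (e.principal, e.kvno, name))
        if e.timestamp == 0:
            findings.append("%s kvno %d: timestamp is 0 (Unix epoch)" % (e.principal, e.kvno))
    return findings


def build_entry(principal: str, realm: str, timestamp: int, kvno: int,
                enctype: int, key: bytes) -> bytes:
    """Encode one entry; used only to construct the sample keytab below."""
    comps = principal.split("/")
    body = struct.pack(">H", len(comps))
    for s in [realm] + comps:
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xFF)   # name type 1 = KRB5_NT_PRINCIPAL
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


# Constructed sample: a DES key stamped 0 (like the klist output in the thread)
# plus an AES256 key with a plausible June 2010 timestamp. Key bytes are dummies.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + build_entry("POSTGRES/host.domain.com", "DOMAIN.COM", 0, 3, 3, b"\x01" * 8)
    + build_entry("POSTGRES/host.domain.com", "DOMAIN.COM", 1276500000, 4, 18, b"\x02" * 32)
)

if __name__ == "__main__":
    for e in parse_keytab(SAMPLE_KEYTAB):
        print(e.kvno, e.timestamp, e.principal, ENCTYPE_NAMES.get(e.enctype, e.enctype))
    for finding in audit_keytab(SAMPLE_KEYTAB):
        print("FINDING:", finding)
```

Run against a real file with `audit_keytab(open("postgres.keytab", "rb").read())`. A zero timestamp by itself does not stop kinit from working, so on the thread's question it is only a hint about how the keytab was produced; a DES-only entry is the more important finding, since a KDC that no longer offers DES will refuse that key even though it is otherwise valid.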