Bryan, one thing I did have to do on the Linux side was to set dns_lookup_kdc = true in my krb5.conf file in the libdefaults section. Hope that helps.
Greig ----- Original Message ----- From: greigw...@comcast.net To: "Bryan Montgomery" <mo...@english.net>, sfr...@snowman.net Cc: "pgsql-general" <pgsql-general@postgresql.org> Sent: Wednesday, June 16, 2010 10:17:10 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication OMG!!! I finally got it working. Problem was that on the windows side on the service account within the account options, we needed to check "Use DES encryption types for this account". I had that changed on the AD side and that fixed the whole problem. Bryan, if you're still trying to get this to work I'd be happy to help if I can. Thanks all for the help. Greig ----- Original Message ----- From: "Greig Wise" <greigw...@comcast.net> To: "Bryan Montgomery" <mo...@english.net> Cc: "pgsql-general" <pgsql-general@postgresql.org> Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication Nope. I get this: kinit(v5): Client not found in Kerberos database while getting initial credentials On Jun 15, 2010, at 10:03 PM, Bryan Montgomery wrote: I'm not in front of a linux machine, but does kinit -kt postgres.keytab -S POSTGRES/ host.domain.com grant a ticket without asking for the password? On Tue, Jun 15, 2010 at 2:38 PM, < greigw...@comcast.net > wrote: As suggested below, I just tried this: kinit -S POSTGRES/ host.domain.com user (where user is my account name in AD). That then asked for my password and when I entered it, it seemed to work. And now klist shows that I have a ticket. Doing it this way though, the keytab file doesn't seem to come into play. Does this point to something in my keytab file being wrong? I did this: klist -ket postgres.keytab and got: KVNO Timestamp Principal ---- ----------------- -------------------------------------------------------- 3 12/31/69 19:00:00 POSTGRES/ host.domain.com @ DOMAIN.COM (DES cbc mode with RSA-MD5) That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be right, can it? Thanks again. Greig ----- Original Message ----- From: "Stephen Frost" < sfr...@snowman.net > To: "Bryan Montgomery" < mo...@english.net > Cc: greigw...@comcast.net , pgsql-general@postgresql.org Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication * Bryan Montgomery ( mo...@english.net ) wrote: > I've been trying this as well off and on. In my case I'm not convinced the > AD configuration is correct (And someone else manages that). Yeah, that can be a challenge.. but it's *definitely* possible to get it set up and working correctly. > Can you use kinit with the key tab options to get a good response from the > server? I think I should be able to do this .. > $ kinit -V -k -t poe3b.keytab HTTP/ poe3b.lab2k.net > kinit(v5): Preauthentication failed while getting initial credentials err, I'm not sure that should be expected to work. What does klist -ek <keytab file> return? Also, you should be able to kinit to *your* princ in the AD, and if you can do that, you should be able to use your princ to request the service princ ticket from the KDC by doing kinit -S HTTP/ poe3b.lab2k.net your.princ Also, provided your *client* is set up/configured correctly, you should be able to see that it acquires the ticket (by using klist) when you try to connect to the server, even if the server is misconfigured. > I'd be interested to know if you get something different - and the steps you > went through on the AD side. You have to create an account in Active Directory for the PG service and then use: ktpass /princ POSTGRES/ myserver.mydomain.com @ MYDOMAIN.COM /mapuser postg...@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype KRB5_NT_PRINCIPAL /out krb5.keytab Then copy that krb5.keytab to the server. Note that you then have to adjust the server config to have service name set to POSTGRES, and adjust clients using the environment variables to indiciate they should ask for POSTGRES (instead of the postgres default). Thanks, Stephen
