Hope you don't mind me resurrecting this thread - but I have made a fair bit of headway in my endeavours.
So, the big issue I had was a bug in Microsoft's ktpass (http://support.microsoft.com/kb/919557) that was on the server. After that I spent a bit of time on my Windows client fiddling, trying to get it to work. I had set PGSRVKRBNAME and tried setting PGGSSAPI; however, I wasn't using the FQDN of my database server. When I went from dbhost to dbhost.lab2k.net, I was able to connect. Hopefully this may help someone else in the future.

Now my next step is to see if I can make a connection from a Java application with JDBC.

Bryan.

On Wed, Jun 16, 2010 at 10:17 AM, <greigw...@comcast.net> wrote:
> OMG!!!
>
> I finally got it working. Problem was that on the windows side on the
> service account within the account options, we needed to check "Use DES
> encryption types for this account". I had that changed on the AD side and
> that fixed the whole problem.
>
> Bryan, if you're still trying to get this to work I'd be happy to help if I
> can.
>
> Thanks all for the help.
>
> Greig
>
> ----- Original Message -----
> From: "Greig Wise" <greigw...@comcast.net>
> To: "Bryan Montgomery" <mo...@english.net>
> Cc: "pgsql-general" <pgsql-general@postgresql.org>
> Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [GENERAL] GSS Authentication
>
> Nope. I get this:
>
> kinit(v5): Client not found in Kerberos database while getting initial
> credentials
>
> On Jun 15, 2010, at 10:03 PM, Bryan Montgomery wrote:
>
> I'm not in front of a linux machine, but does
> kinit -kt postgres.keytab -S POSTGRES/host.domain.com grant a ticket
> without asking for the password?
>
> On Tue, Jun 15, 2010 at 2:38 PM, <greigw...@comcast.net> wrote:
>
>> As suggested below, I just tried this:
>>
>> kinit -S POSTGRES/host.domain.com user
>>
>> (where user is my account name in AD). That then asked for my password
>> and when I entered it, it seemed to work. And now klist shows that I have a
>> ticket. Doing it this way though, the keytab file doesn't seem to come into
>> play. Does this point to something in my keytab file being wrong?
>>
>> I did this:
>>
>> klist -ket postgres.keytab
>>
>> and got:
>>
>> KVNO Timestamp         Principal
>> ---- ----------------- --------------------------------------------------------
>>    3 12/31/69 19:00:00 POSTGRES/host.domain....@domain.com (DES cbc mode with RSA-MD5)
>>
>> That timestamp seems kinda funky, doesn't it? 12/31/69? That can't be
>> right, can it?
>>
>> Thanks again.
>>
>> Greig
>>
>> ----- Original Message -----
>> From: "Stephen Frost" <sfr...@snowman.net>
>> To: "Bryan Montgomery" <mo...@english.net>
>> Cc: greigw...@comcast.net, pgsql-general@postgresql.org
>> Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
>> Subject: Re: [GENERAL] GSS Authentication
>>
>> * Bryan Montgomery (mo...@english.net) wrote:
>> > I've been trying this as well off and on. In my case I'm not convinced
>> > the AD configuration is correct (And someone else manages that).
>>
>> Yeah, that can be a challenge.. but it's *definitely* possible to get
>> it set up and working correctly.
>>
>> > Can you use kinit with the key tab options to get a good response from
>> > the server? I think I should be able to do this ..
>> > $ kinit -V -k -t poe3b.keytab HTTP/poe3b.lab2k.net
>> > kinit(v5): Preauthentication failed while getting initial credentials
>>
>> err, I'm not sure that should be expected to work.
>>
>> What does klist -ek <keytab file> return? Also, you should be able to
>> kinit to *your* princ in the AD, and if you can do that, you should be
>> able to use your princ to request the service princ ticket from the KDC
>> by doing kinit -S HTTP/poe3b.lab2k.net your.princ
>>
>> Also, provided your *client* is set up/configured correctly, you should
>> be able to see that it acquires the ticket (by using klist) when you try
>> to connect to the server, even if the server is misconfigured.
>>
>> > I'd be interested to know if you get something different - and the steps
>> > you went through on the AD side.
>>
>> You have to create an account in Active Directory for the PG service and
>> then use:
>>
>> ktpass /princ POSTGRES/myserver.mydomain....@mydomain.com /mapuser
>> postg...@mydomain.com /pass mypass /crypto AES256-SHA1 /ptype
>> KRB5_NT_PRINCIPAL /out krb5.keytab
>>
>> Then copy that krb5.keytab to the server. Note that you then have to
>> adjust the server config to have service name set to POSTGRES, and
>> adjust clients using the environment variables to indicate they should
>> ask for POSTGRES (instead of the postgres default).
>>
>> Thanks,
>>
>> Stephen
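As an added example, not part of the thread above or of PostgreSQL itself, the following shell function checks a `klist -ket` listing for the three things this thread tripped over before any more time goes into kinit experiments: the principal's host part not matching the FQDN the client actually connects to (Bryan's fix), a DES key type (the weak path Greig enabled, where Stephen's `/crypto AES256-SHA1` is the one to prefer), and the zero timestamp Greig asked about (12/31/69 19:00:00 is the Unix epoch shown in US/Eastern; it only means no key creation time was recorded and is informational). The two listings, host names and realms are constructed placeholders modelled on the listing Greig posted, not output from anyone's real system.

```shell
#!/bin/sh
# Added example: sanity-check keytab entries before debugging GSSAPI logins
# any further. All names, realms and listings below are constructed.

# Constructed sample, modelled on the listing quoted in the thread (placeholder host/realm).
BAD_LISTING='Keytab name: FILE:postgres.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 12/31/69 19:00:00 POSTGRES/host.domain.com@DOMAIN.COM (DES cbc mode with RSA-MD5)
'

# Constructed sample of a keytab regenerated with /crypto AES256-SHA1 (placeholder host/realm).
GOOD_LISTING='Keytab name: FILE:krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 06/12/10 08:35:13 POSTGRES/dbhost.lab2k.net@LAB2K.NET (aes256-cts-hmac-sha1-96)
'

# check_keytab_entries LISTING SERVICE FQDN
#   LISTING  text of `klist -ket <keytab>`
#   SERVICE  service name the client is configured to request (postgres by default)
#   FQDN     host name the client connects to; after any canonicalization the Kerberos
#            library applies, it becomes the host part of the requested SERVICE/host
# Prints one finding per line; the exit status is the number of findings (0 = clean).
check_keytab_entries() {
    printf '%s\n' "$1" | awk -v service="$2" -v fqdn="$3" '
        # Entry lines start with a numeric KVNO; the header and rule lines do not.
        $1 ~ /^[0-9]+$/ {
            n++
            date = $2
            princ = $4
            # The key type is the text inside the trailing parentheses. It may contain
            # spaces ("DES cbc mode with RSA-MD5"), so cut it out of the whole line.
            enc = ($0 ~ /\(/) ? $0 : ""
            sub(/^[^(]*\(/, "", enc)
            sub(/\)[ \t]*$/, "", enc)
            # principal layout is service/host@REALM
            split(princ, p, "[/@]")
            if (p[1] != service) {
                print "entry " n ": service part is " p[1] ", client will request " service
                f++
            }
            if (p[2] != fqdn) {
                print "entry " n ": host part is " p[2] ", client will request " service "/" fqdn
                f++
            }
            # Realm names are case-sensitive; AD realms are the upper-cased DNS name.
            if (p[3] != toupper(p[3])) {
                print "entry " n ": realm " p[3] " is not upper case"
                f++
            }
            if (tolower(enc) ~ /des[ -]cbc|arcfour|rc4/) {
                print "entry " n ": weak key type \"" enc "\", regenerate with an AES type"
                f++
            }
            if (date == "12/31/69" || date == "01/01/70") {
                print "entry " n ": timestamp is the Unix epoch (no key creation time recorded)"
                f++
            }
        }
        END {
            if (n == 0) { print "no keytab entries found in listing"; f++ }
            exit (f > 255 ? 255 : f)
        }'
}

# Stand-alone demo over the constructed samples. Against a real keytab, use:
#   check_keytab_entries "$(klist -ket postgres.keytab)" POSTGRES "$(hostname -f)"
echo "-- listing as posted, client connecting to dbhost.lab2k.net:"
check_keytab_entries "$BAD_LISTING" POSTGRES dbhost.lab2k.net || echo "findings: $?"
echo "-- regenerated keytab, same client:"
check_keytab_entries "$GOOD_LISTING" POSTGRES dbhost.lab2k.net || echo "findings: $?"
```

Pass the host name exactly as it appears in the client's connection string, since that is what determines the service principal the client asks the KDC for; a short name such as `dbhost` is reported as a mismatch against a keytab cut for `dbhost.lab2k.net`. The service name the client requests comes from libpq's `krb_srvname` connection parameter or the `PGKRBSRVNAME` environment variable, which is the setting Stephen refers to when he says clients must be told to ask for POSTGRES rather than the default postgres.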