I am trying to get postgres and kerberos, via GSSAPI, working together. Having trouble at this point. It does not help that I am really a newbie for both technologies. I have both postgres and kerberos working as expected separately, and am using them both (but not together).
I found instructions here: postressql-and-kerberos, and have not really found anything that explains it in greater detail.
I set these two lines in my postgresql.conf file:
krb_server_keyfile = '/var/lib/pgsql/data/krb5.keytab'
krb_srvname = 'postgres'
I have verified that this is correct by running a 'kinit -kt' with that information. I added these two entries in my pg_hba.conf file:
# TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.0.1.0/24 gss include_realm=0 krb_realm=HOTDOG.REALM.COM
I restart the server and try to connect via a remote client...
kinit freddyboy
<enter password>
This is successful, and I can see the detail if I do a 'klist'.
Then I try to connect to postgres, via:
psql -l -h postgresserver.hotdog.com
I get an error stating:
pgql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
If I look at the server log file (postgresql-Tue.log)... all I see is "FATAL: GSSAPI authentication failed for user "fred"".
Well, 'fred' is my linux logon... "freddyboy" is my user principal. So, it seems like the postgresql client is not sending the kerberos authentication as it should. I have tried to send the user:
psql -l -h postgresserver.hotdog.com -U freddyboy
The log file now says "GSSAPI authentication failed for user "freddyboy"", but it is, obviously, still failing. I have a postgres user of 'freddyboy' that owns some databases. I can login locally fine, without GSSAPI, but cannot seem to get in remotely and securely.
I am suspicious that nowhere on my client have I specified that I want to use GSSAPI. Since this is just a client, the conf files are not present... so that could be an issue, I guess.
One more point, the kerberos server is Active Directory. I have seen some indications that the principal should be UPPERCASE. I have tried making the service principal ("POSTGRES") and my user principal "FREDDYBOY", but still no love.
Any assistance greatly appreciated. I am using Postgres 8.4.13 on client and server.
Fred
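
The client-side message "Server not found in Kerberos database" is the KDC reporting that it has no entry for the service principal the client asked for. As an added example (not part of the original post or of PostgreSQL), this Python check derives the principal a libpq client requests for a given host and compares it with the entries that `klist -k` lists for the server keytab; the keytab listing, realm pairing and function names are constructed assumptions.

```python
import re

# Constructed sample of `klist -k /var/lib/pgsql/data/krb5.keytab` output.
# The post does not show the real keytab contents; this entry is an assumption.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/lib/pgsql/data/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 postgres/postgresserver@HOTDOG.REALM.COM
"""

def expected_spn(host, realm, srvname="postgres"):
    """Service principal a libpq client requests: <krbsrvname>/<host>@<REALM>.
    Assumes DNS canonicalization does not rewrite the host name."""
    return f"{srvname}/{host}@{realm}"

def keytab_principals(klist_output):
    """Collect principals from `klist -k` text (data lines: '<KVNO> <principal>')."""
    found = set()
    for line in klist_output.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)\s*$", line)
        if m:
            found.add(m.group(1))
    return found

def diagnose(host, realm, klist_output, srvname="postgres"):
    """Return (verdict, wanted_principal) for the host the client connects to."""
    want = expected_spn(host, realm, srvname)
    have = keytab_principals(klist_output)
    if want in have:
        return "match", want
    # Same principal apart from letter case: PostgreSQL compares exactly.
    if any(p.lower() == want.lower() for p in have):
        return "case-mismatch", want
    # Service name present, but keyed to another host (short name vs FQDN).
    if any(p.startswith(srvname + "/") for p in have):
        return "host-mismatch", want
    return "missing", want

if __name__ == "__main__":
    verdict, want = diagnose("postgresserver.hotdog.com", "HOTDOG.REALM.COM",
                             SAMPLE_KLIST)
    print(f"client will request {want}: {verdict}")
```

On a real server, feed it the actual output of `klist -k` for the file named in `krb_server_keyfile`, and use the exact host name passed to `psql -h`.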