Did you properly reconfigure your pg_hba.conf to accept kerberos auth for the user and network interfaces in question?
That file can be surprisingly fussy about its content. I would also check if the SELinux context was set correctly on the file. I see no mention of it in the article and it's one of the first things that comes into my mind that could trip you up. Running "fixfiles restore /var/lib/pgsql" should fix any missing SELinux context on the file and you can confirm it by running ls -lZ against the directory.

On Mon, Sep 30, 2013 at 10:26 AM, Gorbachev Ivan <[email protected]> wrote:
>
> I know about this article, and I made it like he did. But I can't connect to
> PostgreSQL =(((
>
> On Mon, Sep 30, 2013 at 6:21 PM, Rob Crittenden <[email protected]> wrote:
>>
>> Gorbachev Ivan wrote:
>>>
>>> Hi!
>>>
>>> Sorry for my English. Can you help me? I try to add PostgreSQL
>>> authentication to IPA.
>>>
>>> Server of IPA host name - server.my.domain.local
>>> database PostgreSQL host name - database.my.domain.local
>>>
>>> 1. pg_hba.conf – add record
>>>
>>> host all all 192.168.0.0/24 gss
>>>
>>>
>>> 2. postgresql.conf add records:
>>> # Kerberos and GSSAPI
>>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>> krb_srvname = 'postgres' # (Kerberos only)
>>>
>>> 3. Add PostgreSQL service:
>>> ipa service-add postgres/server.my.domain.local
>>>
>>> 4. Create keytab:
>>> ipa-getkeytab -s server.my.domain.local -p postgres/[email protected] -k /var/lib/pgsql/data/9.2/pg.keytab
>>>
>>> 5. Change owner:
>>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>
>>> 6. restart PostgreSQL service
>>>
>>> 7. Try to connect from database host:
>>> psql -h database.my.domain.local
>>>
>>> If I try – “psql -h database.my.domain.local” command, I have an error –
>>> “psql: FATAL: role "rembo" does not exist”
>>>
>>> If I try – “psql -h database.my.domain.local -U [email protected]”
>>> command, I have an error “psql: FATAL:
>>> GSSAPI authentication failed for user [email protected]"
>>>
>>>
>>> database.my.domain.local host’s authentication method – IPA.
>>
>>
>> Adam got IPA working with Postgres in OpenStack and wrote a blog post
>> about it:
>> http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
>>
>> The steps aren't directly comparable because he used Puppet. They look
>> largely the same to me, but I've never tried to set this up. It may be
>> helpful for you though.
>>
>> rob
>
>
> --
> With Best Regards
> Gorbachev Ivan
>
>
> _______________________________________________
> Freeipa-devel mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-devel
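
PostgreSQL uses the first pg_hba.conf record that matches the connection type, database, user and client address, so a `gss` record placed below a broader record is never reached. The following is an added example, not code from the thread: it parses a simplified pg_hba.conf (CIDR or `all` addresses, literal or `all` names only) and reports which record wins; the sample file, its `md5` record and the client address 192.168.0.15 are constructed assumptions.

```python
import ipaddress

# Constructed sample. The gss record is the one from the thread; the md5
# record above it is a hypothetical earlier entry that shadows it.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS         METHOD
local   all       all                   peer
host    all       all   127.0.0.1/32    ident
host    all       all   192.168.0.0/16  md5
host    all       all   192.168.0.0/24  gss
"""

def parse_hba(text):
    """Parse records; only CIDR or 'all' addresses are supported here."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue
        addr = f.pop(3) if f[0] != "local" else "all"  # local has no ADDRESS
        net = None if addr == "all" else ipaddress.ip_network(addr, strict=False)
        records.append({"line": lineno, "type": f[0], "db": f[1].split(","),
                        "user": f[2].split(","), "net": net, "method": f[3]})
    return records

def first_match(records, db, user, client_ip=None, ssl=False):
    """Return the first record matching the connection, as the server does."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    tcp_types = ("host", "hostssl" if ssl else "hostnossl")
    for r in records:
        if ip is None and r["type"] != "local":
            continue
        if ip is not None and (r["type"] not in tcp_types
                               or (r["net"] is not None and ip not in r["net"])):
            continue
        if {"all", db} & set(r["db"]) and {"all", user} & set(r["user"]):
            return r
    return None

def explain(text, db, user, client_ip):
    """Return (record that wins, first gss record that would have matched)."""
    records = parse_hba(text)
    gss = [r for r in records if r["method"] == "gss"]
    return first_match(records, db, user, client_ip), first_match(gss, db, user, client_ip)

if __name__ == "__main__":
    winner, gss = explain(SAMPLE_HBA, "rembo", "rembo", "192.168.0.15")
    print("used: line", winner["line"], winner["method"], "| gss record: line", gss["line"])
```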
