On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
Hi!

Sorry for my English. Can you help me? I am trying to add PostgreSQL
authentication to IPA.

IPA server host name - server.my.domain.local
PostgreSQL database host name - database.my.domain.local

1.    pg_hba.conf – add record

host    all        all        192.168.0.0/24        gss

2.    postgresql.conf add records:
# Kerberos and GSSAPI
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
krb_srvname = 'postgres'        # (Kerberos only)

3.    Add PostgreSQL service:
ipa service-add postgres/server.my.domain.local

4.    Create keytab:
ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k /var/lib/pgsql/data/9.2/pg.keytab

5.    Change owner:
chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab

6.    Restart the PostgreSQL service

7.    Try to connect from the database host:
psql -h database.my.domain.local

If I try the “psql -h database.my.domain.local” command, I get an error:
“psql: FATAL:  role "rembo" does not exist”
So authentication passes in this case, but you don't have a proper role
defined. Define a role called 'rembo'.

See http://www.postgresql.org/docs/9.2/static/database-roles.html


If I try the “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
command, I get an error: “psql: FATAL:  GSSAPI authentication failed for
user "rembo@MY.DOMAIN.LOCAL"”

The database.my.domain.local host's authentication method is IPA.

This is the PostgreSQL log:
DEBUG:  InitPostgres
DEBUG:  my backend ID is 1
DEBUG:  StartTransaction
DEBUG:  checkpointer updated shared memory configuration values
DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG:  CommitTransaction
DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG:  forked new backend, pid=17203 socket=11
DEBUG:  postmaster child[17203]: starting with (
DEBUG:    postgres
DEBUG:    rembo@MY.DOMAIN.LOCAL
DEBUG:  )
DEBUG:  InitPostgres
DEBUG:  my backend ID is 2
DEBUG:  StartTransaction
DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
xid/subid/cid: 0/1/0, nestlvl: 1, children:
DEBUG:  Processing received GSS token of length 654
DEBUG:  gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags: 1b2
DEBUG:  sending GSS response token of length 156
DEBUG:  sending GSS token of length 156
LOG:  provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user name (rembo) do not match
You have this issue because your username and mapped name do not match.


--
/ Alexander Bokovoy

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel
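The "provided user name ... and authenticated user name ... do not match" line in the log above comes from the last step of GSSAPI auth in PostgreSQL: after the Kerberos exchange succeeds, the server compares the principal it authenticated against the role the client asked for, after applying the pg_hba.conf options include_realm (default 0 in the 9.2 release discussed here, so the realm is stripped), krb_realm and map, plus any pg_ident.conf map. The following is an added example, not code from PostgreSQL, FreeIPA or the thread; it is a small model of that check written from the documented behaviour (case-sensitive comparison assumed). It reproduces the thread's failure, shows the two ways out (ask for the bare role name, or keep the realm and map it with pg_ident.conf), and goes beyond the thread to show the security caveat of the original `host all all 192.168.0.0/24 gss` line: with no krb_realm and the realm stripped, a principal `rembo` from any realm the KDC trusts is accepted as the PostgreSQL role `rembo`. The map name `ipa`, the regex and the `OTHER.REALM` principal are assumptions made for the example.

```python
import re

# Constructed model of PostgreSQL 9.2's post-GSSAPI user-name check.
# Added example; not PostgreSQL's own code.

HBA_DEFAULTS = {"include_realm": "0", "krb_realm": "", "map": ""}


def parse_hba_options(options):
    """Parse the trailing 'key=value ...' options of a pg_hba.conf gss line."""
    opts = dict(HBA_DEFAULTS)
    for token in options.split():
        key, sep, value = token.partition("=")
        if not sep or key not in opts:
            raise ValueError("unsupported gss option: %s" % token)
        opts[key] = value
    return opts


def parse_ident(text):
    """Parse pg_ident.conf text into (mapname, system_user, pg_role) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            mapname, system_user, pg_role = line.split()
            rules.append((mapname, system_user, pg_role))
    return rules


def map_allows(rules, mapname, system_user, pg_role):
    """True if some rule of `mapname` lets system_user log in as pg_role."""
    for name, pattern, role in rules:
        if name != mapname:
            continue
        if pattern.startswith("/"):
            # Regular-expression rule; "\1" in the role is the first capture group.
            m = re.search(pattern[1:], system_user)
            if not m:
                continue
            if "\\1" in role:
                role = role.replace("\\1", m.group(1))
        elif pattern != system_user:
            continue
        if role == pg_role:
            return True
    return False


def check_gss_user(hba_options, ident_rules, principal, requested_role):
    """Return (accepted, reason) for a principal that already passed GSSAPI."""
    opts = parse_hba_options(hba_options)
    user, sep, realm = principal.rpartition("@")
    if opts["krb_realm"]:
        if not sep:
            return False, "GSSAPI did not return realm but realm matching was requested"
        if realm != opts["krb_realm"]:
            return False, "GSSAPI realm (%s) and configured realm (%s) don't match" % (
                realm, opts["krb_realm"])
    # include_realm=0 strips the realm before the name reaches the usermap.
    authenticated = principal if opts["include_realm"] == "1" else (user if sep else principal)
    if opts["map"]:
        if map_allows(ident_rules, opts["map"], authenticated, requested_role):
            return True, "mapped %s to role %s via map %s" % (authenticated, requested_role, opts["map"])
        return False, "no match in usermap %s for user %s authenticated as %s" % (
            opts["map"], requested_role, authenticated)
    if authenticated == requested_role:
        return True, "role %s accepted" % requested_role
    return False, "provided user name (%s) and authenticated user name (%s) do not match" % (
        requested_role, authenticated)


# Constructed sample configs: the thread's bare `gss` line, and a pinned variant.
LOOSE_HBA = ""                                               # host all all 192.168.0.0/24 gss
STRICT_HBA = "include_realm=1 krb_realm=MY.DOMAIN.LOCAL map=ipa"
IDENT_CONF = """
# MAPNAME  SYSTEM-USERNAME                        PG-USERNAME   (assumed map)
ipa        /^([a-z0-9._-]+)@MY\\.DOMAIN\\.LOCAL$   \\1
"""
RULES = parse_ident(IDENT_CONF)

if __name__ == "__main__":
    cases = [
        (LOOSE_HBA, "rembo@MY.DOMAIN.LOCAL", "rembo@MY.DOMAIN.LOCAL"),  # the thread's failure
        (LOOSE_HBA, "rembo@MY.DOMAIN.LOCAL", "rembo"),                  # -U rembo works by default
        (LOOSE_HBA, "rembo@OTHER.REALM", "rembo"),                      # caveat: any realm maps to rembo
        (STRICT_HBA, "rembo@MY.DOMAIN.LOCAL", "rembo"),                 # realm pinned and mapped
        (STRICT_HBA, "rembo@OTHER.REALM", "rembo"),                     # foreign realm rejected
    ]
    for hba, principal, role in cases:
        print("%-52s %-24s -> %-22s %s" % (hba or "(no options)", principal, role,
                                           check_gss_user(hba, RULES, principal, role)))
```

Running it prints one line per case; the first reproduces the log message from the thread, the second is what `psql -U rembo` would get (subject to the role existing, which is the other error in the thread), and the third is why a production pg_hba.conf line should carry krb_realm (or include_realm=1 with a map that anchors the realm) rather than the bare `gss` keyword.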
