Should I add the role every time I add IPA users? For example, I have one role for PostgreSQL, and after adding a new IPA user, should I add a mapping for this new user? Or would it be made automatically?

On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>
>> Hi!
>>
>> Sorry for my English. Can you help me. I try to add PostgreSQL
>> authentication to IPA.
>>
>> Server of IPA host name - server.my.domain.local
>> database PostgreSQL host name - database.my.domain.local
>>
>> 1. pg_hba.conf – add record
>>
>> host all all 192.168.0.0/24 gss
>>
>> 2. postgresql.conf add records:
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>> krb_srvname = 'postgres' # (Kerberos only)
>>
>> 3. Add PostgreSQL service:
>> ipa service-add postgres/server.my.domain.local
>>
>> 4. Create keytab:
>> ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.[email protected] -k /var/lib/pgsql/data/9.2/pg.keytab
>>
>> 5. Change owner:
>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>
>> 6. restart PostgreSQL service
>>
>> 7. Try to connect from database host:
>> psql -h database.my.domain.local
>>
>> If I try – “psql -h database.my.domain.local” command, I have an error –
>> “psql: FATAL: role "rembo" does not exist”
>>
> So authentication passes in this case but you don't have proper role
> defined. Define a role called 'rembo'.
>
> See
> http://www.postgresql.org/docs/9.2/static/database-roles.html
>
>> If I try –“ psql -h database.my.domain.local -U [email protected]”
>> command, I have an error “psql: FATAL: GSSAPI authentication failed for
>> user [email protected]"
>>
>> database.my.domain.local host’s authentication method – IPA.
>>
>> This is PostgreSQL log:
>> DEBUG: InitPostgres
>> DEBUG: my backend ID is 1
>> DEBUG: StartTransaction
>> DEBUG: checkpointer updated shared memory configuration values
>> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG: CommitTransaction
>> DEBUG: name: unnamed; blockState: STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG: forked new backend, pid=17203 socket=11
>> DEBUG: postmaster child[17203]: starting with (
>> DEBUG: postgres
>> DEBUG: [email protected]
>> DEBUG: )
>> DEBUG: InitPostgres
>> DEBUG: my backend ID is 2
>> DEBUG: StartTransaction
>> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG: Processing received GSS token of length 654
>> DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags: 1b2
>> DEBUG: sending GSS response token of length 156
>> DEBUG: sending GSS token of length 156
>> LOG: provided user name ([email protected]) and authenticated user name (rembo) do not match
>>
> You have this issue because your username and mapped name do not match.
>
> --
> / Alexander Bokovoy

--
With Best Regards
Gorbachev Ivan

_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
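
The two failures in the thread, reproduced as an added example (not code from the thread or from PostgreSQL): a simplified Python model of the user-name check behind a `gss` line in pg_hba.conf, assuming the realm is stripped unless `include_realm` is enabled and that a `pg_ident.conf` map may use a regular expression with `\1`. The realm `EXAMPLE.REALM`, the map name `ipa` and all function names are constructed for illustration.

```python
import re

# Constructed sample: realm and map name are placeholders, not values from the thread.
IDENT = r"""
# MAPNAME  SYSTEM-USERNAME           PG-USERNAME
ipa        /^(.*)@EXAMPLE\.REALM$    \1
"""

def authenticated_name(principal, include_realm):
    """Name the server compares: the full principal, or the part before '@'."""
    return principal if include_realm else principal.partition("@")[0]

def parse_ident(text):
    """Parse pg_ident.conf-style lines into (map, system_user, pg_user) tuples."""
    rows = (line.split("#", 1)[0].split() for line in text.splitlines())
    return [tuple(r) for r in rows if len(r) == 3]

def map_allows(rows, mapname, auth_name, role):
    """True if auth_name may connect as role under the named map."""
    for name, system_user, pg_user in rows:
        if name != mapname:
            continue
        if system_user.startswith("/"):          # leading slash: regular expression
            m = re.search(system_user[1:], auth_name)  # Python re stands in for POSIX regex
            if not m:
                continue
            if m.groups():
                pg_user = pg_user.replace(r"\1", m.group(1))
        elif system_user != auth_name:
            continue
        if pg_user == role:
            return True
    return False

def connect(principal, role, roles, include_realm=False, mapname=None, ident=""):
    """Return 'ok' or the failure a client would hit, in the order the server checks."""
    name = authenticated_name(principal, include_realm)
    if mapname is None:
        if name != role:                          # no map: names must be identical
            return f"provided user name ({role}) and authenticated user name ({name}) do not match"
    elif not map_allows(parse_ident(ident), mapname, name, role):
        return f"no match in map {mapname} for {name} as {role}"   # constructed wording
    if role not in roles:                         # authentication passed; role lookup is separate
        return f'role "{role}" does not exist'
    return "ok"
```

In this model a single regular-expression map line covers every principal in the realm, while the role check stays a separate step: a principal that maps cleanly is still refused until a role of that name exists in the database.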
