Thank you! And one more question: what does this error mean: "GSSAPI continuation error: No credentials found with supported encryption types"? This error appears when I try to log in from another computer within the IPA domain.
On Mon, Sep 30, 2013 at 7:58 PM, Alexander Bokovoy <[email protected]> wrote:

> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>
>> Should I add the role every time I add IPA users? For example, I have
>> one role for PostgreSQL, and after adding a new IPA user, should I add
>> a mapping for this new user? Or would it be made automatically?
>
> This is a PostgreSQL-specific question, nothing specific to IPA at all.
> The answer depends on your model of database access, since PostgreSQL
> users are not the same as system users -- you need to map them to each
> other. By default the mapping is 1:1, i.e. for each system user there
> should exist the same user entry in PostgreSQL.
>
> In general, if you have a single database user (or role) and want to
> allow multiple system-level users to access it, you need to supply user
> name maps: http://www.postgresql.org/docs/9.2/static/auth-username-maps.html
>
> In Adam's case I guess puppet's recipe automatically sets up a PostgreSQL
> user named 'keystone' and therefore a connection to PostgreSQL with
> principal 'keystone' matches it automatically.
>
>> On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <[email protected]> wrote:
>>
>>> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>>>
>>>> Hi!
>>>>
>>>> Sorry for my English. Can you help me? I am trying to add PostgreSQL
>>>> authentication to IPA.
>>>>
>>>> IPA server host name - server.my.domain.local
>>>> PostgreSQL database host name - database.my.domain.local
>>>>
>>>> 1. pg_hba.conf - add record:
>>>>
>>>>     host all all 192.168.0.0/24 gss
>>>>
>>>> 2. postgresql.conf - add records:
>>>>
>>>>     # Kerberos and GSSAPI
>>>>     krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>>>     krb_srvname = 'postgres'   # (Kerberos only)
>>>>
>>>> 3. Add PostgreSQL service:
>>>>
>>>>     ipa service-add postgres/server.my.domain.local
>>>>
>>>> 4. Create keytab:
>>>>
>>>>     ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.[email protected] -k /var/lib/pgsql/data/9.2/pg.keytab
>>>>
>>>> 5. Change owner:
>>>>
>>>>     chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>>
>>>> 6. Restart the PostgreSQL service.
>>>>
>>>> 7. Try to connect from the database host:
>>>>
>>>>     psql -h database.my.domain.local
>>>>
>>>> If I try the "psql -h database.my.domain.local" command, I get an error:
>>>> "psql: FATAL: role "rembo" does not exist"
>>>
>>> So authentication passes in this case but you don't have the proper role
>>> defined. Define a role called 'rembo'.
>>>
>>> See http://www.postgresql.org/docs/9.2/static/database-roles.html
>>>
>>>> If I try the "psql -h database.my.domain.local -U [email protected]"
>>>> command, I get the error "psql: FATAL: GSSAPI authentication failed for
>>>> user [email protected]"
>>>>
>>>> The database.my.domain.local host's authentication method is IPA.
>>>>
>>>> This is the PostgreSQL log:
>>>>
>>>>     DEBUG: InitPostgres
>>>>     DEBUG: my backend ID is 1
>>>>     DEBUG: StartTransaction
>>>>     DEBUG: checkpointer updated shared memory configuration values
>>>>     DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>>     DEBUG: CommitTransaction
>>>>     DEBUG: name: unnamed; blockState: STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>>     DEBUG: forked new backend, pid=17203 socket=11
>>>>     DEBUG: postmaster child[17203]: starting with (
>>>>     DEBUG: postgres
>>>>     DEBUG: [email protected]
>>>>     DEBUG: )
>>>>     DEBUG: InitPostgres
>>>>     DEBUG: my backend ID is 2
>>>>     DEBUG: StartTransaction
>>>>     DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>>     DEBUG: Processing received GSS token of length 654
>>>>     DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags: 1b2
>>>>     DEBUG: sending GSS response token of length 156
>>>>     DEBUG: sending GSS token of length 156
>>>>     LOG: provided user name ([email protected]) and authenticated user name (rembo) do not match
>>>
>>> You have this issue because your username and mapped name do not match.
>>>
>>> --
>>> / Alexander Bokovoy
>>
>> --
>> With Best Regards
>> Gorbachev Ivan
>
> --
> / Alexander Bokovoy

--
With Best Regards
Gorbachev Ivan
_______________________________________________
Freeipa-devel mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-devel
