Hello,

I'm having trouble setting up Kerberos authentication with pgAdmin. I run pgAdmin in 
a Docker container and I'd like to use SPNEGO SSO to access pgAdmin. pgAdmin 
fails to authenticate the user and the error message is "Delegated credentials not 
supplied." It seems that the credentials do not contain the delegated part. Do you 
have any suggestion where the problem with my setup is? If you use Kerberos 
auth, could you please share your setup or just explain it a little bit?

We have KDC servers on Linux and there is a trust with Active Directory 
(we use Kerberos for many other services and it is working properly). I tried 
to connect from a PC where I'm logged in to the AD.

Docker container
Dockerfile
FROM dpage/pgadmin4:6.17

COPY krb5.conf /etc/krb5.conf
COPY config.py /pgadmin4/config.py

config.py changed variables (we have a reason to change the vars here)
AUTHENTICATION_SOURCES = ['kerberos','internal']
KRB_APP_HOST_NAME = 'fqdn of pgadmin'
KRB_KTNAME = '/var/lib/pgadmin/pgadmin.keytab'

krb5.conf
cat krb5-wsl.conf
[libdefaults]
clockskew = 18000
canonicalize = true
dns_canonicalize_hostname= false
rdns = false
default_realm = EXAMPLE.COM
default_keytab_name=/var/lib/pgadmin/pgadmin.keytab
dns_lookup_kdc = false
#ignore_acceptor_hostname = true
proxiable = true
realm_try_domains = 1

dns_lookup_realm = false
ticket_lifetime = 86400
renew_lifetime = 604800
forwardable = true
#default_tgs_enctypes = aes256-cts-hmac-sha1-96
#default_tkt_enctypes = aes256-cts-hmac-sha1-96
permitted_enctypes =  aes256-cts aes128-cts
udp_preference_limit = 1
kdc_timeout = 5000

[realms]
EXAMPLE.COM = {
kdc = kdc01.EXAMPLE.COM
kdc = kdc02.EXAMPLE.COM
admin_server = kdc01.EXAMPLE.COM
default_domain = EXAMPLE.COM
}
[domain_realm]
.EXAMPLE.COM=EXAMPLE.COM
EXAMPLE.COM = EXAMPLE.COM


pgadmin4/pgadmin/authenticate/kerberos.py

    def negotiate_start(self, in_token):
        svc_princ = gssapi.Name('HTTP@%s' % config.KRB_APP_HOST_NAME,
                                name_type=gssapi.NameType.hostbased_service)
        cname = svc_princ.canonicalize(gssapi.MechType.kerberos)

        try:
            server_creds = gssapi.Credentials(usage='accept', name=cname)
            context = gssapi.SecurityContext(creds=server_creds)
            out_token = context.step(base64.b64decode(in_token))
        except Exception as e:
            current_app.logger.exception(e)
            return False, e

        if out_token and not context.complete:
            return False, out_token
        if context.complete:
            deleg_creds = context.delegated_creds
            if not hasattr(deleg_creds, 'name'):
                error_msg = gettext('Delegated credentials not supplied.')
                current_app.logger.error(error_msg)
                return False, Exception(error_msg)
            try:
...


Thank you
Regards
Milanm
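For context on what "the delegated part" is: the acceptor's `context.delegated_creds` is populated only when the client's Kerberos authenticator checksum (RFC 4121, section 4.1.1.1) carries the DELEG flag plus a KRB-CRED with the forwarded TGT. The following is an added example, not code from pgAdmin or from this thread; it parses that checksum offline so you can see which side is missing the delegation (the KRB-CRED bytes below are a constructed placeholder, not a real ticket).

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Context flag values from RFC 2744, stored little-endian in the checksum.
GSS_C_DELEG_FLAG = 0x01
GSS_C_MUTUAL_FLAG = 0x02
GSS_C_REPLAY_FLAG = 0x04
GSS_C_SEQUENCE_FLAG = 0x08
GSS_C_CONF_FLAG = 0x10
GSS_C_INTEG_FLAG = 0x20


@dataclass
class GssChecksum:
    flags: int
    deleg_requested: bool
    krb_cred: Optional[bytes]  # raw KRB-CRED (forwarded TGT) when delegation is present


def parse_gss_checksum(data: bytes) -> GssChecksum:
    """Parse the RFC 4121 section 4.1.1.1 authenticator checksum (type 0x8003)."""
    if len(data) < 24:
        raise ValueError("checksum too short")
    (lgth,) = struct.unpack_from("<I", data, 0)  # Lgth: length of Bnd, always 16
    if lgth != 16:
        raise ValueError(f"unexpected Bnd length {lgth}")
    # data[4:20] is Bnd (MD5 of channel bindings); not needed for this check.
    (flags,) = struct.unpack_from("<I", data, 20)
    deleg = bool(flags & GSS_C_DELEG_FLAG)
    krb_cred = None
    if deleg:
        # DELEG flag set: DlgOpt (must be 1), Dlgth and the KRB-CRED follow.
        if len(data) < 28:
            raise ValueError("DELEG flag set but DlgOpt/Dlgth missing")
        dlg_opt, dlgth = struct.unpack_from("<HH", data, 24)
        if dlg_opt != 1:
            raise ValueError(f"unknown delegation option {dlg_opt}")
        krb_cred = data[28:28 + dlgth]
        if len(krb_cred) != dlgth:
            raise ValueError("truncated KRB-CRED")
    return GssChecksum(flags, deleg, krb_cred)


def build_gss_checksum(flags: int, krb_cred: bytes = b"") -> bytes:
    """Build a checksum for local testing; a real client fills Bnd and KRB-CRED."""
    out = struct.pack("<I", 16) + bytes(16) + struct.pack("<I", flags)
    if flags & GSS_C_DELEG_FLAG:
        out += struct.pack("<HH", 1, len(krb_cred)) + krb_cred
    return out


def explain(data: bytes) -> str:
    """Map the parsed checksum to what the pgAdmin acceptor will observe."""
    cs = parse_gss_checksum(data)
    if cs.deleg_requested and cs.krb_cred:
        return "client delegated credentials: delegated_creds will be set"
    return "no delegation in authenticator: 'Delegated credentials not supplied'"
```

If the client's token has no DELEG section, the fix is on the client side (forwardable TGT and the browser/AD policy allowing delegation to the HTTP SPN), not in pgAdmin's config.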
