On Mon, Jan 9, 2023 at 3:15 PM Milan MOLNÁR <milan_mol...@tatrabanka.sk> wrote:
> Hi,
>
> here is the command how the keytab has been regenerated. Unfortunately
> it did not help.
>
> ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-...@aws-ad-ee1.example.com +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1. EXAMPLE.COM
> Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com
> Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com to pgadmin-dev.
> Password successfully set!
> Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com and domain AWS-AD-EE1.EXAMPLE.COM.SK (encryption type 18)...
> Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com".
> Key created.
> Output keytab to pgadmin-dev-ad-ee1.keytab:
> Keytab version: 0x502
> keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384)
>
> C:\Users\Admin>
>
> Do you have any other advice on how to find out where the problem is?

This is something to do with the keytab file. Can you try applying all the
encryptions (-crypto all) while creating the keytab file, just for testing?

> Thank you
>
> milanm
>
> From: Khushboo Vashi <khushboo.va...@enterprisedb.com>
> Sent: Monday, January 9, 2023 7:11 AM
> To: Milan MOLNÁR <milan_mol...@tatrabanka.sk>
> Cc: pgadmin-supp...@postgresql.org
> Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied.
>
> Hi,
>
> On Sat, Jan 7, 2023 at 3:53 PM Milan MOLNÁR <milan_mol...@tatrabanka.sk> wrote:
>
> Hello Khushboo,
>
> thank you for your time and advice.
> We had to change the concept based on your recommendation, because as I
> wrote, we used an external KDC on Linux to provide the krb ticket for the
> service and therefore there was not any user on AD.
>
> We created a service user account on the AD (password never expires, AES
> 128/256 encryption), set the service SPN to that user, and generated the
> keytab via the ktpass command. When we use pgadmin to use this keytab and
> ask AD directly for a kerberos ticket we ended with the error message
>
> Have you used any encryption type while creating the keytab? As it should
> match with the AD user account.
>
> If possible please provide the command you have used to create the keytab
> file.
>
> Make sure to generate the new keytab whenever you make changes to the AD user.
>
> Thanks,
> Khushboo
>
> Tatra banka, a.s.