Hi, now we have this keytab
klist -kt pgadmin.keytab -e Keytab name: FILE:pgadmin.keytab KVNO Timestamp Principal ---- ------------------- ------------------------------------------------------ 5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com> (des-cbc-crc) 5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.>EXAMPLE.COM (des-cbc-md5) 5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1. EXAMPLE.COM <mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.%20EXAMPLE.COM%20> (arcfour-hmac) 5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1. EXAMPLE.COM <mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.%20EXAMPLE.COM%20> (aes256-cts-hmac-sha1-96) 5 01/01/1970 01:00:00 HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1. EXAMPLE.COM <mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com@AWS-AD-EE1.%20EXAMPLE.COM%20> (aes128-cts-hmac-sha1-96) To krb5.conf I've added permitted_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha384-192 aes128-cts-hmac-sha256-128 des3-cbc-sha1 arcfour-hmac-md5 camellia256-cts-cmac camellia128-cts-cmac but the error is the same 2023-01-09 12:00:30,045: DEBUG pgadmin: Authentication initiated via source: kerberos 2023-01-09 12:00:30,073: ERROR pgadmin: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error Traceback (most recent call last): File "/pgadmin4/pgadmin/authenticate/kerberos.py", line 237, in negotiate_start out_token = context.step(base64.b64decode(in_token)) File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun return caller(func, *(extras + args), **kw) File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 165, in check_last_err return func(self, *args, **kwargs) File "/venv/lib/python3.10/site-packages/decorator.py", line 232, in fun return caller(func, *(extras + args), **kw) File "/venv/lib/python3.10/site-packages/gssapi/_utils.py", line 131, in catch_and_return_token return func(self, *args, **kwargs) File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 582, in step return self._acceptor_step(token=token or b"") File "/venv/lib/python3.10/site-packages/gssapi/sec_contexts.py", line 590, in _acceptor_step res = rsec_contexts.accept_sec_context(token, self._creds, File "gssapi/raw/sec_contexts.pyx", line 270, in gssapi.raw.sec_contexts.accept_sec_context gssapi.raw.exceptions.BadMechanismError: Major (65536): An unsupported mechanism was requested, Minor (0): Unknown error milanm From: Khushboo Vashi <khushboo.va...@enterprisedb.com> Sent: Monday, January 9, 2023 11:03 AM To: Milan MOLNÁR <milan_mol...@tatrabanka.sk> Cc: pgadmin-supp...@postgresql.org Subject: Re: pgadmin kerberos auth propblem - Delegated credentials not supplied. [EXTERNÝ E-MAIL] Tento e-mail prichádza z prostredia mimo Tatra banka Group. On Mon, Jan 9, 2023 at 3:15 PM Milan MOLNÁR <milan_mol...@tatrabanka.sk<mailto:milan_mol...@tatrabanka.sk>> wrote: Hi, here is the command how the keytab has been regenerated. Unfortunatelly it did not helped. ktpass -out pgadmin-dev-ad-ee1.keytab -mapUser pgadmin-...@aws-ad-ee1.example.com<mailto:pgadmin-...@aws-ad-ee1.example.com> +rndPass -mapOp set +DumpSalt -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -princ HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example.com.sk@AWS-AD-EE1>. EXAMPLE.COM<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fexample.com%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=WPFzRz6YqfWiY5EYL%2FzU0J22Xun9krPXrmgJ8xoeSFo%3D&reserved=0> Targeting domain controller: IP-C6130167.aws-ad-ee1.example.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fip-c6130167.aws-ad-ee1.example.com%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=n%2BafWlMs1dMFT4m0NNwwBtXZ%2B82cR0z%2BSXVp03SYOlU%3D&reserved=0> Successfully mapped HTTP/pgadmin-dev.aws-ad-ee1.example.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpgadmin-dev.aws-ad-ee1.example.com%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3ssIKqhI3MzC98R0lxiykapMpivWSzVuFGmp6QRoQQE%3D&reserved=0> to pgadmin-dev. Password successfully set! Building salt with principalname HTTP/pgadmin-dev.aws-ad-ee1.example.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Fpgadmin-dev.aws-ad-ee1.example.com%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=3ssIKqhI3MzC98R0lxiykapMpivWSzVuFGmp6QRoQQE%3D&reserved=0> and domain AWS-AD-EE1.EXAMPLE.COM.SK<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Faws-ad-ee1.example.com.sk%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=2DUHIIwjoDSppGpWDSnB6Lhtae9twB8XFOsr%2Bo3fNeU%3D&reserved=0> (encryption type 18)... Hashing password with salt "AWS-AD-EE1.EXAMPLE.COMHTTPpgadmin-dev.aws-ad-ee1.example.com<https://eur03.safelinks.protection.outlook.com/?url=http%3A%2F%2Faws-ad-ee1.example.comhttppgadmin-dev.aws-ad-ee1.example.com%2F&data=05%7C01%7Ciskamomi%40rbinternational.onmicrosoft.com%7Ca1f00eb0a989409a351408daf228c022%7C9b511fdaf0b143a5b06e1e720f64520a%7C0%7C0%7C638088554090209653%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HQiRAs77Gobe35SF02s0xyNb7fPmJPPnJUpzwYCPzsA%3D&reserved=0>". Key created. Output keytab to pgadmin-dev-ad-ee1.keytab: Keytab version: 0x502 keysize 117 HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com<mailto:HTTP/pgadmin-dev.aws-ad-ee1.example....@aws-ad-ee1.example.com> ptype 1 (KRB5_NT_PRINCIPAL) vno 4 etype 0x12 (AES256-SHA1) keylength 32 (0x65c0f02ddea2d866d2e792cd125ff1784aa646bb0035ebd2c5fedf7282c7c384) C:\Users\Admin> Do you have any another advice how to find out where is the problem? This is something to do with the keytab file. Can you try applying all the encryptions (-crypto all) while creating the keytab file, just for testing ? Thank you milanm ________________________________________________________________________ Informácie obsiahnuté v tomto dokumente sú určené výlučne pre potreby jeho adresáta. Dokument môže obsahovať informácie chránené bankovým alebo obchodným tajomstvom alebo informácie podliehajúce ochrane podľa iných právnych predpisov. V prípade, že Vám bol tento dokument doručený omylom, vyzývame Vás, aby ste sa zdržali odtajnenia alebo použitia pre vlastnú potrebu. Zároveň si Vás dovoľujeme požiadať, aby ste nás o takomto prípade bez zbytočného odkladu informovali a následne dokument zlikvidovali. The information contained in this document is intended exclusively for the needs of its addressee. The document may contain information protected by banking or trade secrets or information subject to protection under other legal regulations. In the event that this document was delivered to you by mistake, we urge you to refrain from declassifying it or using it for your own purposes. At the same time, we would like to request that you inform us of such a case without undue delay and then dispose of the document. Tatra banka, a.s. Hodžovo námestie 3, 811 06 Bratislava 1 IČO: 00 686 930 Zapísaná v obchodnom registri Okresného sudu Bratislava I Oddiel: Sa, vložka číslo: 71/B https://www.tatrabanka.sk
