Environment:

VM - FreeIPA providing LDAP/Kerberos (FreeIPA 4.10.0) on Rocky Linux 9.1
VM - Rocky Linux 9.1 as Docker Host
  -- PGADMIN (Container) 6.15
VM - Rocky Linux 9.1 providing Postgres 15

From an IPA joined client Kerberos SSO works to the PGAdmin container (no extra login prompt).

From an IPA joined client with psql installed I can connect to Postgres using Kerberos. I see the "GSSAPI - Encrypted connection" in the connection.

When I attempt to connect with the same account from the PGAdmin web application I receive the following error in the web interface:

"GSSAPI continuation error. No credentials were supplied, or the credentials were unavailable or inaccessible. No Kerberos credentials available.(Default cache: FILE:/tmp/krb5cc_5050)"

On Postgres I checked the logs and it looks like the right user is being sent... but not authenticated:

    2023-04-11 13:31:53.364 +07 [3858] FATAL: GSSAPI authentication failed for user "a01-6"
    2023-04-11 13:31:53.364 +07 [3858] DETAIL: Connection matched pg_hba.conf line 91: "host all all 192.168.1.0/24 gss include_realm=0 krb_realm=MY.LAB"

Initially I thought it might be the typical Kerberos double-hop issue with Kerberos delegation and I found the following article on Kerberos delegation:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_and_managing_identity_management/assembly_using-constrained-delegation-in-idm_configuring-and-managing-idm#con_constrained-delegation-in-identity-management_assembly_using-constrained-delegation-in-idm

I configured the delegation (First time in the Linux world I've done this so maybe it's wrong?) using:

    ipa servicedelegationtarget-add
    ipa servicedelegationtarget-add-member
    ipa servicedelegationrule-add
    ipa servicedelegationrule-add-member
    ipa servicedelegationrule-add-target

Then rebooted everything, but same results.

Is there a way in the PGAdmin container to turn up logging to see what's happening?

Thanks,
Greg