On Fri, Apr 18, 2008 at 12:43 PM, Peter Koczan <[EMAIL PROTECTED]> wrote:
> On Thu, Apr 17, 2008 at 11:40 AM, Peter Koczan <[EMAIL PROTECTED]> wrote:
>  > Hi all,
>  >
>  >  I just upgraded one of my servers and I'm having a bit of trouble
>  >  getting some of the kerberos authentication bits working.
>  >  Specifically, any Kerberos instance run out of a v5srvtab doesn't work
>  >  so well. Using stashed tickets or normal principals worked fine.
>  >  Gritty details follow.
>  >
>  >  Peter
>  >
>  >  Here are details from the specific v5srvtab's...
>  >  [EMAIL PROTECTED] postgres]# klist -k -t /etc/v5srvtab.wsbackup
>  >  Keytab name: FILE:/etc/v5srvtab.wsbackup
>  >  KVNO Timestamp         Principal
>  >  ---- ----------------- --------------------------------------------------------
>  >   13 12/20/07 15:56:11 wsbackup/[EMAIL PROTECTED]
>
>  Here's what happens when I do this (it's on a different machine but
>  it's the same mechanism).
>
>  [EMAIL PROTECTED] ~ $ su - wsbackup
>  ator(1)% kinit -f -k -t /etc/v5srvtab.wsbackup -l 1d wsbackup/[EMAIL PROTECTED]
>  ator(2)% klist
>  Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_28528
>  Default principal: wsbackup/[EMAIL PROTECTED]
>
>  Valid starting     Expires            Service principal
>  04/18/08 12:25:00  04/19/08 12:25:00  krbtgt/[EMAIL PROTECTED]
>
>
>  Kerberos 4 ticket cache: /tmp/tkt28528
>  klist: You have no tickets cached

One more thing to note, I said before that stashed tickets and login
principals "just work." Here might be something...

[EMAIL PROTECTED] koczan $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_ZtKJNK
Default principal: [EMAIL PROTECTED]
...

[EMAIL PROTECTED] ~]# export KRB5CCNAME=/var/adm/krb5/tmp/stash/krb5cc_25555.stash
[EMAIL PROTECTED] ~]# klist
Ticket cache: FILE:/var/adm/krb5/tmp/stash/krb5cc_25555.stash
Default principal: [EMAIL PROTECTED]
...

They don't contain hostname data in the default principal like the
keytab principal does, and yet they both connect fine. There could be
something to this, but I don't know what, or how to take advantage of
it.

Peter

-- 
Sent via pgsql-admin mailing list ([email protected])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
