Hi, I'm trying to set up Kerberos authentication in PostgreSQL 8.1.18 on CentOS, but I have a problem.

I set up postgresql.conf as below:

krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/s...@example.com'
krb_server_hostname = 'star'    # empty string matches any keytab entry
krb_caseins_users = off

(star is the localhost IP, but in hosts.conf I configure it like: 213.233.169.93 star)

Then hba.conf:

host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5

When I want to connect to PostgreSQL, it gives an error:

# kinit frank
[r...@star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)

Both the PostgreSQL server and the krb-server are on the same system. Where is it wrong? Please help me.

On Sat, Oct 17, 2009 at 12:42 AM, Geoff Tolley <geoff.tol...@yougov.com> wrote:

> Hi Rahimeh,
>
> Is PG on the same box as the kadmind?
>
> rahimeh khodadadi wrote:
>
>> Has nobody ever worked with krb5 in PostgreSQL?
>>
>> On 10/12/09, rahimeh khodadadi <rahimeh.khodad...@gmail.com> wrote:
>>
>>> nobody could help me?
>>>
>>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <rahimeh.khodad...@gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> after compiling postgresql --with-krb5 and setting up the krb5-server
>>>> in centos, I configured the *postgresql.conf* as below:
>>>>
>>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>>> *krb_srvname = 'POSTGRES'*    # (Kerberos only)
>>>> #krb_caseins_users = off
>>>>
>
> I like to specify my krb_server_hostname explicitly here.
>
>>>> and my *pg_hba.conf* is:
>>>>
>>>> # "local" is for Unix domain socket connections only
>>>> local all postgres trust
>>>> # IPv4 local connections:
>>>> host all *frank* 0.0.0.0/0 krb5
>>>> #host all all 127.0.0.1/32 trust
>>>> # IPv6 local connections:
>>>> host all all ::1/128 trust
>>>>
>>>> and kdc.conf:
>>>>
>>>> [kdcdefaults]
>>>> v4_mode = nopreauth
>>>> kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> #master_key_type = des3-hmac-sha1
>>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>> dict_file = /usr/share/dict/words
>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>
>
> If this is the same machine as PG, I'm not sure why you have the same file
> here as for the keytab to keep the PG service principal in. My manpage for
> kdc.conf says that admin_keytab specifies the keytab to be used by kadmin to
> authenticate to the database, so really shouldn't be kept very distinct from
> the keytab with the PG service principal.
>
>>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>>>> des-cbc-crc:afs3
>>>> }
>>>>
>>>> Then, I created the user frank as:
>>>>
>>>> kadmin.local
>>>> Authenticating as principal rahimeh/ad...@example.com with password.
>>>> kadmin.local: * ank frank*
>>>> WARNING: no policy specified for fr...@example.com; defaulting to no policy
>>>> Enter password for principal "fr...@example.com":
>>>> Re-enter password for principal "fr...@example.com":
>>>>
>>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc mode
>>>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>
>
> But for PG you'll need a keytab with the service principal you've defined
> to be POSTGRES/<hostname>@EXAMPLE.COM in it.
>
>>>> Finally, it gives an error like:
>>>>
>>>> [r...@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>>> Password for fr...@example.com:
>>>> *kinit(v5): Password incorrect while getting initial credentials*
>>>>
>
> I've never had much joy myself when getting tickets from a -t keytab, I
> usually just kinit and enter a password instead.
>
>>>> or
>>>>
>>>> in cmd, when I run this instruction, the below error is shown.
>>>>
>>>> [r...@localhost bin]# ./psql -h 127.0.0.1 -U frank
>>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>>>
>
> To construct the service principal the library takes the -h argument,
> then gets the A record for it (if applicable), then gets the PTR record for
> the A record to get the hostname for the service principal name (unless
> you're using Windows I have found, in which case it just stops and takes the
> originally given hostname if an A record exists). Just use a non-127
> address instead, it'll make things a lot easier to keep straight. For that
> matter, /etc/hostname and /etc/resolv.conf would be good to see too because
> of their importance here.
>
> HTH,
> Geoff
>
> ---------
> Geoff Tolley
> DBA/Systems Administrator
>
> YouGovPolimetrix
> 285 Hamilton Avenue Suite 200
> Palo Alto, CA 94301
> geoff.tol...@yougov.com
> http://www.yougov.com/

--
With Best Regards
Miss. Khodadadi
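Two points in Geoff's reply can be checked mechanically before touching the server: the client library derives the service principal from the -h value (A record, then PTR record), and the keytab PostgreSQL reads must contain that service principal, not just the user's key that `ktadd frank` wrote. The script below is an added example and is not code from this thread, from PostgreSQL or from MIT Kerberos. It applies that canonicalisation against a constructed DNS table (the A and PTR entries, the `postgres` service name and the realm are assumptions for illustration), builds a constructed MIT-format keytab with dummy key bytes, parses it, and reports which principal would be requested but is absent.

```python
import io
import struct

# Constructed stand-ins for the resolver (not real DNS data): the "-h" value is
# first resolved to an address (A record), then the address is mapped back to a
# hostname (PTR record), as Geoff describes.
DNS_A = {"star": "213.233.169.93", "localhost": "127.0.0.1"}
DNS_PTR = {"213.233.169.93": "star.example.com", "127.0.0.1": "localhost"}

# Kerberos enctype numbers used in the sample keytab (IANA registry values).
ENCTYPE_DES3_CBC_SHA1 = 16
ENCTYPE_ARCFOUR_HMAC = 23


def expected_service_principal(host_arg, service="postgres", realm="EXAMPLE.COM",
                               a_records=DNS_A, ptr_records=DNS_PTR):
    """Build the service principal the client library will ask the KDC for.

    An IP literal or an unknown name has no A record and is used as-is; a
    missing PTR record falls back to the original -h value (an assumption
    made for this example).
    """
    address = a_records.get(host_arg, host_arg)
    canonical_host = ptr_records.get(address, host_arg)
    return f"{service}/{canonical_host.lower()}@{realm}"


def build_keytab(entries):
    """Serialise (principal, kvno, enctype, key) tuples in MIT keytab layout v0x0502.

    Only used here to construct sample data; real keytabs come from ktadd.
    """
    out = bytearray(b"\x05\x02")
    for principal, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        components = name.split("/")
        body = bytearray()
        body += struct.pack(">H", len(components))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in components:
            body += struct.pack(">H", len(comp)) + comp.encode()
        # name_type 1 = KRB5_NT_PRINCIPAL, timestamp 0, 8-bit kvno
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
        body += struct.pack(">HH", enctype, len(key)) + key
        body += struct.pack(">I", kvno)  # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def keytab_principals(data):
    """Parse a v0x0502 keytab and return [(principal, kvno, enctype), ...]."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    stream = io.BytesIO(data[2:])
    found = []
    while True:
        header = stream.read(4)
        if len(header) < 4:
            break
        (size,) = struct.unpack(">i", header)
        if size == 0:
            break
        raw = stream.read(abs(size))
        if size < 0:
            continue  # a negative size marks a deleted slot
        entry = io.BytesIO(raw)
        (ncomp,) = struct.unpack(">H", entry.read(2))
        (rlen,) = struct.unpack(">H", entry.read(2))
        realm = entry.read(rlen).decode()
        components = []
        for _ in range(ncomp):
            (clen,) = struct.unpack(">H", entry.read(2))
            components.append(entry.read(clen).decode())
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", entry.read(9))
        enctype, klen = struct.unpack(">HH", entry.read(4))
        entry.read(klen)  # key material is not needed for this check
        tail = entry.read(4)
        kvno = struct.unpack(">I", tail)[0] if len(tail) == 4 else vno8
        found.append(("/".join(components) + "@" + realm, kvno, enctype))
    return found


def missing_service_principal(keytab, host_arg, **kwargs):
    """Return the principal the client will request if the keytab lacks it, else None."""
    wanted = expected_service_principal(host_arg, **kwargs)
    present = {principal for principal, _, _ in keytab_principals(keytab)}
    return None if wanted in present else wanted


# Constructed sample keytabs with dummy key bytes.
# USER_ONLY_KEYTAB mirrors the thread: 'ktadd frank' added only the user's key.
USER_ONLY_KEYTAB = build_keytab([
    ("frank@EXAMPLE.COM", 2, ENCTYPE_DES3_CBC_SHA1, b"\x00" * 24),
])
SERVICE_KEYTAB = build_keytab([
    ("frank@EXAMPLE.COM", 2, ENCTYPE_DES3_CBC_SHA1, b"\x00" * 24),
    ("postgres/star.example.com@EXAMPLE.COM", 3, ENCTYPE_ARCFOUR_HMAC, b"\x11" * 16),
])

if __name__ == "__main__":
    for label, keytab in (("user-only", USER_ONLY_KEYTAB), ("with service key", SERVICE_KEYTAB)):
        for host in ("star", "127.0.0.1"):
            gap = missing_service_principal(keytab, host)
            print(f"{label:17} -h {host:10} -> {'ok' if gap is None else 'missing ' + gap}")
```

Run against a real keytab, the same check is `klist -k <file>` compared with the principal named in the server's krb_srvname and hostname settings; the point the script makes visible is that `-h 127.0.0.1` canonicalises to a different host part than `-h star`, so a keytab holding only one of them fails for the other.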