Hello all
We have our analysis users log on to Postgres without a password. Instead we
rely on their Windows identity.
When the Postgres server is on Windows, we use SSPI. Works great.
When the Postgres server is on Linux, we use GSSAPI. Works great.
Now, we are introducing Linux for analysts to run their Python/R/SQL/whatever.
They log onto Linux using their Windows identity. The Linux analysis servers
are joined to the Windows domain using sssd.
This gives us a headache. Logging onto Postgres without a password does not
immediately work when the Windows user is logged onto a Linux server with their
Windows credentials.
Linux is Ubuntu 22.04 on the client side, Ubuntu 20.04 on the Postgres server
side. Postgres server version is server 14.2 (Ubuntu 14.2-1.pgdg20.04+1). psql
client is psql (PostgreSQL) 14.2 (Ubuntu 14.2-1ubuntu1).
What happens is this:
yyy@srvpython8:~$ psql service=bigdata_db1
psql: error: connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: could not initiate GSSAPI security context: Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database
connection to server at "srvpostgres4.xxx.local" (172.30.33.30), port 1609 failed: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information: Server not found in Kerberos database
yyy@srvpython8:~$
The Postgres server log has this.
2022-05-13 18:14:01.140 CEST,,,474093,"172.30.32.213:33554",627e83c9.73bed,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33554",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 port=33556",,,,,,,,,"","not initialized",,0
2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,"GSSAPI authentication failed for user ""yyy""","Connection matched pg_hba.conf line 15: ""host all all 172.0.0.0/8 gss map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,-3382135431624836920
Are we forgetting to set something up?
Regards Niels Jespersen
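
Added example, not part of the original post and not PostgreSQL's own code: a Python reader for csvlog records like the ones above that keeps the SQLSTATE 28000 authentication failures and breaks out the pg_hba.conf rule each one matched. The column list assumes the PostgreSQL 14 csvlog layout, `SAMPLE` is constructed from the post's records with the mail line wraps rejoined, and the function names are hypothetical.

```python
import csv
import re
import shlex

# Column order of a PostgreSQL 14 csvlog record (26 fields); assumed layout.
COLUMNS = (
    "log_time user_name database_name process_id connection_from session_id session_line_num "
    "command_tag session_start_time virtual_transaction_id transaction_id error_severity "
    "sql_state_code message detail hint internal_query internal_query_pos context query "
    "query_pos location application_name backend_type leader_pid query_id"
).split()

# Constructed sample: two records from the post, mail line wraps rejoined.
SAMPLE = (
    '2022-05-13 18:14:01.159 CEST,,,474094,"172.30.32.213:33556",627e83c9.73bee,1,"",'
    '2022-05-13 18:14:01 CEST,,0,LOG,00000,"connection received: host=172.30.32.213 '
    'port=33556",,,,,,,,,"","not initialized",,0\n'
    '2022-05-13 18:14:01.176 CEST,"yyy","db1",474094,"172.30.32.213:33556",627e83c9.73bee,2,'
    '"authentication",2022-05-13 18:14:01 CEST,2/14544,0,FATAL,28000,'
    '"GSSAPI authentication failed for user ""yyy""",'
    '"Connection matched pg_hba.conf line 15: ""host all all 172.0.0.0/8 gss '
    'map=xxxlocal include_realm=0 krb_realm=""XXX.LOCAL""""",,,,,,,,"","client backend",,'
    '-3382135431624836920\n'
)
HBA_DETAIL = re.compile(r'Connection matched pg_hba\.conf line (\d+): "(.*)"$')


def parse_hba_rule(rule):
    """Split one pg_hba.conf rule into named fields plus its auth options."""
    tokens = shlex.split(rule)  # also strips the quotes in krb_realm="XXX.LOCAL"
    local = tokens[0] == "local"  # "local" rules have no address column
    names = ("type database user method" if local else "type database user address method").split()
    fields = dict(zip(names, tokens))  # host* rules are assumed to use CIDR addresses
    fields["options"] = dict(t.partition("=")[::2] for t in tokens[len(names):])
    return fields


def auth_failures(csvlog_text):
    """Return one dict per SQLSTATE 28000 record, with the pg_hba rule it matched."""
    found = []
    # csv.reader undoes the doubled-quote escaping used inside csvlog fields.
    for row in csv.reader(csvlog_text.splitlines(keepends=True)):
        rec = dict(zip(COLUMNS, row))
        if rec.get("sql_state_code") != "28000":
            continue
        m = HBA_DETAIL.search(rec.get("detail", ""))
        found.append({"time": rec["log_time"], "user": rec["user_name"],
                      "client": rec["connection_from"], "message": rec["message"],
                      "hba_line": int(m.group(1)) if m else None,
                      "hba_rule": parse_hba_rule(m.group(2)) if m else None})
    return found
```

Calling `auth_failures(SAMPLE)` returns a single entry for user `yyy`, showing that the server rejected the attempt under rule 15 with method `gss` and the options `map`, `include_realm` and `krb_realm` already separated.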