My operating system is Red Hat Linux AS 4, Kerberos 5, with postgresql-7.4.14 that I compiled. I can authenticate using ssh, su, console login, and also have gotten apache mod_auth_kerb to work with AD - but I am missing something with postgresql. When I try:

    [pkoppe01@ipswich ~]$ /usr/local/pgsql/bin/psql -d test -h ipswich
    psql: Kerberos 5 authentication failed

For the configure step, I did (needed the include statement to prevent an error about comm_err.h):

    [koppel@ipswich postgresql-7.4.14]$ ./configure --with-java --with-krb5 --with-includes=/usr/include/et

The make proceeded normally.

My pg_hba.conf looks like this (with pkoppe01 defined in Active Directory but not defined in postgres using "createuser")

    local all all trust
    host test pkoppe01 192.168.1.0 255.255.255.0 krb5

Also have "tcpip_socket = true" and the postgres keytab referenced in postgresql.conf and the keytab file itself owned by postgres.

When I try the psql command above (as pkoppe01) I do get the service ticket for postgres:

    [pkoppe01@ipswich ~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_501_LCzZ1P
    Default principal: pkoppe01@PRIVATE.LAN

    Valid starting     Expires            Service principal
    11/13/06 11:17:25  11/13/06 21:17:28  krbtgt/PRIVATE.LAN@PRIVATE.LAN
            renew until 11/14/06 11:17:25
    11/13/06 11:19:02  11/13/06 21:17:28  postgres/ipswich.private.lan@PRIVATE.LAN
            renew until 11/14/06 11:17:25

Any ideas would be greatly appreciated. Thanks in advance. Please feel free to email me directly as I just joined the list and don't know my way around yet.

Paul Koppel
Systems Manager
Washington University School of Medicine
St. Louis, MO 63110
> My operating system is Red Hat Linux AS 4, Kerberos 5, with
> postgresql-7.4.14 that I compiled. I can authenticate using
> ssh, su, console login, and also have gotten apache
> mod_auth_kerb to work with AD - but I am missing something
> with postgresql. When I try:
>
> [pkoppe01@ipswich ~]$ /usr/local/pgsql/bin/psql -d test -h ipswich
> psql: Kerberos 5 authentication failed
>
> For the configure step, I did (needed the include statement
> to prevent an error about comm_err.h):
>
> [koppel@ipswich postgresql-7.4.14]$ ./configure --with-java
> --with-krb5 --with-includes=/usr/include/et
>
> The make proceeded normally.
>
> My pg_hba.conf looks like this (with pkoppe01 defined in
> Active Directory but not defined in postgres using "createuser")
>
> local all all trust
> host test pkoppe01 192.168.1.0 255.255.255.0 krb5
>
> Also have "tcpip_socket = true" and the postgres keytab
> referenced in postgresql.conf and the keytab file itself
> owned by postgres.
>
> When I try the psql command above (as pkoppe01) I do get the
> service ticket for postgres:
>
> [pkoppe01@ipswich ~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_501_LCzZ1P Default principal:
> pkoppe01@PRIVATE.LAN
>
> Valid starting Expires Service principal
> 11/13/06 11:17:25 11/13/06 21:17:28
> krbtgt/PRIVATE.LAN@PRIVATE.LAN renew until 11/14/06 11:17:25
> 11/13/06 11:19:02 11/13/06 21:17:28
> postgres/ipswich.private.lan@PRIVATE.LAN
> renew until 11/14/06 11:17:25
>
> Any ideas would be greatly appreciated. Thanks in advance.
> Please feel free to email me directly as I just joined the
> list and don't know my way around yet.

The server log from postgresql should give some more information.

//Magnus
Magnus Hagander wrote:

>> My pg_hba.conf looks like this (with pkoppe01 defined in
>> Active Directory but not defined in postgres using "createuser")

You need to createuser with the AD username - this allows that user to connect to PostgreSQL and to own and have various permissions in PostgreSQL but uses the kerberos password authentication instead of internal password storage.

--
Shane Ambler
pgSQL@007Marketing.com
Get Sheeky @ http://Sheeky.Biz
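An added example (not part of the thread and not PostgreSQL's own code) of a check for the situation the last reply describes: it reads a 7.4-style pg_hba.conf and lists users named in krb5 rules that have no PostgreSQL role. The function names, the sample role list, and the first-component principal mapping in `principal_to_role` are assumptions made for illustration.

```python
"""Added example: krb5 users in pg_hba.conf that have no PostgreSQL role."""

HOST_TYPES = {"host", "hostssl", "hostnossl"}

def parse_hba(text):
    """Yield (database, user_field, method) for each pg_hba.conf rule."""
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only or malformed line
        if fields[0] == "local":
            idx = 3
        elif fields[0] in HOST_TYPES:
            # Address is "IP/CIDR" (one field) or "IP MASK" (two fields).
            idx = 4 if "/" in fields[3] else 5
        else:
            continue
        if len(fields) > idx:
            yield fields[1], fields[2], fields[idx]

def principal_to_role(principal):
    """First component of the principal, realm dropped (assumed mapping to
    the database user name the client requests)."""
    return principal.split("@", 1)[0].split("/", 1)[0]

def krb5_users_without_role(hba_text, roles):
    """Users named in krb5 rules that do not exist as PostgreSQL roles."""
    missing = set()
    for _db, users, method in parse_hba(hba_text):
        if method != "krb5":
            continue
        for user in users.split(","):
            # "all", +group and @file entries name no single role to check.
            if not user or user == "all" or user[0] in "+@":
                continue
            if user not in roles:
                missing.add(user)
    return sorted(missing)

# Constructed input: the two rules from the post, plus an assumed role list
# such as "SELECT usename FROM pg_user" would return before createuser is run.
SAMPLE_HBA = """\
local all all trust
host test pkoppe01 192.168.1.0 255.255.255.0 krb5
"""
SAMPLE_ROLES = {"postgres"}

if __name__ == "__main__":
    print(krb5_users_without_role(SAMPLE_HBA, SAMPLE_ROLES))
```

Every name it reports holds a rule that lets Kerberos authenticate the principal while the server still has no role to log that principal in as.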