Re: GSSAPI/KRB5 and JDBC (again)

On Mon, Jul 28, 2008 at 11:35 PM, Kris Jurka <books@ejurka.com> wrote:
> It tries to use the provided password only if it doesn't find an existing
> set of credentials.  It definitely works for me without a password after
> kinit(ing).  Perhaps your ticket cache or keytab is in a non-standard place?
>  This is the first and only time I've setup a kerberos server, so I may have
> done something unusual on my end too, but I basically just did a stock
> Debian install.  Perhaps you need some additional options from here in your
> login.conf to let it know things particular to your setup?
>
> http://java.sun.com/j2se/1.4.2/docs/guide/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html

Our ticket cache location is somewhat random on each login, but it can
always be reliably found by looking at the environment variable
KRB5CCNAME. I can specify the temporary location, but it would be much
better to somehow be able to grab the auth info from that.

I got this working after a few attempts and reading up on Java auth
configs. It looks like I have to have the line which tells which user
to use, i.e.

        props.setProperty("user", "koczan");

...but it has to be the same as the user/principal in the ticket
cache. It would be nice in the case of web scripts or cron jobs (where
things may run as different or arbitrary users) if I could specify
that elsewhere without having to recompile. I tried specifying the
principal in the config file, and I tried specifying the user on the
command line with -D, but neither worked without the setProperty line
in the .java file.

org.postgresql.util.PSQLException: FATAL: no PostgreSQL user name
specified in startup packet

Still, this is a lot further along compared to where I was a week ago.
Thanks again.

Peter