Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM

Поиск
Список
Период
Сортировка
От Khushboo Vashi
Тема Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM
Дата
Msg-id CAFOhELeLwL4J=Co2-mvxUQYCtPZzySYjQmwK-ew9mRm5_Ugq2w@mail.gmail.com
обсуждение исходный текст
Ответ на Kerberos Authentication to Postgres from PGADMIN in IPA REALM  (Gregory McKaige <gmckaige@gmail.com>)
Ответы Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM
Список pgadmin-support
Дерево обсуждения


On Tue, Apr 11, 2023 at 2:50 PM Gregory McKaige <gmckaige@gmail.com> wrote:
Let me know if I should reply-all or just back to the list (I haven't used a mailing list before).
Yes. you should reply-all. 

Yes, I have the Kerberos Authentication toggle button "enabled".
image.png


Can you confirm whether your credential cache file exists or not (/tmp/krb5cc_5050) while you are trying to connect the server?  

On Tue, Apr 11, 2023 at 3:21 PM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:
Hi,

As you can log in to the pgAdmin web app through Kerberos, you should be able to connect Postgres through Kerberos.
One thing I want to confirm is that when you created the server, you turned on the Kerberos authentication option. 
See the below screen-shot.

Screenshot 2023-04-11 at 1.48.38 PM.png

Thanks,
Khushboo

On Tue, Apr 11, 2023 at 1:17 PM Gregory McKaige <gmckaige@gmail.com> wrote:
Environment:
  VM -  FreeIPA providing LDAP/Kerberos (FreeIPA 4.10.0) on Rocky Linux 9.1
  VM - Rocky Linux 9.1 as Docker Host
         -- PGADMIN (Container) 6.15
  VM - Rocky Linux 9.1 providing Postgres 15

From an IPA joined client Kerberos SSO works to the PGAdmin container (no extra login prompt)
From an IPA joined client with psql installed I can connect to Postgres using Kerberos. I see the  "GSSAPI - Encrypted connection" in the connection.

When I attempt to connect with the same account from the PGAdmin web application I receive the following error in the web interface.
"GSSAPI continuation error. No credentials were supplied, or the credentials were unavailable or inaccessible. No Kerberos credentials available.(Default cache: FILE:/tmp/krb5cc_5050)

On Postgres I checked the logs and it looks like the right user is being sent....but not authenticated:
2023-04-11 13:31:53.364 +07 [3858] FATAL:  GSSAPI authentication failed for user "a01-6"
2023-04-11 13:31:53.364 +07 [3858] DETAIL:  Connection matched pg_hba.conf line 91: "host    all             all             192.168.1.0/24            gss include_realm=0 krb_realm=MY.LAB"

Initially I thought it might be the typical kerberos double-hop issue with Kerberos delegation and I found the following article on Kerberos delelgation.


I configured the delegation (First time in the Linux world I've done this so maybe it's wrong?) using:

ipa servicedelegationtarget-add
ipa servicedelegationtarget-ad-member
ipa servicedelegationrule-add
ipa servicedelegationrule-add-member
ipa servicedelegationrule-add-target

Then rebooted everything, but same results. Is there a way in the PGAdmin container to turn up logging to see what's happening?

Thanks,
Greg

Вложения

В списке pgadmin-support по дате отправления: