Discussion: kerberos pg_ident different behavior in psql vs. jdbc
I have installed PostgreSQL 9.4 and MIT Kerberos 5 on an Ubuntu 15.10 system.
I have added the following entries:
pg_hba.conf:
  # TYPE DATABASE USER ADDRESS METHOD OPTIONS
pg_ident.conf:
  # MAPNAME SYSTEM-USERNAME PG-USERNAME
  gss /^([^/]+)\/postgres@INVARIANTPROPERTIES\.COM$ \1
If I kinit the principal 'bgiles/postgres@INVARIANTPROPERTIES.COM' I can successfully connect to the database as the 'bgiles' user. I have confidence in the PostgreSQL configuration.
I can take the keytab file containing the key, add a JAAS configuration file, and successfully authenticate to the KDC. I have confidence that that's correct although there might be small tweaks possible. (E.g., should the JAAS principal field include @REALM?)
However when I try to connect via JDBC (using JAAS and a keytab file) I seem to fail at the pg_ident.conf step.
2016-04-21 19:36:22 UTC [10992-2] bgiles/postgres@SNAPLOGIC.COM@bgiles LOG: no match in usermap "gss" for user "bgiles/postgres" authenticated as "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-3] bgiles/postgres@SNAPLOGIC.COM@bgiles FATAL: GSSAPI authentication failed for user "bgiles/postgres@SNAPLOGIC.COM"
2016-04-21 19:36:22 UTC [10992-4] bgiles/postgres@SNAPLOGIC.COM@bgiles DETAIL: Connection matched pg_hba.conf line 100: "host all all 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=SNAPLOGIC.COM"
That happens with a jdbc username of 'bgiles', 'bgiles/postgres', or 'bgiles/postgres@SNAPLOGIC.COM'.
Have other people looked at Kerberos + JDBC? I'm also looking at the JDBC driver code and I might have noticed something that would cause problems but I wanted to check with others before I tried hacking on it.
Thanks,
Bear
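The "no match in usermap" line above is produced by the server-side pg_ident check, which is independent of how the client obtained its ticket. The following is an added example (not code from the thread or from PostgreSQL) that simulates that check in Python for the map and the principals that appear in the post: a SYSTEM-USERNAME beginning with "/" is treated as a regular expression matched against the authenticated name (the full principal, because pg_hba uses include_realm=1), "\1" in PG-USERNAME is replaced by the first capture group, and the result must equal the role the client asked for. The second map line, for the SNAPLOGIC.COM realm, is an assumption added here to show what happens when the map's realm matches the realm in the log.

```python
import re

# Constructed copy of the pg_ident.conf line posted in the thread.
MAP_FROM_POST = r"gss /^([^/]+)\/postgres@INVARIANTPROPERTIES\.COM$ \1"
# Assumed variant with the realm that actually appears in the server log.
MAP_FOR_LOGGED_REALM = r"gss /^([^/]+)\/postgres@SNAPLOGIC\.COM$ \1"


def parse_ident_line(line):
    """Split a pg_ident.conf line into (MAPNAME, SYSTEM-USERNAME, PG-USERNAME)."""
    fields = line.split()
    if len(fields) != 3:
        raise ValueError("pg_ident line needs exactly three fields: %r" % line)
    return fields[0], fields[1], fields[2]


def usermap_allows(map_line, authenticated_name, requested_role):
    """Simulate PostgreSQL's usermap check for one pg_ident line.

    authenticated_name is the name GSSAPI verified (with include_realm=1 the
    full principal, e.g. 'bgiles/postgres@REALM'); requested_role is the
    database user the client asked for.  Returns True if the map permits it.
    """
    _, system_user, pg_user = parse_ident_line(map_line)
    if not system_user.startswith("/"):
        # Plain entry: both sides must match exactly.
        return system_user == authenticated_name and pg_user == requested_role
    # Regex entry: the text after the leading '/' is the pattern.
    m = re.search(system_user[1:], authenticated_name)
    if m is None:
        return False
    if r"\1" in pg_user:
        if not m.groups():
            raise ValueError("PG-USERNAME uses \\1 but the regex has no capture group")
        mapped_role = pg_user.replace(r"\1", m.group(1))
    else:
        mapped_role = pg_user
    return mapped_role == requested_role


def evaluate_thread_cases(map_line):
    """Run the (principal, requested role) combinations discussed in the thread."""
    cases = [
        ("bgiles/postgres@INVARIANTPROPERTIES.COM", "bgiles"),           # the psql case
        ("bgiles/postgres@SNAPLOGIC.COM", "bgiles"),                     # JDBC, username 'bgiles'
        ("bgiles/postgres@SNAPLOGIC.COM", "bgiles/postgres"),            # JDBC, as in the log line
        ("bgiles/postgres@SNAPLOGIC.COM", "bgiles/postgres@SNAPLOGIC.COM"),
        ("bgiles/postgres@INVARIANTPROPERTIES.COM", "bgiles/postgres"),  # right realm, wrong role
    ]
    return {case: usermap_allows(map_line, *case) for case in cases}


if __name__ == "__main__":
    for label, map_line in (("map from post", MAP_FROM_POST),
                            ("map for logged realm", MAP_FOR_LOGGED_REALM)):
        print("==", label, "==")
        for (principal, role), ok in evaluate_thread_cases(map_line).items():
            print("%-45s as %-35s -> %s" % (principal, role, "match" if ok else "no match"))
```

Two things the simulation makes visible: with the posted map, a principal in the SNAPLOGIC.COM realm can never match, because the regex is anchored on INVARIANTPROPERTIES.COM, so every JDBC attempt in the log fails at the map regardless of the username supplied; and even with a map for the logged realm, only a requested role of exactly "bgiles" (the value of \1) passes, while "bgiles/postgres" and the full principal do not. That is the server's view only; it says nothing about whether the JDBC driver itself can present a keytab-based or compound-name credential, which is the separate question raised later in the thread.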
I've finally tracked down the code in question. Kerberos authentication currently only supports (username, password) authentication and not keytab authentication. The username can't be a compound name (e.g., bob/postgres) either.
I'll pencil in some time to work on a patch to the PostgreSQL JDBC driver.
Bear
On Thu, Apr 21, 2016 at 1:27 PM, Bear Giles <bgiles@coyotesong.com> wrote: