configuration kerberos in Postgre sql


on 11.10.2009 15:36:02 by rahimeh khodadadi


Hi,

after compiling the postgresql --with-krb5 and setting up the krb5-server in
centos, I configured the postgresql.conf as below:

krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'
krb_srvname = 'POSTGRES' # (Kerberos only)
#krb_caseins_users = off

and

my *pg_hba.conf* is :

# "local" is for Unix domain socket connections only
local all postgres trust
# IPv4 local connections:
host all frank 0.0.0.0/0 krb5
#host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust


,and kdc.conf

[kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
acl_file = /var/kerberos/krb5kdc/kadm5.acl
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
des-cbc-crc:afs3
}

Then, I created the user frank as :

kadmin.local
Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
kadmin.local: ank frank
WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no policy
Enter password for principal "frank@EXAMPLE.COM":
Re-enter password for principal "frank@EXAMPLE.COM":

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank
Entry for principal frank with kvno 2, encryption type Triple DES cbc mode
with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type ArcFour with HMAC/md5
added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES cbc mode with
RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

Finally, it gives error like:

[root@localhost ~]# kinit frank -t /var/kerberos/krb5kdc/kadm5.keytab
Password for frank@EXAMPLE.COM:
kinit(v5): Password incorrect while getting initial credentials

or

in cmd when I run this instruction the below error is shown.

[root@localhost bin]# ./psql -h 127.0.0.1 -U frank
psql: krb5_sendauth: Bad application version was sent (via sendauth)


Please help me.



--
With Best Regards
Miss.KHodadadi

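The procedure in the post above creates a user principal (frank), runs ktadd on it into the KDC's own kadm5.keytab, and points krb_server_keyfile at that same file. Two things about that are worth making explicit. MIT kadmin's ktadd replaces the principal's key with a random one unless -norandkey is given, so after ktadd the password typed at kinit no longer matches the key the KDC holds. And the keytab the server reads has to carry the service principal (postgres/<host>@REALM, matching krb_srvname exactly, since principal names are case-sensitive), in a file the postgres OS user can read and kept apart from kadm5.keytab, which holds the kadmin keys. The script below is an added example, not code from the original post or from PostgreSQL; the realm EXAMPLE.COM, host star.example.com, keytab path and the postgres OS user are assumptions. The kadmin steps run only when the script is invoked with --provision, so the helper functions can be checked without a KDC.

```shell
#!/bin/sh
# Added example, not from the original post: provision the keytab that the
# PostgreSQL server reads for Kerberos authentication.
# Assumptions: MIT Kerberos (kadmin.local, klist) on the KDC host, realm
# EXAMPLE.COM, database host star.example.com, server running as OS user
# "postgres", keytab at /usr/local/pgsql/data/postgresql.keytab.
set -eu

REALM="EXAMPLE.COM"                                    # assumption
PG_HOST="star.example.com"                             # assumption: name clients resolve
PG_KEYTAB="/usr/local/pgsql/data/postgresql.keytab"    # assumption: NOT kadm5.keytab
PG_OS_USER="postgres"                                  # assumption

# service/host@REALM. Principal names are case-sensitive, so the service
# part must match krb_srvname exactly ("postgres", the PostgreSQL default,
# is not the same principal as "POSTGRES").
service_principal() {
    # $1 = service name, $2 = host, $3 = realm
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Only service principals (with a "service/instance" form) belong in a
# server keytab. A user principal such as frank@EXAMPLE.COM must not be
# ktadd'ed: ktadd replaces the principal's key with a random one, so the
# user's password no longer works afterwards.
is_service_principal() {
    case "$1" in
        */*@*) return 0 ;;
        *)     return 1 ;;
    esac
}

# kadmin.local commands for one service principal, one per line.
kadmin_commands() {
    # $1 = principal, $2 = keytab path
    printf 'addprinc -randkey %s\n' "$1"   # random key: a service never types a password
    printf 'ktadd -k %s %s\n' "$2" "$1"    # write its key into the server keytab
}

provision() {
    princ=$(service_principal postgres "$PG_HOST" "$REALM")
    if ! is_service_principal "$princ"; then
        echo "refusing to add user principal $princ to a keytab" >&2
        return 1
    fi
    kadmin_commands "$princ" "$PG_KEYTAB" | while IFS= read -r cmd; do
        kadmin.local -q "$cmd"
    done
    # The keytab is a long-term credential: readable by the server's OS user
    # only, and kept apart from kadm5.keytab, which holds the kadmin keys.
    chown "$PG_OS_USER" "$PG_KEYTAB"
    chmod 0600 "$PG_KEYTAB"
    klist -k "$PG_KEYTAB"   # confirm the service principal is present
}

# Only touch the KDC when asked explicitly; without arguments the file just
# defines the functions above.
if [ "${1:-}" = "--provision" ]; then
    provision
fi
```

Run it on the KDC host as `sh provision.sh --provision`, then set krb_server_keyfile to that keytab and krb_srvname to the service name alone (postgres), not to a full principal. Users such as frank keep their password and simply run kinit; only the service principal lives in a keytab.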

Re: configuration kerberos in Postgre sql

on 12.10.2009 13:42:23 by rahimeh khodadadi


nobody could help me?

On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
rahimeh.khodadadi@gmail.com> wrote:

> Hi,
>
> after compiling the postgresql --with-krb5 and setting up the krb5-server
> in centos, I configured the *postgresql.conf* as below:
>
> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
> *krb_srvname = 'POSTGRES' * # (Kerberos only)
> #krb_caseins_users = off
>
> and
>
> my *pg_hba.conf* is :
>
> # "local" is for Unix domain socket connections only
> local all postgres trust
> # IPv4 local connections:
> host all *frank* 0.0.0.0/0 krb5
> #host all all 127.0.0.1/32 trust
> # IPv6 local connections:
> host all all ::1/128 trust
>
>
> ,and kdc.conf
>
> kdcdefaults]
> v4_mode = nopreauth
> kdc_tcp_ports = 88
>
> [realms]
> EXAMPLE.COM = {
> #master_key_type = des3-hmac-sha1
> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:afs3
> }
>
> Then, I created the user frank as :
>
> kadmin.local
> Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
> kadmin.local: * ank frank*
> WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no
> policy
> Enter password for principal "frank@EXAMPLE.COM":
> Re-enter password for principal "frank@EXAMPLE.COM":
>
> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
> Entry for principal frank with kvno 2, encryption type Triple DES cbc mode
> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type ArcFour with
> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type DES cbc mode with
> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>
> Finally, it gives error like:
>
> [root@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
> Password for frank@EXAMPLE.COM:
> *kinit(v5): Password incorrect while getting initial credentials*
>
> or
>
> in cmd when I run this instruction the below error is shown.
>
> [root@localhost bin]# ./psql -h 127.0.0.1 -U frank
> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>
>
> Please help me.
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>



--
With Best Regards
Miss.KHodadadi


Re: configuration kerberos in Postgre sql

on 16.10.2009 20:50:00 by rahimeh khodadadi

Has nobody ever worked with krb5 in postgresql?

On 10/12/09, rahimeh khodadadi wrote:
> nobody could help me?
>
> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
> rahimeh.khodadadi@gmail.com> wrote:
>
>> Hi,
>>
>> after compiling the postgresql --with-krb5 and setting up the krb5-server
>> in centos, I configured the *postgresql.conf* as below:
>>
>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>> #krb_caseins_users = off
>>
>> and
>>
>> my *pg_hba.conf* is :
>>
>> # "local" is for Unix domain socket connections only
>> local all postgres trust
>> # IPv4 local connections:
>> host all *frank* 0.0.0.0/0 krb5
>> #host all all 127.0.0.1/32 trust
>> # IPv6 local connections:
>> host all all ::1/128 trust
>>
>>
>> ,and kdc.conf
>>
>> kdcdefaults]
>> v4_mode = nopreauth
>> kdc_tcp_ports = 88
>>
>> [realms]
>> EXAMPLE.COM = {
>> #master_key_type = des3-hmac-sha1
>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>> dict_file = /usr/share/dict/words
>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>> des-cbc-crc:afs3
>> }
>>
>> Then, I created the user frank as :
>>
>> kadmin.local
>> Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
>> kadmin.local: * ank frank*
>> WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no
>> policy
>> Enter password for principal "frank@EXAMPLE.COM":
>> Re-enter password for principal "frank@EXAMPLE.COM":
>>
>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>> mode
>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type ArcFour with
>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>
>> Finally, it gives error like:
>>
>> [root@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>> Password for frank@EXAMPLE.COM:
>> *kinit(v5): Password incorrect while getting initial credentials*
>>
>> or
>>
>> in cmd when I run this instruction the below error is shown.
>>
>> [root@localhost bin]# ./psql -h 127.0.0.1 -U frank
>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>
>>
>> Please help me.
>>
>>
>>
>> --
>> With Best Regards
>> Miss.KHodadadi
>>
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>


--
With Best Regards
Miss.KHodadadi

--
Sent via pgsql-admin mailing list (pgsql-admin@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: configuration kerberos in Postgre sql

on 16.10.2009 23:12:47 by Geoff Tolley

Hi Rahimeh,

Is PG on the same box as the kadmind?

rahimeh khodadadi wrote:
> have never been worked with krb5 in postgresql?
>
> On 10/12/09, rahimeh khodadadi wrote:
>> nobody could help me?
>>
>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>> rahimeh.khodadadi@gmail.com> wrote:
>>
>>> Hi,
>>>
>>> after compiling the postgresql --with-krb5 and setting up the krb5-server
>>> in centos, I configured the *postgresql.conf* as below:
>>>
>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>> #krb_caseins_users = off

I like to specify my krb_server_hostname explicitly here.

>>> and
>>>
>>> my *pg_hba.conf* is :
>>>
>>> # "local" is for Unix domain socket connections only
>>> local all postgres trust
>>> # IPv4 local connections:
>>> host all *frank* 0.0.0.0/0 krb5
>>> #host all all 127.0.0.1/32 trust
>>> # IPv6 local connections:
>>> host all all ::1/128 trust
>>>
>>>
>>> ,and kdc.conf
>>>
>>> kdcdefaults]
>>> v4_mode = nopreauth
>>> kdc_tcp_ports = 88
>>>
>>> [realms]
>>> EXAMPLE.COM = {
>>> #master_key_type = des3-hmac-sha1
>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>> dict_file = /usr/share/dict/words
>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

If this is the same machine as PG, I'm not sure why you have the same file here as
for the keytab to keep the PG service principal in. My manpage for kdc.conf says
that admin_keytab specifies the keytab to be used by kadmin to authenticate to the
database, so really shouldn't be kept very distinct from the keytab with the PG
service principal.

>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>>> des-cbc-crc:afs3
>>> }
>>>
>>> Then, I created the user frank as :
>>>
>>> kadmin.local
>>> Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
>>> kadmin.local: * ank frank*
>>> WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no
>>> policy
>>> Enter password for principal "frank@EXAMPLE.COM":
>>> Re-enter password for principal "frank@EXAMPLE.COM":
>>>
>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>> mode
>>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

But for PG you'll need a keytab with the service principal you've defined to be
POSTGRES/<hostname>@EXAMPLE.COM in it.

>>> Finally, it gives error like:
>>>
>>> [root@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>> Password for frank@EXAMPLE.COM:
>>> *kinit(v5): Password incorrect while getting initial credentials*

I've never had much joy myself when getting tickets from a -t keytab, I usually just
kinit and enter a password instead.

>>> or
>>>
>>> in cmd when I run this instruction the below error is shown.
>>>
>>> [root@localhost bin]# ./psql -h 127.0.0.1 -U frank
>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*

To construct the service principal the library takes the -h argument, then gets
the A record for it (if applicable), then gets the PTR record for the A record to get
the hostname for the service principal name (unless you're using Windows I have
found, in which case it just stops and takes the originally given hostname if an A
record exists). Just use a non-127 address instead, it'll make things a lot easier
to keep straight. For that matter, /etc/hostname and /etc/resolv.conf would be good
to see too because of their importance here.

HTH,
Geoff


---------
Geoff Tolley
DBA/Systems Administrator

YouGovPolimetrix
285 Hamilton Avenue Suite 200
Palo Alto, CA 94301
geoff.tolley@yougov.com
http://www.yougov.com/



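Geoff's description of how the client arrives at the service principal name (forward lookup of the -h argument, then reverse lookup of the resulting address) is the part most worth checking mechanically, because a mismatch between the principal the client requests and the entry in the server keytab fails before any user credential is involved, and -h 127.0.0.1 is exactly the case where the two drift apart. The script below is an added example, not code from the thread or from PostgreSQL or Kerberos: DNS is replaced by constructed lookup tables so it runs offline, and the names, addresses and keytab contents are assumptions. With MIT Kerberos the reverse step is governed by the rdns setting in krb5.conf's [libdefaults]; the example models the default, reverse lookup on.

```shell
#!/bin/sh
# Added example, not from the thread: predict the service principal a Kerberos
# client will request for a given "psql -h" value and check it against the
# server keytab. DNS is replaced by constructed lookup tables so this runs
# offline; names, addresses and keytab contents below are assumptions.
set -eu

# Constructed forward (A / hosts) records: name -> address.
lookup_a() {
    case "$1" in
        star|star.example.com)    echo "213.233.169.93" ;;
        localhost)                echo "127.0.0.1" ;;
        127.0.0.1|213.233.169.93) echo "$1" ;;   # already an address
        *) return 1 ;;
    esac
}

# Constructed reverse (PTR) records: address -> canonical name.
lookup_ptr() {
    case "$1" in
        213.233.169.93) echo "star.example.com" ;;
        127.0.0.1)      echo "localhost.localdomain" ;;
        *) return 1 ;;
    esac
}

# The principal the client asks the KDC for: forward-resolve the -h value,
# reverse-resolve that address, then service/<canonical name>@REALM.
# (With MIT Kerberos the reverse step is governed by rdns in [libdefaults];
# this models the default, reverse lookup on.)
client_principal() {
    # $1 = service name, $2 = host given to -h, $3 = realm
    addr=$(lookup_a "$2") || { echo "no address for $2" >&2; return 1; }
    name=$(lookup_ptr "$addr") || { echo "no PTR for $addr" >&2; return 1; }
    printf '%s/%s@%s\n' "$1" "$name" "$3"
}

# Constructed keytab contents, in the shape of the principal column of `klist -k`.
KEYTAB_LISTING=$(printf '%s\n' \
    "postgres/star.example.com@EXAMPLE.COM" \
    "host/star.example.com@EXAMPLE.COM")

# Exact, case-sensitive whole-line match: POSTGRES/... is not postgres/...
keytab_has() {
    printf '%s\n' "$KEYTAB_LISTING" | grep -qxF "$1"
}

# One line per host: which principal is requested and whether the keytab has it.
check_host() {
    # $1 = host given to -h, $2 = service name (default postgres)
    svc=${2:-postgres}
    princ=$(client_principal "$svc" "$1" EXAMPLE.COM)
    if keytab_has "$princ"; then
        printf '%s -> %s OK\n' "$1" "$princ"
    else
        printf '%s -> %s MISSING from keytab\n' "$1" "$princ"
    fi
}

check_host star             # resolves to the canonical name: matches the keytab
check_host 127.0.0.1        # reverse-resolves to localhost.localdomain: no match
check_host star POSTGRES    # wrong case in the service name: no match
```

On a real host the three outputs to line up are the forward lookup of the -h value (getent hosts), the reverse lookup of that address (dig -x or host), and klist -k on the server keytab; when the requested principal is not in the keytab, the PostgreSQL server log, not the psql side, is where the server's own error about it appears.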

Fwd: configuration kerberos in Postgre sql

on 26.10.2009 08:54:14 by rahimeh khodadadi


---------- Forwarded message ----------
From: rahimeh khodadadi
Date: Sun, Oct 25, 2009 at 4:55 PM
Subject: Re: [ADMIN] configuration kerberos in Postgre sql
To: Geoff Tolley


I am new to kerberos. I need help.

Do we define (ank) a username for every user of postgresql in
kadmin.local, or do we just define one for the service of PG?

When I define a principal for every user and then want to connect to psql, I
get an error.

I will be happy if you reply.



On Sun, Oct 25, 2009 at 3:15 PM, rahimeh khodadadi <
rahimeh.khodadadi@gmail.com> wrote:

> Hi Geoff,
>
> Can you tell me what your PG version is?
> Because, if I define server-name in postgresql.conf, it gives an error.
>
> Thanks in advance
>
> On Sat, Oct 17, 2009 at 3:48 PM, rahimeh khodadadi <
> rahimeh.khodadadi@gmail.com> wrote:
>
>> Hi Geoff,
>>
>> Of course, the krb server is the same system that PG has been installed on.
>> When I compiled PG, there was not any option like
>> "krb_server_hostname" in the conf file.
>>
>> So, I do not know what to do.
>> And I created POSTGRES/<hostname>@EXAMPLE.COM too.
>>
>> On Sat, Oct 17, 2009 at 12:42 AM, Geoff Tolley wrote:
>>
>>> Hi Rahimeh,
>>>
>>> Is PG on the same box as the kadmind?
>>>
>>>
>>> rahimeh khodadadi wrote:
>>>
>>>> have never been worked with krb5 in postgresql?
>>>>
>>>> On 10/12/09, rahimeh khodadadi wrote:
>>>>
>>>>> nobody could help me?
>>>>>
>>>>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>>>>> rahimeh.khodadadi@gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> after compiling the postgresql --with-krb5 and setting up the
>>>>>> krb5-server
>>>>>> in centos, I configured the *postgresql.conf* as below:
>>>>>>
>>>>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>>>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>>>>> #krb_caseins_users = off
>>>>>>
>>>>>
>>> I like to specify my krb_server_hostname explicitly here.
>>>
>>>
>>> and
>>>>>>
>>>>>> my *pg_hba.conf* is :
>>>>>>
>>>>>> # "local" is for Unix domain socket connections only
>>>>>> local all postgres trust
>>>>>> # IPv4 local connections:
>>>>>> host all *frank* 0.0.0.0/0 krb5
>>>>>> #host all all 127.0.0.1/32 trust
>>>>>> # IPv6 local connections:
>>>>>> host all all ::1/128 trust
>>>>>>
>>>>>>
>>>>>> ,and kdc.conf
>>>>>>
>>>>>> kdcdefaults]
>>>>>> v4_mode = nopreauth
>>>>>> kdc_tcp_ports = 88
>>>>>>
>>>>>> [realms]
>>>>>> EXAMPLE.COM = {
>>>>>> #master_key_type = des3-hmac-sha1
>>>>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>>>> dict_file = /usr/share/dict/words
>>>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>>>
>>>>>
>>> If this is the same machine as PG, I'm not sure why you have the same
>>> file here as for the keytab to keep the PG service principal in. My manpage
>>> for kdc.conf says that admin_keytab specifies the keytab to be used by
>>> kadmin to authenticate to the database, so really shouldn't be kept very
>>> distinct from the keytab with the PG service principal.
>>>
>>>
>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>>>>> des-cbc-crc:v4
>>>>>> des-cbc-crc:afs3
>>>>>> }
>>>>>>
>>>>>> Then, I created the user frank as :
>>>>>>
>>>>>> kadmin.local
>>>>>> Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
>>>>>> kadmin.local: * ank frank*
>>>>>> WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no
>>>>>> policy
>>>>>> Enter password for principal "frank@EXAMPLE.COM":
>>>>>> Re-enter password for principal "frank@EXAMPLE.COM":
>>>>>>
>>>>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>>>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>>>>> mode
>>>>>> with HMAC/sha1 added to keytab
>>>>>> WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>>>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type DES with
>>>>>> HMAC/sha1
>>>>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type DES cbc mode
>>>>>> with
>>>>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>>
>>>>>
>>> But for PG you'll need a keytab with the service principal you've defined
>>> to be POSTGRES/<hostname>@EXAMPLE.COM in it.
>>>
>>>
>>> Finally, it gives error like:
>>>>>>
>>>>>> [root@localhost ~]# *kinit frank* -t
>>>>>> /var/kerberos/krb5kdc/kadm5.keytab
>>>>>> Password for frank@EXAMPLE.COM:
>>>>>> *kinit(v5): Password incorrect while getting initial credentials*
>>>>>>
>>>>>
>>> I've never had much joy myself when getting tickets from a -t keytab, I
>>> usually just kinit and enter a password instead.
>>>
>>>
>>> or
>>>>>>
>>>>>> in cmd when I run this instruction the below error is shown.
>>>>>>
>>>>>> [root@localhost bin]# ./psql -h 127.0.0.1 -U frank
>>>>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>>>>>
>>>>>
>>> To construct the service principal the library takes the the -h argument,
>>> then gets the A record for it (if applicable), then gets the PTR record for
>>> the A record to get the hostname for the service principal name (unless
>>> you're using Windows I have found, in which case it just stops and takes the
>>> originally given hostname if an A record exists). Just use a non-127
>>> address instead, it'll make things a lot easier to keep straight. For that
>>> matter, /etc/hostname and /etc/resolv.conf would be good to see too because
>>> of their importance here.
>>>
>>> HTH,
>>> Geoff
>>>
>>>
>>> ---------
>>> Geoff Tolley
>>> DBA/Systems Administrator
>>>
>>> YouGovPolimetrix
>>> 285 Hamilton Avenue Suite 200
>>> Palo Alto, CA 94301
>>> geoff.tolley@yougov.com
>>> http://www.yougov.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Miss.KHodadadi
>>
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>



--
With Best Regards
Miss.KHodadadi



--
With Best Regards
Miss.KHodadadi


Re: configuration kerberos in Postgre sql

on 09.11.2009 07:16:40 by rahimeh khodadadi


Hi,

I am trying to set up Kerberos authentication in PostgreSQL 8.1.18 on CentOS.

But I have some problems.

I set up postgresql.conf as below:

krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off


(star is the localhost IP, but in hosts.conf I configured it like: 213.233.169.93 star)

Then hba.conf

host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5

When I want to connect to postgresql, it gives an error.

# kinit frank

[root@star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)

and both the postgresql server and the krb-server are on the same system. Where is it wrong?
Please help me.


On Sat, Oct 17, 2009 at 12:42 AM, Geoff Tolley wrote:

> Hi Rahimeh,
>
> Is PG on the same box as the kadmind?
>
>
> rahimeh khodadadi wrote:
>
>> Has nobody ever worked with krb5 in postgresql?
>>
>> On 10/12/09, rahimeh khodadadi wrote:
>>
>>> nobody could help me?
>>>
>>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>>> rahimeh.khodadadi@gmail.com> wrote:
>>>
>>> Hi,
>>>>
>>>> after compiling the postgresql --with-krb5 and setting up the
>>>> krb5-server
>>>> in centos, I configured the *postgresql.conf* as below:
>>>>
>>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>>> #krb_caseins_users = off
>>>>
>>>
> I like to specify my krb_server_hostname explicitly here.
>
>
> and
>>>>
>>>> my *pg_hba.conf* is :
>>>>
>>>> # "local" is for Unix domain socket connections only
>>>> local all postgres trust
>>>> # IPv4 local connections:
>>>> host all *frank* 0.0.0.0/0 krb5
>>>> #host all all 127.0.0.1/32 trust
>>>> # IPv6 local connections:
>>>> host all all ::1/128 trust
>>>>
>>>>
>>>> ,and kdc.conf
>>>>
>>>> [kdcdefaults]
>>>> v4_mode = nopreauth
>>>> kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> #master_key_type = des3-hmac-sha1
>>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>> dict_file = /usr/share/dict/words
>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>
>>>
> If this is the same machine as PG, I'm not sure why you have the same file
> here as for the keytab to keep the PG service principal in. My manpage for
> kdc.conf says that admin_keytab specifies the keytab to be used by kadmin to
> authenticate to the database, so really shouldn't be kept very distinct from
> the keytab with the PG service principal.
>
>
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>>> des-cbc-crc:v4
>>>> des-cbc-crc:afs3
>>>> }
>>>>
>>>> Then, I created the user frank as :
>>>>
>>>> kadmin.local
>>>> Authenticating as principal rahimeh/admin@EXAMPLE.COM with password.
>>>> kadmin.local: * ank frank*
>>>> WARNING: no policy specified for frank@EXAMPLE.COM; defaulting to no
>>>> policy
>>>> Enter password for principal "frank@EXAMPLE.COM":
>>>> Re-enter password for principal "frank@EXAMPLE.COM":
>>>>
>>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>>> mode
>>>> with HMAC/sha1 added to keytab
>>>> WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES with
>>>> HMAC/sha1
>>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>
>>>
> But for PG you'll need a keytab with the service principal you've defined
> to be POSTGRES/<hostname>@EXAMPLE.COM in it.
>
>
> Finally, it gives error like:
>>>>
>>>> [root@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>>> Password for frank@EXAMPLE.COM:
>>>> *kinit(v5): Password incorrect while getting initial credentials*
>>>>
>>>
> I've never had much joy myself when getting tickets from a -t keytab, I
> usually just kinit and enter a password instead.
>
>
> or
>>>>
>>>> in cmd when I run this instruction the below error is shown.
>>>>
>>>> [root@localhost bin]# ./psql -h 127.0.0.1 -U frank
>>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>>>
>>>
> To construct the service principal the library takes the -h argument,
> then gets the A record for it (if applicable), then gets the PTR record for
> the A record to get the hostname for the service principal name (unless
> you're using Windows I have found, in which case it just stops and takes the
> originally given hostname if an A record exists). Just use a non-127
> address instead, it'll make things a lot easier to keep straight. For that
> matter, /etc/hostname and /etc/resolv.conf would be good to see too because
> of their importance here.
>
> HTH,
> Geoff
>
>
> ---------
> Geoff Tolley
> DBA/Systems Administrator
>
> YouGovPolimetrix
> 285 Hamilton Avenue Suite 200
> Palo Alto, CA 94301
> geoff.tolley@yougov.com
> http://www.yougov.com/
>
>
>
>


--
With Best Regards
Miss.KHodadadi
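Geoff's point that the PG keytab must hold the service principal (POSTGRES/<hostname>@EXAMPLE.COM), while the kadm5.keytab used in the thread holds frank's user key instead, can be checked mechanically before restarting the server. The following is an added example, not code from the thread or from PostgreSQL: it serializes and parses the MIT keytab v2 (0x0502) layout with struct and runs on keytabs constructed in memory, so it works offline; enctype 16 (des3-cbc-sha1), the kvnos and the key bytes are made-up sample values, and a real check would pass the bytes of the file named in krb_server_keyfile.

```python
import struct
def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data          # uint16 length + bytes

def keytab_entry(realm: str, components: list, kvno: int, enctype: int, key: bytes) -> bytes:
    """One v2 entry: ncomp, realm, components, name_type(1), timestamp, vno8, keyblock."""
    body = struct.pack(">H", len(components)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in components)
    body += struct.pack(">IIB", 1, 0, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    return struct.pack(">i", len(body)) + body

def build_keytab(entries: list) -> bytes:
    return b"\x05\x02" + b"".join(entries)              # format 0x0502 header

def keytab_principals(blob: bytes) -> list:
    """Parse a v2 keytab and return (principal, kvno) for every live entry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    out, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size <= 0:                     # negative size marks a deleted slot; never stall
            pos += max(-size, 1)
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):        # realm first, then each name component
            (n,) = struct.unpack_from(">H", blob, pos)
            strings.append(blob[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        vno8 = blob[pos + 8]              # after uint32 name_type and uint32 timestamp
        out.append(("/".join(strings[1:]) + "@" + strings[0], vno8))
        pos = end                         # skip the keyblock (and optional 32-bit vno)
    return out

def check_service_keytab(blob: bytes, service: str, host: str, realm: str) -> dict:
    """Does the keytab hold service/host@REALM, and which other keys does it carry?"""
    wanted = f"{service}/{host}@{realm}"
    names = [p for p, _ in keytab_principals(blob)]
    return {"has_service_key": wanted in names,
            "extra_principals": sorted(set(names) - {wanted})}

# Constructed keytabs: one like the thread's kadm5.keytab (frank's user key, no
# service key) and one holding only postgres/star@EXAMPLE.COM. Keys are dummies.
KADM5_LIKE = build_keytab([keytab_entry("EXAMPLE.COM", ["frank"], 2, 16, b"k" * 24)])
SERVICE_ONLY = build_keytab([keytab_entry("EXAMPLE.COM", ["postgres", "star"], 3, 16, b"s" * 24)])
```

Any principal reported under extra_principals is a long-term key the database server has no business holding; a user's or kadmin's key sitting next to the service key is exactly the mix-up Geoff describes.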
