configuration kerberos in Postgre sql

configuration kerberos in Postgre sql

rahimeh khodadadi
Hi,

After compiling PostgreSQL --with-krb5 and setting up the krb5-server on CentOS, I configured postgresql.conf as below:

krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'
krb_srvname = 'POSTGRES'        # (Kerberos only)
#krb_caseins_users = off
 
and

my pg_hba.conf is :

# "local" is for Unix domain socket connections only
local   all         postgres                         trust
# IPv4 local connections:
host   all         frank       0.0.0.0/0            krb5
#host    all         all         127.0.0.1/32      trust
# IPv6 local connections:
host    all         all         ::1/128               trust


and kdc.conf:

[kdcdefaults]
 v4_mode = nopreauth
 kdc_tcp_ports = 88

[realms]
 EXAMPLE.COM = {
  #master_key_type = des3-hmac-sha1
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4 des-cbc-crc:afs3
 }
 
Then I created the user frank as:

 kadmin.local
Authenticating as principal rahimeh/[hidden email] with password.
kadmin.local:  ank frank
WARNING: no policy specified for [hidden email]; defaulting to no policy
Enter password for principal "[hidden email]":
Re-enter password for principal "[hidden email]":

kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank
Entry for principal frank with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

Finally, it gives an error like:

[root@localhost ~]# kinit frank -t /var/kerberos/krb5kdc/kadm5.keytab
Password for [hidden email]:
kinit(v5): Password incorrect while getting initial credentials

or

In cmd, when I run this instruction, the error below is shown.

[root@localhost bin]# ./psql -h 127.0.0.1  -U frank
psql: krb5_sendauth: Bad application version was sent (via sendauth)


Please help me.



--
With Best Regards
Miss.KHodadadi

Re: configuration kerberos in Postgre sql

rahimeh khodadadi
nobody could help me?

--
With Best Regards
Miss.KHodadadi

Re: configuration kerberos in Postgre sql

rahimeh khodadadi
Has nobody ever worked with krb5 in PostgreSQL?

--
With Best Regards
Miss.KHodadadi

--
Sent via pgsql-admin mailing list ([hidden email])
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin

Re: configuration kerberos in Postgre sql

Geoff Tolley-2
Hi Rahimeh,

Is PG on the same box as the kadmind?

rahimeh khodadadi wrote:

> have never been worked  with krb5 in postgresql?
>
> On 10/12/09, rahimeh khodadadi <[hidden email]> wrote:
>> nobody could help me?
>>
>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>> [hidden email]> wrote:
>>
>>> Hi,
>>>
>>> after compling the postgresql --with-krb5  and setting up the krb5-server
>>> in centos, I configured the *postgresql.conf* as bellow:
>>>
>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>> *krb_srvname = 'POSTGRES' *       # (Kerberos only)
>>> #krb_caseins_users = off

I like to specify my krb_server_hostname explicitly here.

>>> and
>>>
>>> my *pg_hba.conf* is :
>>>
>>> # "local" is for Unix domain socket connections only
>>> local   all         postgres                         trust
>>> # IPv4 local connections:
>>> host   all         *frank*       0.0.0.0/0            krb5
>>> #host    all         all         127.0.0.1/32      trust
>>> # IPv6 local connections:
>>> host    all         all         ::1/128               trust
>>>
>>>
>>> ,and kdc.conf
>>>
>>> kdcdefaults]
>>>  v4_mode = nopreauth
>>>  kdc_tcp_ports = 88
>>>
>>> [realms]
>>>  EXAMPLE.COM = {
>>>   #master_key_type = des3-hmac-sha1
>>>  * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>   dict_file = /usr/share/dict/words
>>>   admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

If this is the same machine as PG, I'm not sure why you have the same file here as
for the keytab to keep the PG service principal in.  My manpage for kdc.conf says
that admin_keytab specifies the keytab to be used by kadmin to authenticate to the
database, so really shouldn't be kept very distinct from the keytab with the PG
service principal.

>>>   supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>>> des-cbc-crc:afs3
>>>  }
>>>
>>> Then, I created the user frank  as :
>>>
>>>  kadmin.local
>>> Authenticating as principal rahimeh/[hidden email] with password.
>>> kadmin.local: * ank frank*
>>> WARNING: no policy specified for [hidden email]; defaulting to no
>>> policy
>>> Enter password for principal "[hidden email]":
>>> Re-enter password for principal "[hidden email]":
>>>
>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>> mode
>>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

But for PG you'll need a keytab with the service principal you've defined to be
POSTGRES/<hostname>@EXAMPLE.COM in it.

>>> Finally, it gives error like:
>>>
>>> [root@localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>> Password for [hidden email]:
>>> *kinit(v5): Password incorrect while getting initial credentials*

I've never had much joy myself when getting tickets from a -t keytab, I usually just
kinit and enter a password instead.

>>> or
>>>
>>> in cmd when I run this instruction the below error is shown.
>>>
>>> [root@localhost bin]# ./psql -h 127.0.0.1  -U frank
>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*

To construct the service principal the library takes the -h argument, then gets
the A record for it (if applicable), then gets the PTR record for the A record to get
the hostname for the service principal name (unless you're using Windows I have
found, in which case it just stops and takes the originally given hostname if an A
record exists).  Just use a non-127 address instead, it'll make things a lot easier
to keep straight.  For that matter, /etc/hostname and /etc/resolv.conf would be good
to see too because of their importance here.

HTH,
Geoff

 
---------
Geoff Tolley
DBA/Systems Administrator
 
YouGovPolimetrix
285 Hamilton Avenue Suite 200
Palo Alto, CA 94301
[hidden email]
http://www.yougov.com/
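
The keytab points in the reply above (the server keytab must hold POSTGRES/<hostname>@EXAMPLE.COM, and it should not be the kadmin keytab) can be checked from `klist -k` output. The script below is an added example, not part of the original thread; the listings are constructed, and the function names, finding labels and the use of the hostname `star` from the later message are assumptions for illustration.

```shell
#!/bin/sh
# Added example: audit `klist -k` output against the service principal
# the PostgreSQL server needs. All sample listings are constructed.

# <krb_srvname>/<hostname>@<REALM>; principals are case-sensitive.
expected_spn() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Unique principals from a `klist -k` listing on stdin. Data lines start
# with a numeric KVNO; the three header lines do not.
keytab_principals() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $2 }' | sort -u
}

# Forward then reverse lookup through the system resolver, approximating
# the A -> PTR walk described in the reply. Not called by the samples.
canonical_host() {
    addr=$(getent hosts "$1" | awk 'NR == 1 { print $1 }')
    [ -n "$addr" ] || return 1
    getent hosts "$addr" | awk 'NR == 1 { print $2 }'
}

# Usage: klist -k FILE | audit_keytab SRVNAME HOSTNAME REALM
# Prints one finding per line; returns 0 only if the SPN is present.
audit_keytab() {
    spn=$(expected_spn "$1" "$2" "$3")
    found=no
    for p in $(keytab_principals); do
        case "$p" in
            "$spn")   found=yes ;;
            kadmin/*) echo "ADMIN_KEY_IN_SERVICE_KEYTAB $p" ;;
            */*)      echo "OTHER_SERVICE $p" ;;
            *)        echo "USER_KEY_IN_SERVICE_KEYTAB $p" ;;
        esac
    done
    if [ "$found" = yes ]; then
        echo "SPN_PRESENT $spn"
    else
        echo "SPN_MISSING $spn"
        return 1
    fi
}

# Constructed listing: a kadmin keytab that also received frank's keys.
sample_kadm5_listing() { cat <<'EOF'
Keytab name: FILE:/var/kerberos/krb5kdc/kadm5.keytab
KVNO Principal
---- ----------------------------------------------------------------
   3 kadmin/admin@EXAMPLE.COM
   3 kadmin/changepw@EXAMPLE.COM
   2 frank@EXAMPLE.COM
   2 frank@EXAMPLE.COM
EOF
}

# Constructed listing: a dedicated keytab holding only the service key.
sample_service_listing() { cat <<'EOF'
Keytab name: FILE:/usr/local/pgsql/data/postgresql.keytab
KVNO Principal
---- ----------------------------------------------------------------
   1 POSTGRES/star@EXAMPLE.COM
EOF
}

echo "-- keytab as in the first message (constructed listing):"
sample_kadm5_listing | audit_keytab POSTGRES star EXAMPLE.COM || true
echo "-- dedicated service keytab (constructed listing):"
sample_service_listing | audit_keytab POSTGRES star EXAMPLE.COM || true
```

Against a real server, pipe `klist -k` for the file named in krb_server_keyfile into `audit_keytab`, with the hostname that `canonical_host` returns for the name passed to `psql -h`.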
 
 



Fwd: configuration kerberos in Postgre sql

rahimeh khodadadi


---------- Forwarded message ----------
From: rahimeh khodadadi <[hidden email]>
Date: Sun, Oct 25, 2009 at 4:55 PM
Subject: Re: [ADMIN] configuration kerberos in Postgre sql
To: Geoff Tolley <[hidden email]>


I am new to Kerberos. I need help.

Do we define ank username for every user of PostgreSQL in kadmin.local, or do we just define one for the PG service?

When I define a principal for every user and then want to connect with psql, I am faced with an error.

I will be happy if you reply.



On Sun, Oct 25, 2009 at 3:15 PM, rahimeh khodadadi <[hidden email]> wrote:
Hi Geoff,

Can you tell me what is your PG version?
Because if I define server-name in postgresql.conf, it gives an error.

Thanks in advance 

On Sat, Oct 17, 2009 at 3:48 PM, rahimeh khodadadi <[hidden email]> wrote:
Hi Geoff,

Of course, the krb server is the same system that PG has been installed on.
When I compiled PG, there was no option like "krb_server_hostname" in the conf file.

So I do not know what to do.
And I create the POSTGRES/<hostname>@EXAMPLE.COM too.

--
With Best Regards
Miss.KHodadadi

Re: configuration kerberos in Postgre sql

rahimeh khodadadi
In reply to this post by Geoff Tolley-2
Hi,

I am trying to set up Kerberos authentication in PostgreSQL 8.1.18 on CentOS.

But I have some problems.

I setup postgresql.conf as below:

krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/[hidden email]'
krb_server_hostname = 'star'         # empty string matches any keytab entry
krb_caseins_users = off


(star is localhost IP, but in hosts.conf I configure like: 213.233.169.93   star)

Then hba.conf

host    all         all         0.0.0.0/0              krb5
host    all         all         127.0.0.1/32           krb5

When I want to connect to PostgreSQL, it gives an error.

# kinit frank

[root@star bin]# ./psql -h star  -U frank  -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)

Both the PostgreSQL server and the krb-server are on the same system. What is wrong?
Please help me.


--
With Best Regards
Miss.KHodadadi