By Harikrishna Doredla
Enable Kerberos authentication in Active Directory.
- The domain controller is enabled for Kerberos delegation by default.
- Start -> Active Directory Users and Computers -> select your domain -> Domain Controllers -> right-click the domain controller entry (Default-First-Site-Name in the author's setup) and click Properties; when the snap-in opens, select the Delegation tab (see the figure below).
- Make sure the option "Trust this computer for delegation to any service (Kerberos only)" is enabled. This is the default for domain controllers; plain GSSAPI authentication from psql to PostgreSQL does not itself rely on delegation, so there is no need to enable this (unconstrained) delegation on any other machine for this setup.
Create the service principal in Active Directory (KDC) for the service running on Linux.
- A service principal cannot be created directly in Active Directory, so map the service principal to a user account.
- Create a service instance account in Active Directory.
- Create a gss organizational unit, then create the user bsoft6 in it. The author used the password bsoft6; for a real deployment use a long random password, because the RC4-HMAC key that ktpass writes to the keytab below is derived directly (unsalted) from it. The resulting DN:
CN=bsoft6,OU=gss,DC=bimarian,DC=com
- While creating users through the Active Directory Users and Computers tool, make sure the option "User must change password at next logon" is unchecked; it is checked by default (see the figure below). An account with this flag set cannot obtain tickets (see Troubleshooting).
Create the service principal keytab file to use on the (PostgreSQL) server.
- Use the ktpass command to map the service principal to the bsoft6 user account and create a keytab file for the service principal.
- ktpass command help: http://technet.microsoft.com/en-us/library/cc753771.aspx
- Command run on the domain controller (ktpass accepts its switches with either - or /). The service class in the SPN, bimarian here, is a free choice, but it must match krb_srvname on the server and the service name the client requests (PGKRBSRVNAME, which defaults to postgres):
C:\Users\Administrator\Desktop\kerberos>ktpass -princ bimarian/bsoft6-dev.bimarian.com@BIMARIAN.COM -mapuser bsoft6 -pass bsoft6 -out krb5.keytab
Targeting domain controller: bim-ad.bimarian.com
Using legacy password setting method
Successfully mapped bimarian/bsoft6-dev.bimarian.com to bsoft6.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to krb5.keytab:
Keytab version: 0x502
keysize 80 bimarian/bsoft6-dev.bimarian.com@BIMARIAN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x7cd63349dc70b4a20879180652095d5b)
C:\Users\Administrator\Desktop\kerberos>
- Notes on this output: the pType warning appears because no -ptype was specified (the entry shows ptype 0, KRB5_NT_UNKNOWN); add -ptype KRB5_NT_PRINCIPAL. The key written is RC4-HMAC (etype 0x17); to get an AES key instead, add -crypto AES256-SHA1 and tick "This account supports Kerberos AES 256 bit encryption" on the account's Account tab. Every run with -pass resets the account password and increments the key version (vno), so the keytab must be regenerated and copied again after any password change. The console also echoes the key itself (keylength 16 (...)), so treat this output like the keytab: it is the service's long-term secret.
- The generated keytab file is located at C:\Users\Administrator\Desktop\kerberos\krb5.keytab on bim-ad.bimarian.com.
Configure the (PostgreSQL) server to use the Windows domain controller as KDC.
- PostgreSQL server: bsoft6-dev.bimarian.com
- Copy the keytab from bim-ad.bimarian.com to the /etc folder of bsoft6-dev.bimarian.com (over an encrypted channel such as scp; the file holds the service key).
- Configure /etc/krb5.conf to point to the Windows domain controller as KDC (see the attached conf file for reference).
- Add the lines below to /var/lib/pgsql/9.3/data/postgresql.conf (string values that are not simple identifiers must be single-quoted):
krb_server_keyfile = '/etc/krb5.keytab'
krb_srvname = 'bimarian'
- Execute the commands below in a terminal. Mode 640 rather than only g+r makes sure the keytab is not readable by every local user:
sudo chown root:postgres /etc/krb5.keytab
sudo chmod 640 /etc/krb5.keytab
service postgresql-9.3 restart
- The PostgreSQL server came up without any error.
Create the client (DB) principals in Active Directory (KDC), get tickets from the Kerberos (Windows) server and connect to the PostgreSQL server.
- Client: psql on bsoft6-dev.bimarian.com
- Active Directory server: bim-ad.bimarian.com
- Added the entry below to /etc/hosts:
192.168.19.55 bim-ad.bimarian.com
- Created the psqltesting user in PostgreSQL:
psql dev
create user psqltesting;
- Add the line below to /var/lib/pgsql/9.3/data/pg_hba.conf and execute "pg_ctl reload":
host all psqltesting 192.168.19.74/32 gss krb_realm=BIMARIAN.COM
- With the PostgreSQL 9.3 default include_realm=0, the realm is stripped before the principal is compared with the requested user, so psqltesting@BIMARIAN.COM matches the role psqltesting. krb_realm=BIMARIAN.COM is what stops a psqltesting principal from some other trusted realm being accepted for the same role; keep it.
- Verify that GSS authentication is enforced for user psqltesting. With no ticket in the credentials cache yet, the attempt is expected to fail like this:
[bimarian@bsoft6-dev etc]$ psql -d dev -h 192.168.19.74 -U psqltesting
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Credentials cache file '/tmp/krb5cc_500' not found
[bimarian@bsoft6-dev etc]$
- While creating users through the Active Directory Users and Computers tool, make sure the option "User must change password at next logon" is unchecked; it is checked by default.
- Created the psqltesting user under the gss organizational unit with password testing:
CN=psqltesting,OU=gss,DC=bimarian,DC=com
- After creation, the psqltesting user in Active Directory is referred to as the client principal psqltesting@BIMARIAN.COM.
- After obtaining a ticket for it (kinit psqltesting), the psql client on Linux connected successfully to the PostgreSQL server using Kerberos authentication with Windows Active Directory as KDC.
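The realm handling of that pg_hba line, written out as an added example in Python (not PostgreSQL's own code): it reproduces the 9.3 behaviour described above, stripping the realm when include_realm is 0, rejecting the principal when krb_realm is set and does not match, and comparing the result with the user psql asked for. The function names are this example's own; the principals are the ones used in this post.

```python
"""Model of how PostgreSQL 9.3 maps a Kerberos client principal to a role
for a pg_hba.conf line such as
    host all psqltesting 192.168.19.74/32 gss krb_realm=BIMARIAN.COM
Added example, not PostgreSQL's own code."""


def gss_mapped_name(client_principal, krb_realm=None, include_realm=False):
    """Return the name PostgreSQL compares with the requested user, or None
    when the pg_hba options reject the principal outright.

    krb_realm:     if set, the principal's realm must equal it exactly.
    include_realm: 0 (the 9.3 default) strips '@REALM' first; 1 keeps the
                   whole principal, so the database role would have to be
                   named 'psqltesting@BIMARIAN.COM'."""
    if "@" in client_principal:
        name, realm = client_principal.rsplit("@", 1)
        if krb_realm and realm != krb_realm:
            return None                  # realm mismatch: authentication fails
        return client_principal if include_realm else name
    # Principal without a realm: only acceptable when no krb_realm is required.
    return None if krb_realm else client_principal


def gss_login_ok(requested_user, client_principal, krb_realm=None, include_realm=False):
    """True when the mapped name equals the user given with psql -U."""
    return gss_mapped_name(client_principal, krb_realm, include_realm) == requested_user


if __name__ == "__main__":
    # The foreign-realm principal is accepted without krb_realm and rejected with it.
    for principal in ("psqltesting@BIMARIAN.COM", "psqltesting@OTHER.EXAMPLE"):
        print(principal, "no krb_realm:", gss_login_ok("psqltesting", principal),
              "krb_realm=BIMARIAN.COM:", gss_login_ok("psqltesting", principal, krb_realm="BIMARIAN.COM"))
```

The second loop iteration is the case the krb_realm option exists for: without it, any realm the KDC trusts can present a psqltesting principal and land in the psqltesting role.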
Troubleshooting:
- Created the sysadmin user in Active Directory and tried to get a Kerberos ticket for sysadmin from the Linux terminal. If you face the issue below, follow the steps that follow to solve it.
kinit sysadmin
Password for sysadmin@BIMARIAN.COM:
kinit: Generic preauthentication failure while getting initial credentials
[bimarian@bsoft6-dev ~]$
Resolution steps:
- Connect to your Windows Active Directory server.
- Open the user account in Active Directory Users and Computers, right-click the user and click Properties; when the snap-in opens, select the Account tab.
- In the Account options list, if the "User must change password at next logon" check box is marked, clear it and try to get a ticket again (see the figure below).
- Created the bsoft6 user account in Active Directory for the PostgreSQL server and mapped the server's service principal to this account, configured the PostgreSQL server to work with Windows Active Directory as KDC, then tried to connect with the psql client. If you face the issue below, follow the steps that follow to solve it.
psql -d dev -h 192.168.19.74 -U sysadmin
psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database
- This error comes from the KDC: the client asked for a service principal that does not exist. libpq requests <service>/<host>@<realm>, where <service> is the PGKRBSRVNAME environment variable (or the krbsrvname connection parameter) and defaults to postgres. Because the SPN registered above is bimarian/bsoft6-dev.bimarian.com, a client left at the default asks for postgres/bsoft6-dev.bimarian.com@BIMARIAN.COM, which was never mapped. Verify the variable:
Linux: echo $PGKRBSRVNAME
Windows: echo %PGKRBSRVNAME%
and set it to the same value as krb_srvname on the server (export PGKRBSRVNAME=bimarian, or krbsrvname=bimarian in the connection string).
- The <host> part is the canonical name of the host you connect to. When connecting by IP address as above, a default MIT Kerberos client (rdns = true) reverse-resolves 192.168.19.74; if that does not yield bsoft6-dev.bimarian.com, the requested SPN will not match the keytab either, so connect by host name or fix DNS.
- Verify that the user account created for the PostgreSQL server's service principal mapping is not disabled.
- If you get the error 'GSS duplicate request' while the client connects to PostgreSQL using Kerberos/GSS authentication, check whether a database user with the client principal's name exists; if not, create the user and connect again.
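As an added example (not the author's code and not part of any PostgreSQL or Kerberos tool), the Python below parses a keytab in the 0x0502 format that ktpass writes and checks it against the principal libpq will request. It ties the keytab step above to the "Server not found in Kerberos database" item: it reports when the expected principal is absent from the keytab, when the only key for it is rc4-hmac, and when the entry's name type is KRB5_NT_UNKNOWN (the ktpass pType warning). All function names are this example's own, the reverse-DNS canonicalisation of the host is not modelled, and the keytab bytes are constructed inside the script (the post's SPN, kvno 3, etype 23, a made-up 16-byte key rather than the real one); run it with a path to inspect a real /etc/krb5.keytab, as a user that can read it.

```python
"""Inspect an MIT/ktpass keytab (version 0x0502) and check that it holds the
service principal a libpq client will ask the KDC for.  Added example; the
sample keytab below is constructed here, it is not the post's krb5.keytab."""
import os
import struct
import sys

ETYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
NAME_TYPES = {0: "KRB5_NT_UNKNOWN", 1: "KRB5_NT_PRINCIPAL", 2: "KRB5_NT_SRV_INST",
              3: "KRB5_NT_SRV_HST"}


def build_keytab(entries):
    """Serialize [(components, realm, name_type, kvno, etype, key), ...] to
    keytab 0x0502 bytes; used here only to construct sample input."""
    out = bytearray(b"\x05\x02")
    for comps, realm, name_type, kvno, etype, key in entries:
        body = bytearray(struct.pack(">H", len(comps)))   # v2: realm is not counted
        for s in (realm, *comps):                          # realm first, then components
            enc = s.encode()
            body += struct.pack(">H", len(enc)) + enc
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name type, timestamp, vno8
        body += struct.pack(">HH", etype, len(key)) + key       # key block
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return a list of {principal, name_type, kvno, etype, key} dicts."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        off += 4
        if size <= 0:                 # negative size marks a deleted slot
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        strings = []
        for _ in range(ncomp + 1):    # realm, then ncomp components
            (n,) = struct.unpack_from(">H", data, off)
            off += 2
            strings.append(bytes(data[off:off + n]).decode())
            off += n
        realm, comps = strings[0], strings[1:]
        name_type, _stamp, vno8, etype, klen = struct.unpack_from(">IIBHH", data, off)
        off += 13
        key = bytes(data[off:off + klen])
        off += klen
        kvno = vno8
        if end - off >= 4:            # optional 32-bit kvno overrides the 8-bit one
            (kvno32,) = struct.unpack_from(">I", data, off)
            kvno = kvno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm, "name_type": name_type,
                        "kvno": kvno, "etype": etype, "key": key})
    return entries


def libpq_server_principal(host, realm, krbsrvname="postgres"):
    """Service principal libpq requests: <krbsrvname>/<host>@<realm>, with
    krbsrvname from PGKRBSRVNAME / the krbsrvname parameter (default postgres)."""
    return f"{krbsrvname}/{host}@{realm}"


def check_keytab(data, expected):
    """Findings (empty list = fine) for the keytab against the expected SPN."""
    findings = []
    entries = parse_keytab(data)
    matches = [e for e in entries if e["principal"] == expected]
    if not matches:
        have = ", ".join(e["principal"] for e in entries) or "(no entries)"
        findings.append(f"no key for {expected}; keytab holds: {have}")
    for e in matches:
        if e["etype"] == 23:
            findings.append(f"{expected} kvno {e['kvno']} uses rc4-hmac; "
                            "re-run ktpass with -crypto AES256-SHA1")
        if e["name_type"] != 1:
            findings.append(f"{expected} has name type {NAME_TYPES.get(e['name_type'], e['name_type'])}; "
                            "use ktpass -ptype KRB5_NT_PRINCIPAL")
    return findings


# Constructed sample: the post's SPN with a made-up 16-byte RC4 key.
SAMPLE_KEYTAB = build_keytab([
    (["bimarian", "bsoft6-dev.bimarian.com"], "BIMARIAN.COM", 0, 3, 23, bytes(range(16))),
])

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    for e in parse_keytab(data):
        print(f"{e['principal']} kvno={e['kvno']} etype={ETYPES.get(e['etype'], e['etype'])}")
    expected = libpq_server_principal("bsoft6-dev.bimarian.com", "BIMARIAN.COM",
                                      os.environ.get("PGKRBSRVNAME", "postgres"))
    print("\n".join(check_keytab(data, expected)) or f"OK: {expected} present with an AES key")
```

Run without PGKRBSRVNAME set and the check reports that postgres/bsoft6-dev.bimarian.com@BIMARIAN.COM is missing, which is exactly the mismatch behind the KDC's "Server not found in Kerberos database"; with PGKRBSRVNAME=bimarian it finds the entry and instead flags the rc4-hmac key and the KRB5_NT_UNKNOWN name type from the ktpass run above. The entry size it computes for the sample (80 bytes) is the "keysize 80" ktpass printed.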