Kerberos authentication with Windows Active Directory

By Harikrishna Doredla

Enable Kerberos authentication in Active Directory.

  • The domain controller is enabled for Kerberos service delegation by default.
  • Start -> Active Directory Users and Computers -> select your domain -> Domain Controllers -> right-click your default-first-site-name entry and click Properties; in the snap-in, select the Delegation tab (see the figure below).
  • Make sure the “Trust this computer for delegation to any service (Kerberos only)” option is enabled.

KerberosActiveWindow-fig1

Create the service principal in Active Directory (KDC) for the service running on Linux.

  • A service principal cannot be created directly in Active Directory, so the service principal is mapped to a user account instead.
  • Create a service instance account in Active Directory.
  • Create a gss Organizational Unit, then create the bsoft6 user in this Organizational Unit with the password bsoft6:
                CN=bsoft6, OU=gss, DC=bimarian, DC=com
  • While creating users through the Active Directory Users and Computers tool, make sure the option “User must change password at next log in” is unchecked; it is checked by default (see the figure below).

KerberosActiveWindow-fig2

 

Create the service principal keytab file to use on the (PostgreSQL) server.

  • Use the ktpass command to map the service principal to the bsoft6 user account and create a keytab file for the service principal.
  • ktpass command help:
    http://technet.microsoft.com/en-us/library/cc753771.aspx
  • Command and output on the domain controller:
    C:\Users\Administrator\Desktop\kerberos>ktpass -princ bimarian/bsoft6-dev.bimarian.com@BIMARIAN.COM -mapuser bsoft6 -pass bsoft6 -out krb5.keytab
    Targeting domain controller: bim-ad.bimarian.com
    Using legacy password setting method
    Successfully mapped bimarian/bsoft6-dev.bimarian.com to bsoft6.
    WARNING: pType and account type do not match. This might cause problems.
    Key created.
    Output keytab to krb5.keytab:
    Keytab version: 0x502
    keysize 80 bimarian/bsoft6-dev.bimarian.com@BIMARIAN.COM ptype 0 (KRB5_NT_UNKNOWN) vno 3 etype 0x17 (RC4-HMAC) keylength 16 (0x7cd63349dc70b4a20879180652095d5b)
    C:\Users\Administrator\Desktop\kerberos>
  • The generated keytab file is located at C:\Users\Administrator\Desktop\kerberos\krb5.keytab on bim-ad.bimarian.com. Note that the key is written with the RC4-HMAC encryption type (etype 0x17); the ktpass -crypto switch selects an AES type where the Linux side supports it. The keytab contains the service's long-term key, so treat the file as a secret when copying it.

Configure the (PostgreSQL) server to use the Windows domain controller as KDC.

  • PostgreSQL server: bsoft6-dev.bimarian.com
  • Copy the keytab from bim-ad.bimarian.com to the /etc folder on bsoft6-dev.bimarian.com.
  • Configure /etc/krb5.conf to point to the Windows domain controller as KDC (see the attached conf file for reference).
  • Add the lines below to /var/lib/pgsql/9.3/data/postgresql.conf:
    krb_server_keyfile = /etc/krb5.keytab
    krb_srvname = bimarian
  • Execute the commands below in a terminal (the keytab stays owned by root and is made readable by the postgres group so the server can read it; check that it is not readable by others):
    sudo chown root:postgres /etc/krb5.keytab
    sudo chmod g+r /etc/krb5.keytab
    service postgresql-9.3 restart
  • The PostgreSQL server starts successfully without any error.

Create the client (DB) principals in Active Directory (KDC), obtain tickets from the Windows Kerberos server and connect to the PostgreSQL server.

  • Client: psql on bsoft6-dev.bimarian.com
  • Active Directory server: bim-ad.bimarian.com
  • Add the entry below to /etc/hosts:
    192.168.19.55   bim-ad.bimarian.com
  • Create the psqltesting user in PostgreSQL:
    psql dev
    create user psqltesting;
  • Add the line below to the /var/lib/pgsql/9.3/data/pg_hba.conf file and execute “pg_ctl reload”:
    host    all     psqltesting     192.168.19.74/32        gss krb_realm=BIMARIAN.COM
  • Verify that GSS authentication is enforced for user psqltesting; without a Kerberos ticket the connection is refused:
    [bimarian@bsoft6-dev etc]$ psql -d dev -h 192.168.19.74 -U psqltesting
    psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
    GSSAPI continuation error: Credentials cache file '/tmp/krb5cc_500' not found
    [bimarian@bsoft6-dev etc]$
  • While creating users through the Active Directory Users and Computers tool, make sure the option “User must change password at next log in” is unchecked; it is checked by default.
  • Create the psqltesting user under the gss Organizational Unit with the password testing:
          CN=psqltesting, OU=gss, DC=bimarian, DC=com
  • After creation, the psqltesting user in Active Directory is referred to as the client principal psqltesting@BIMARIAN.COM.
  • Successfully connected to the PostgreSQL server using Kerberos authentication (Windows Active Directory as KDC) through the psql client on Linux.

Troubleshooting:

  • Create the sysadmin user in Active Directory and try to get a Kerberos ticket for sysadmin from the Linux terminal. If you face the issue below, follow the resolution steps to solve it.
    kinit sysadmin
    Password for sysadmin@BIMARIAN.COM:
    kinit: Generic preauthentication failure while getting initial credentials
    [bimarian@bsoft6-dev ~]$

Resolution steps:

  1. Connect to your Windows Active Directory server.
  2. Open the user account in Active Directory Users and Computers, right-click the user, click Properties and select the Account tab in the snap-in.
  3. In the Account options: scroll box, if the “User must change password at next log in” check box is ticked, clear it and try to get a ticket again (see the figure below).
KerberosActiveWindow-fig3

 

Create the bsoft6 user account in Active Directory for the PostgreSQL server, map the server service principal to this account and configure the PostgreSQL server to work with Windows Active Directory as KDC. If a psql client connection to PostgreSQL then fails with the error below, follow the steps to solve the issue.
    psql -d dev -h 192.168.19.74 -U sysadmin
    psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information
    GSSAPI continuation error: Server not found in Kerberos database

  1. Verify the PGKRBSRVNAME variable on the client. Its default value is postgres, and it has to match the krb_srvname configured on the server (bimarian in this setup).
     Linux:     echo $PGKRBSRVNAME
     Windows:   echo %PGKRBSRVNAME%
  2. Verify that the user account created for the PostgreSQL server service principal mapping is not disabled.
  • If you get the error ‘GSS duplicate request’ while a client connects to PostgreSQL using Kerberos/GSS authentication:
  • Resolution: check whether the client principal's username exists as a database user; if not, create the user and connect again.
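The following shell script is an added example, not part of the original post, that checks the parts of the setup above that most often go wrong: the two postgresql.conf settings, the keytab's permissions, the gss line in pg_hba.conf, and the PGKRBSRVNAME/krb_srvname match behind the “Server not found in Kerberos database” error. Paths, the bimarian service name and the realm are taken from the post; the sample configuration files are constructed inline.

```sh
#!/bin/sh
# Added example (not from the original post): sanity-check the GSS settings
# described above. Paths, the service name 'bimarian' and the realm are the
# post's; the sample files are constructed here so the script runs offline.

# 0 when postgresql.conf sets krb_server_keyfile ($2) and krb_srvname ($3).
check_pg_conf() {
  grep -Eq "^[[:space:]]*krb_server_keyfile[[:space:]]*=[[:space:]]*'?$2'?" "$1" &&
  grep -Eq "^[[:space:]]*krb_srvname[[:space:]]*=[[:space:]]*'?$3'?" "$1"
}

# 0 when the keytab carries no permission bits for 'other' (ls -l columns 8-10).
check_keytab_perms() {
  [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# 0 when every 'gss' host line in pg_hba.conf has a well-formed IPv4/CIDR
# address (four octets 0-255, prefix 0-32) and a krb_realm option. A truncated
# address such as 168.19.74/32 is caught here instead of at 'pg_ctl reload'.
check_hba() {
  grep -E '^[[:space:]]*host[[:space:]]' "$1" | grep -E '[[:space:]]gss([[:space:]]|$)' |
  while read -r _type _db _user addr _method opts; do
    ip=${addr%/*}; prefix=${addr#*/}; n=0
    for o in $(echo "$ip" | tr '.' ' '); do
      case $o in *[!0-9]*) exit 1 ;; esac
      [ "$o" -le 255 ] || exit 1
      n=$((n + 1))
    done
    [ "$n" -eq 4 ] || { echo "bad address: $addr" >&2; exit 1; }
    case $prefix in ''|*[!0-9]*) exit 1 ;; esac
    [ "$prefix" -le 32 ] || exit 1
    case $opts in *krb_realm=*) ;; *) echo "no krb_realm: $addr" >&2; exit 1 ;; esac
  done
}

# 0 when the service name a libpq client asks for (PGKRBSRVNAME, default
# 'postgres') equals the server's krb_srvname ($1); a mismatch is what produces
# "Server not found in Kerberos database" in the troubleshooting notes.
check_srvname() {
  [ "${PGKRBSRVNAME:-postgres}" = "$1" ]
}

# Constructed sample files mirroring the post's configuration.
demo=$(mktemp -d)
printf "krb_server_keyfile = '/etc/krb5.keytab'\nkrb_srvname = 'bimarian'\n" > "$demo/postgresql.conf"
printf 'host all psqltesting 192.168.19.74/32 gss krb_realm=BIMARIAN.COM\n' > "$demo/hba_ok.conf"
printf 'host all psqltesting 168.19.74/32 gss krb_realm=BIMARIAN.COM\n' > "$demo/hba_bad.conf"
: > "$demo/krb5.keytab" && chmod 640 "$demo/krb5.keytab"
check_pg_conf "$demo/postgresql.conf" /etc/krb5.keytab bimarian && check_keytab_perms "$demo/krb5.keytab" &&
  check_hba "$demo/hba_ok.conf" && echo "server-side GSS configuration looks consistent"
```

Point the functions at the real /var/lib/pgsql/9.3/data files and /etc/krb5.keytab to audit a live server; run check_srvname on the client host, where PGKRBSRVNAME is read.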