[Freeipa-devel] PostgreSQL + freeipa

Gorbachev Ivan gim.spb at gmail.com
Tue Oct 1 08:38:36 UTC 2013


Thank you!
And one more question: what does this error mean - "GSSAPI continuation error:
No credentials found with supported encryption types"? This error appears
when I try to log in from another computer within the IPA domain.


On Mon, Sep 30, 2013 at 7:58 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>
>> Should I add the role every time I add IPA users? For example, I have
>> one role for PostgreSQL, and after adding a new IPA user, should I add a
>> mapping for this new user? Or would it be made automatically?
>>
> This is a PostgreSQL-specific question, nothing specific to IPA at all.
> The answer depends on your model of database access, since PostgreSQL
> users are not the same as system users -- you need to map them to each
> other. By default the mapping is 1:1, i.e. for each system user there should
> exist the same user entry in PostgreSQL.
>
> In general, if you have a single database user (or role) and want to
> allow multiple system level users to access it, you need to supply user
> maps: http://www.postgresql.org/docs/9.2/static/auth-username-maps.html
>
> In Adam's case I guess puppet's recipe automatically sets up a PostgreSQL
> user named 'keystone' and therefore a connection to PostgreSQL with
> principal 'keystone' matches it automatically.
>
>
>> On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com>
>> wrote:
>>
>>> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>>>
>>>> Hi!
>>>>
>>>> Sorry for my English. Can you help me? I am trying to add PostgreSQL
>>>> authentication to IPA.
>>>>
>>>> IPA server host name - server.my.domain.local
>>>> PostgreSQL database host name - database.my.domain.local
>>>>
>>>> 1.    pg_hba.conf – add record
>>>>
>>>> host    all        all        192.168.0.0/24        gss
>>>>
>>>> 2.    postgresql.conf add records:
>>>> # Kerberos and GSSAPI
>>>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>>>
>>>> krb_srvname = 'postgres'        # (Kerberos only)
>>>>
>>>> 3.    Add PostgreSQL service:
>>>> ipa service-add postgres/server.my.domain.local
>>>>
>>>>
>>>> 4.    Create keytab:
>>>> ipa-getkeytab -s server.my.domain.local -p
>>>> postgres/database.my.domain.local at MY.DOMAIN.LOCAL -k
>>>> /var/lib/pgsql/data/9.2/pg.keytab
>>>>
>>>> 5.    Change owner:
>>>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>>
>>>>
>>>> 6.   restart PostgreSQL service
>>>>
>>>> 7.    Try to connect from database host:
>>>> psql -h database.my.domain.local
>>>>
>>>> If I try the “psql -h database.my.domain.local” command, I get an error –
>>>> “psql: FATAL:  role "rembo" does not exist”
>>>>
>>> So authentication passes in this case but you don't have a proper role
>>> defined. Define a role called 'rembo'.
>>>
>>> See http://www.postgresql.org/docs/9.2/static/database-roles.html
>>>
>>>> If I try the “psql -h database.my.domain.local -U rembo at MY.DOMAIN.LOCAL”
>>>> command, I get an error – “psql: FATAL:  GSSAPI authentication failed
>>>> for user rembo at MY.DOMAIN.LOCAL"
>>>>
>>>> database.my.domain.local host’s authentication method – IPA.
>>>>
>>>> This is PostgreSQL log:
>>>> DEBUG:  InitPostgres
>>>> DEBUG:  my backend ID is 1
>>>> DEBUG:  StartTransaction
>>>> DEBUG:  checkpointer updated shared memory configuration values
>>>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG:  CommitTransaction
>>>> DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG:  forked new backend, pid=17203 socket=11
>>>> DEBUG:  postmaster child[17203]: starting with (
>>>> DEBUG:    postgres
>>>> DEBUG:    rembo at MY.DOMAIN.LOCAL
>>>> DEBUG:  )
>>>> DEBUG:  InitPostgres
>>>> DEBUG:  my backend ID is 2
>>>> DEBUG:  StartTransaction
>>>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG:  Processing received GSS token of length 654
>>>> DEBUG:  gss_accept_sec_context major: 0, minor: 0, outlen: 156,
>>>> outflags:
>>>> 1b2
>>>> DEBUG:  sending GSS response token of length 156
>>>> DEBUG:  sending GSS token of length 156
>>>> LOG:  provided user name (rembo at MY.DOMAIN.LOCAL) and authenticated user
>>>> name (rembo) do not match
>>>>
>>> You have this issue because your username and mapped name do not match.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Gorbachev Ivan
>>
>
>
>
> --
> / Alexander Bokovoy
>



-- 
With Best Regards
Gorbachev Ivan
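The username mapping Alexander points to, as an added example that is not part of this thread and is not PostgreSQL's own code: a small Python model of the documented gss `include_realm` option and the pg_ident.conf matching rules (a SYSTEM-USERNAME starting with `/` is a regular expression, `\1` in PG-USERNAME is the first capture group), applied to the principal from the log above. The pg_hba.conf line, the pg_ident.conf contents and the map name `ipa` are constructed for this example; `include_realm=0` is the default of the PostgreSQL 9.2 server in the thread.

```python
import re

# Constructed pg_hba.conf line (not the poster's own): map= routes the
# authenticated principal through pg_ident.conf, and include_realm=1 keeps
# "@MY.DOMAIN.LOCAL" on the name so the map can see it. Map name "ipa" is
# a hypothetical choice.
PG_HBA_LINE = "host    all    all    192.168.0.0/24    gss    include_realm=1 map=ipa"

# Constructed pg_ident.conf (not from the thread). The regex entry maps every
# principal of the realm to a role of the same name; the literal entry shows
# a one-off mapping of a single principal to a differently named role.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME                        PG-USERNAME
ipa         /^([a-z0-9._-]+)@MY\.DOMAIN\.LOCAL$    \1
ipa         admin@MY.DOMAIN.LOCAL                  postgres
"""


def parse_pg_ident(text):
    """Return (mapname, system_username, pg_username) triples, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError("malformed pg_ident.conf line: %r" % line)
        entries.append(tuple(fields))
    return entries


def strip_realm(principal, include_realm):
    """Model the gss include_realm option: 0 drops '@REALM' before mapping."""
    if include_realm:
        return principal
    return principal.split("@", 1)[0]


def check_usermap(entries, mapname, authenticated, requested):
    """Decide whether the authenticated system name may log in as the requested role."""
    if mapname is None:
        # No map= option: the names must be identical. This comparison is what
        # the "provided user name ... and authenticated user name ... do not
        # match" LOG line in the thread reports.
        return authenticated == requested
    for name, sysname, pgname in entries:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.match(sysname[1:], authenticated)
            if m is None:
                continue
            if r"\1" in pgname:
                if not m.groups():
                    raise ValueError("\\1 used but regex has no capture group")
                candidate = pgname.replace(r"\1", m.group(1))
            else:
                candidate = pgname
            if candidate == requested:
                return True
        elif sysname == authenticated and pgname == requested:
            return True
    return False


def thread_failure():
    """The poster's failing case: psql -U rembo@MY.DOMAIN.LOCAL against a 9.2
    server with the default include_realm=0 and no map= option."""
    authenticated = strip_realm("rembo@MY.DOMAIN.LOCAL", include_realm=0)  # "rembo"
    return check_usermap([], None, authenticated, "rembo@MY.DOMAIN.LOCAL")


def fixed_with_map():
    """Same principal with PG_HBA_LINE's include_realm=1 map=ipa and a role named rembo."""
    authenticated = strip_realm("rembo@MY.DOMAIN.LOCAL", include_realm=1)
    return check_usermap(parse_pg_ident(PG_IDENT), "ipa", authenticated, "rembo")


if __name__ == "__main__":
    print("thread case (no map, include_realm=0):", thread_failure())  # False
    print("with include_realm=1 map=ipa:", fixed_with_map())          # True
```

The first case returns False for the same reason the server logged the mismatch: with the 9.2 default `include_realm=0` the realm is stripped before the comparison, so the requested role has to be plain `rembo` (and that role has to exist, as the first reply says). With `include_realm=1 map=ipa` the regex entry maps every principal of MY.DOMAIN.LOCAL to a role of the same name, so a new IPA user needs no per-user map entry, but still needs a matching PostgreSQL role; a principal from any other realm does not match the map and is refused.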