[Freeipa-devel] PostgreSQL + freeipa
Gorbachev Ivan
gim.spb at gmail.com
Tue Oct 1 08:38:36 UTC 2013
Thank you!
And one more question: what does this error mean - "GSSAPI continuation error:
No credentials found with supported encryption types"? This error appears
when I try to log in from another computer within the IPA domain.
On Mon, Sep 30, 2013 at 7:58 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>
>> I should add the role every time I add IPA users? For example, I have
>> one role for PostgreSQL, and after adding a new IPA user, should I add
>> a mapping for this new user? Or would it be made automatically?
>>
> This is a PostgreSQL-specific question, nothing specific to IPA at all.
> The answer depends on your model of database access, since PostgreSQL
> users are not the same as system users -- you need to map them to each
> other. By default the mapping is 1:1, i.e. for each system user there should
> exist the same user entry in PostgreSQL.
>
> In general, if you have a single database user (or role) and want to
> allow multiple system level users to access it, you need to supply user
> maps: http://www.postgresql.org/docs/9.2/static/auth-username-maps.html
>
> In Adam's case I guess puppet's recipe automatically sets up PostgreSQL
> user named 'keystone' and therefore connection to PostgreSQL with
> principal 'keystone' matches it automatically.
>
>
>> On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:
>>
>>> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>>>
>>>> Hi!
>>>>
>>>> Sorry for my English. Can you help me? I try to add PostgreSQL
>>>> authentication to IPA.
>>>>
>>>> Server of IPA host name - server.my.domain.local
>>>> database PostgreSQL host name - database.my.domain.local
>>>>
>>>> 1. pg_hba.conf – add record
>>>>
>>>> host all all 192.168.0.0/24 gss
>>>>
>>>> 2. postgresql.conf add records:
>>>> # Kerberos and GSSAPI
>>>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>>>
>>>> krb_srvname = 'postgres' # (Kerberos only)
>>>>
>>>> 3. Add PostgreSQL service:
>>>> ipa service-add postgres/server.my.domain.local
>>>>
>>>>
>>>> 4. Create keytab:
>>>> ipa-getkeytab -s server.my.domain.local -p
>>>> postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k
>>>> /var/lib/pgsql/data/9.2/pg.keytab
>>>>
>>>> 5. Change owner:
>>>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>>
>>>>
>>>> 6. restart PostgreSQL service
>>>>
>>>> 7. Try to connect from database host:
>>>> psql -h database.my.domain.local
>>>>
>>>> If I try – “psql -h database.my.domain.local” command, I have an error –
>>>> “psql: FATAL: role "rembo" does not exist”
>>>>
>>> So authentication passes in this case, but you don't have a proper role
>>> defined. Define a role called 'rembo'.
>>>
>>> See http://www.postgresql.org/docs/9.2/static/database-roles.html
>>>
>>>> If I try “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>>>> command, I have an error “psql: FATAL: GSSAPI authentication failed for
>>>> user rembo@MY.DOMAIN.LOCAL”
>>>>
>>>> database.my.domain.local host’s authentication method – IPA.
>>>>
>>>> This is PostgreSQL log:
>>>> DEBUG: InitPostgres
>>>> DEBUG: my backend ID is 1
>>>> DEBUG: StartTransaction
>>>> DEBUG: checkpointer updated shared memory configuration values
>>>> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG: CommitTransaction
>>>> DEBUG: name: unnamed; blockState: STARTED; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG: forked new backend, pid=17203 socket=11
>>>> DEBUG: postmaster child[17203]: starting with (
>>>> DEBUG: postgres
>>>> DEBUG: rembo@MY.DOMAIN.LOCAL
>>>> DEBUG: )
>>>> DEBUG: InitPostgres
>>>> DEBUG: my backend ID is 2
>>>> DEBUG: StartTransaction
>>>> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
>>>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>>>> DEBUG: Processing received GSS token of length 654
>>>> DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156,
>>>> outflags:
>>>> 1b2
>>>> DEBUG: sending GSS response token of length 156
>>>> DEBUG: sending GSS token of length 156
>>>> LOG: provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user
>>>> name (rembo) do not match
>>>>
>>> You have this issue because your username and mapped name do not match.
>>>
>>>
>>> --
>>> / Alexander Bokovoy
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Gorbachev Ivan
>>
>
>
>
> --
> / Alexander Bokovoy
>
--
With Best Regards
Gorbachev Ivan
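The "provided user name ... and authenticated user name ... do not match" log line and Alexander's pointer to username maps both come down to how PostgreSQL turns a Kerberos principal into a database user name. The following is an added example, not code from the thread or from PostgreSQL: a small Python model of that decision, covering the `gss` method's `include_realm` option (realm stripped by default, as in the pg_hba.conf line quoted above) and a pg_ident.conf regex map. The map name `ipa`, the `include_realm=1 map=ipa` pg_hba.conf line and the pg_ident.conf content are constructed assumptions; the principal and host names are the thread's own.

```python
import re

# Constructed pg_hba.conf line (assumption): keep the realm in the
# authenticated name and apply the user-name map called "ipa".
PG_HBA_LINE = "host all all 192.168.0.0/24 gss include_realm=1 map=ipa"

# Constructed pg_ident.conf (assumption): a regex entry (leading "/") that
# strips the IPA realm; "\1" is replaced by the first capture group.
PG_IDENT = """
# MAPNAME  SYSTEM-USERNAME                  PG-USERNAME
ipa        /^([^@]+)@MY\\.DOMAIN\\.LOCAL$   \\1
"""


def parse_hba_options(line):
    """Return (auth method, {option: value}) from one pg_hba.conf line."""
    fields = line.split()
    method = fields[4]
    opts = dict(f.split("=", 1) for f in fields[5:])
    return method, opts


def parse_ident(text):
    """Parse pg_ident.conf into {map name: [(system user, pg user), ...]}."""
    maps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, system_user, pg_user = line.split()
        maps.setdefault(name, []).append((system_user, pg_user))
    return maps


def gss_authenticated_name(principal, include_realm):
    """Name PostgreSQL derives from the principal (krb_realm not set).

    With include_realm=0 (the default) the realm is dropped, so
    rembo@MY.DOMAIN.LOCAL authenticates as plain "rembo".
    """
    if include_realm:
        return principal
    return principal.split("@", 1)[0]


def map_allows(entries, authenticated, requested):
    """Apply pg_ident map entries: regex entries substitute \\1, others match exactly."""
    for system_user, pg_user in entries:
        if system_user.startswith("/"):
            m = re.match(system_user[1:], authenticated)
            if not m:
                continue
            candidate = pg_user.replace("\\1", m.group(1)) if m.groups() else pg_user
            if candidate == requested:
                return True
        elif system_user == authenticated and pg_user == requested:
            return True
    return False


def check_login(principal, requested_user, hba_line=PG_HBA_LINE, ident_text=PG_IDENT):
    """Return (allowed, authenticated name) for a GSS login attempt.

    Without a map, the requested database user must equal the authenticated
    name exactly; this is the comparison behind the LOG line in the thread.
    """
    method, opts = parse_hba_options(hba_line)
    if method != "gss":
        raise ValueError("example only models the gss method")
    authenticated = gss_authenticated_name(principal, opts.get("include_realm", "0") == "1")
    if "map" in opts:
        entries = parse_ident(ident_text).get(opts["map"], [])
        return map_allows(entries, authenticated, requested_user), authenticated
    return authenticated == requested_user, authenticated


if __name__ == "__main__":
    # The thread's original pg_hba.conf line: realm stripped, no map.
    plain = "host all all 192.168.0.0/24 gss"
    print(check_login("rembo@MY.DOMAIN.LOCAL", "rembo@MY.DOMAIN.LOCAL", plain))  # (False, 'rembo')
    print(check_login("rembo@MY.DOMAIN.LOCAL", "rembo", plain))                  # (True, 'rembo')
    # With include_realm=1 and the map, the bare role name is accepted and
    # a principal from another realm is rejected.
    print(check_login("rembo@MY.DOMAIN.LOCAL", "rembo"))                         # (True, 'rembo@MY.DOMAIN.LOCAL')
    print(check_login("rembo@OTHER.REALM", "rembo"))                             # (False, 'rembo@OTHER.REALM')
```

With the pg_hba.conf line from the thread (no options), the authenticated name is the bare `rembo`, so `psql -U rembo@MY.DOMAIN.LOCAL` fails exactly as logged, while `psql -U rembo` passes authentication and then needs a role named `rembo` to exist, which is the first error Ivan saw. Keeping the realm (`include_realm=1`) together with a map that only accepts `MY.DOMAIN.LOCAL` is the safer shape once more than one realm can reach the server, because a same-named principal from a foreign realm no longer collapses onto the same role.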