<div dir="ltr"><br><div class="gmail_extra">Should I add the role every time I add IPA users? For example, I have one role for PostgreSQL, and after adding a new IPA user, should I add a mapping for this new user? Or would it be made automatically?<br>
<br><div class="gmail_quote">On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div class=""><div class="h5">On Mon, 30 Sep 2013, Gorbachev Ivan wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
Hi!<br>
<br>
Sorry for my English. Can you help me? I try to add PostgreSQL<br>
authentication to IPA.<br>
<br>
Server of IPA host name - server.my.domain.local<br>
database PostgreSQL host name - database.my.domain.local<br>
<br>
1. pg_hba.conf – add record<br>
<br>
host all all 192.168.0.0/24 gss<br>
<br>
2. postgresql.conf add records:<br>
# Kerberos and GSSAPI<br>
krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'<br>
krb_srvname = 'postgres' # (Kerberos only)<br>
<br>
3. Add PostgreSQL service:<br>
ipa service-add postgres/server.my.domain.local<br>
<br>
4. Create keytab:<br>
ipa-getkeytab -s server.my.domain.local -p<br>
postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k<br>
/var/lib/pgsql/data/9.2/pg.keytab<br>
<br>
5. Change owner:<br>
chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab<br>
<br>
6. restart PostgreSQL service<br>
<br>
7. Try to connect from database host:<br>
psql -h database.my.domain.local<br>
<br>
If I try – “psql -h database.my.domain.local” command, I have an error –<br>
“psql: FATAL: role "rembo" does not exist”<br>
</blockquote></div></div>
So authentication passes in this case but you don't have a proper role<br>
defined. Define a role called 'rembo'.<br>
<br>
See <a href="http://www.postgresql.org/docs/9.2/static/database-roles.html" target="_blank">http://www.postgresql.org/docs/9.2/static/database-roles.html</a><div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<br>
If I try –“ psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”<br>
command, I have an error “psql: FATAL: GSSAPI authentication failed for<br>
user rembo@MY.DOMAIN.LOCAL"<br>
<br>
database.my.domain.local host’s authentication method – IPA.<br>
<br>
This is PostgreSQL log:<br>
DEBUG: InitPostgres<br>
DEBUG: my backend ID is 1<br>
DEBUG: StartTransaction<br>
DEBUG: checkpointer updated shared memory configuration values<br>
DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,<br>
xid/subid/cid: 0/1/0, nestlvl: 1, children:<br>
DEBUG: CommitTransaction<br>
DEBUG: name: unnamed; blockState: STARTED; state: INPROGR,<br>
xid/subid/cid: 0/1/0, nestlvl: 1, children:<br>
DEBUG: forked new backend, pid=17203 socket=11<br>
DEBUG: postmaster child[17203]: starting with (<br>
DEBUG: postgres<br>
DEBUG: rembo@MY.DOMAIN.LOCAL<br>
DEBUG: )<br>
DEBUG: InitPostgres<br>
DEBUG: my backend ID is 2<br>
DEBUG: StartTransaction<br>
DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,<br>
xid/subid/cid: 0/1/0, nestlvl: 1, children:<br>
DEBUG: Processing received GSS token of length 654<br>
DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:<br>
1b2<br>
DEBUG: sending GSS response token of length 156<br>
DEBUG: sending GSS token of length 156<br>
LOG: provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user<br>
name (rembo) do not match<br>
</blockquote></div></div>
You have this issue because your username and mapped name do not match.<span class=""><font color="#888888"><br>
<br>
<br>
-- <br>
/ Alexander Bokovoy<br>
</font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>With Best Regards</div><div>Gorbachev Ivan</div><br>
</div></div>
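<div>Added example, not part of the original thread and not PostgreSQL's own code: a simplified Python model of the name check PostgreSQL performs after GSSAPI succeeds. It reproduces the two errors quoted above and shows one regular-expression pg_ident.conf line (used with include_realm=1 and map=ipa on the gss line in pg_hba.conf) covering every principal in the realm, while the role itself must still exist. The map name "ipa", the user "alice" and all function names are assumptions.</div>

```python
import re

def auth_name(principal, include_realm):
    """Name compared after GSSAPI succeeds; include_realm=0 strips '@REALM'."""
    return principal if include_realm else principal.split("@", 1)[0]

def parse_ident(text):
    """Parse pg_ident.conf lines: MAPNAME SYSTEM-USERNAME PG-USERNAME."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            entries.append(tuple(fields))
    return entries

def map_allows(entries, mapname, system_user, requested_role):
    """True if the authenticated name may connect as requested_role."""
    if mapname is None:                    # no map= option: names must be identical
        return system_user == requested_role
    for name, ident_user, pg_user in entries:
        if name != mapname:
            continue
        if ident_user.startswith("/"):     # leading '/' marks a regular expression
            m = re.search(ident_user[1:], system_user)
            if not m:
                continue
            if "\\1" in pg_user and m.groups():
                pg_user = pg_user.replace("\\1", m.group(1), 1)
            if pg_user == requested_role:
                return True
        elif ident_user == system_user and pg_user == requested_role:
            return True
    return False

def login(principal, requested_role, roles, include_realm=0, mapname=None, ident=()):
    """Model one connection attempt; include_realm=0 matches the log in the thread."""
    name = auth_name(principal, include_realm)
    if not map_allows(ident, mapname, name, requested_role):
        return "GSSAPI authentication failed"
    if requested_role not in roles:        # roles are never created automatically
        return 'role "%s" does not exist' % requested_role
    return "ok"

# Constructed map: a single regex line maps user@MY.DOMAIN.LOCAL to role "user".
IDENT = parse_ident(r"""
# MAPNAME  SYSTEM-USERNAME             PG-USERNAME
ipa        /^(.*)@MY\.DOMAIN\.LOCAL$   \1
""")
```

With the regex map no per-user mapping line is needed, but a new IPA user such as the hypothetical "alice" still gets "role does not exist" until a matching PostgreSQL role is created.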