<div dir="ltr">Thank you! <div>And one more question, what does error mean - "GSSAPI continuation error: No credentials found with supported encryption types". This error appears when I try to log in from another computer within the domain IPA.</div> <div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Sep 30, 2013 at 7:58 PM, Alexander Bokovoy <span dir="ltr"><<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>></span> wrote:<br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div>On Mon, 30 Sep 2013, Gorbachev Ivan wrote:<br> </div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> I should add the role every time then add ipa users ? For example, i have<br> one role for PostgreSQL, and after add a new IPA user, i should add mapping<br> for this new user ? Or it would be made automaticaly ?<br> </blockquote></div> This is PostgreSQL-specific question, nothing specific to IPA at all.<br> Answer to it depends on your model of a database access since PostgreSQL<br> users are not the same as system users -- you need to map the to each<br> other. By default mapping is 1:1, i.e. for each system user there should<br> exist the same user entry in PostgreSQL.<br> <br> In general, if you have a single database user (or role) and want to<br> allow multiple system level users to access it, you need to supply user<br> maps: <a href="http://www.postgresql.org/docs/9.2/static/auth-username-maps.html" target="_blank">http://www.postgresql.org/<u></u>docs/9.2/static/auth-username-<u></u>maps.html</a><br> <br> In Adam's case I guess puppet's recipe automatically sets up PostgreSQL<br> user named 'keystone' and therefore connection to PostgreSQL with<br> principal 'keystone' matches it automatically.<br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div> <br> On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <<a href="mailto:abokovoy@redhat.com" target="_blank">abokovoy@redhat.com</a>>wrote:<br> <br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:<br> <br> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div> Hi!<br> <br> Sorry for my English. Can you help me. I try to add PostgreSQL<br> authentication to IPA.<br> <br> Server of IPA host name - server.my.domain.local<br> database PostgreSQL host name - database.my.domain.local<br> <br> 1. pg_hba.conf – add record<br> <br> host all all <a href="http://192.168.0.0/24" target="_blank">192.168.0.0/24</a> gss<br> <br> 2. postgresql.conf add records:<br> # Kerberos and GSSAPI<br></div> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.**<u></u>keytab'<div><br> krb_srvname = 'postgres' # (Kerberos only)<br> <br> 3. Add PostgreSQL service:<br></div> ipa service-add postgres/server.my.domain.**<u></u>local<div><br> <br> 4. Create keytab:<br> ipa-getkeytab -s server.my.domain.local -p<br></div> postgres/database.my.domain.**<u></u>local@MY.DOMAIN.LOCAL -k<br> /var/lib/pgsql/data/9.2/pg.**<u></u>keytab<br> <br> 5. Change owner:<br> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.**<u></u>keytab<div><br> <br> 6. restart PostgreSQL service<br> <br> 7. Try to connect from database host:<br> psql -h database.my.domain.local<br> <br> If I try – “psql -h database.my.domain.local” command, I have an error –<br> “psql: FATAL: role "rembo" does not exist”<br> <br> </div></blockquote><div> So authentication passes in this case but you don't have proper role<br> defined. Define a role called 'rembo'.<br> <br></div> See <a href="http://www.postgresql.org/**docs/9.2/static/database-**roles.html" target="_blank">http://www.postgresql.org/**<u></u>docs/9.2/static/database-**<u></u>roles.html</a><<a href="http://www.postgresql.org/docs/9.2/static/database-roles.html" target="_blank">http://www.<u></u>postgresql.org/docs/9.2/<u></u>static/database-roles.html</a>><div> <div><br> <br> <br> <br> <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"> If I try –“ psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”<br> command, I have an error “psql: FATAL: GSSAPI authentication failed for<br> user rembo@MY.DOMAIN.LOCAL"<br> <br> database.my.domain.local host’s authentication method – IPA.<br> <br> This is PostgreSQL log:<br> DEBUG: InitPostgres<br> DEBUG: my backend ID is 1<br> DEBUG: StartTransaction<br> DEBUG: checkpointer updated shared memory configuration values<br> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,<br> xid/subid/cid: 0/1/0, nestlvl: 1, children:<br> DEBUG: CommitTransaction<br> DEBUG: name: unnamed; blockState: STARTED; state: INPROGR,<br> xid/subid/cid: 0/1/0, nestlvl: 1, children:<br> DEBUG: forked new backend, pid=17203 socket=11<br> DEBUG: postmaster child[17203]: starting with (<br> DEBUG: postgres<br> DEBUG: rembo@MY.DOMAIN.LOCAL<br> DEBUG: )<br> DEBUG: InitPostgres<br> DEBUG: my backend ID is 2<br> DEBUG: StartTransaction<br> DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,<br> xid/subid/cid: 0/1/0, nestlvl: 1, children:<br> DEBUG: Processing received GSS token of length 654<br> DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:<br> 1b2<br> DEBUG: sending GSS response token of length 156<br> DEBUG: sending GSS token of length 156<br> LOG: provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user<br> name (rembo) do not match<br> <br> </blockquote> You have this issue because your username and mapped name do not match.<br> <br> <br> --<br> / Alexander Bokovoy<br> <br> </div></div></blockquote><div><div> <br> <br> <br> -- <br> With Best Regards<br> Gorbachev Ivan<br> </div></div></blockquote><span><font color="#888888"> <br> <br> <br> -- <br> / Alexander Bokovoy<br> </font></span></blockquote></div><br><br clear="all"><div><br></div>-- <br><div>With Best Regards</div><div>Gorbachev Ivan</div><br> </div></div>