[Freeipa-devel] PostgreSQL + freeipa

Paul Robert Marino prmarino1 at gmail.com
Mon Sep 30 14:38:39 UTC 2013


Did you properly reconfigure your pg_hba.conf to accept Kerberos auth
for the user and network interfaces in question?

That file can be surprisingly fussy about its content.
I would also check if the SELinux context was set correctly on the
file. I see no mention of it in the article and it's one of the first
things that comes to my mind that could trip you up.
Running

    fixfiles restore /var/lib/pgsql

should fix any missing SELinux context on the file, and you can confirm
it by running ls -lZ against the directory.




On Mon, Sep 30, 2013 at 10:26 AM, Gorbachev Ivan <gim.spb at gmail.com> wrote:
>
> I know about this article, and I did it like he did. But I can't connect to
> PostgreSQL =(((
>
> On Mon, Sep 30, 2013 at 6:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Gorbachev Ivan wrote:
>>>
>>> Hi!
>>>
>>> Sorry for my English. Can you help me? I am trying to add PostgreSQL
>>> authentication to IPA.
>>>
>>> Server of IPA host name - server.my.domain.local
>>> database PostgreSQL host name - database.my.domain.local
>>>
>>> 1.    pg_hba.conf – add record
>>>
>>> host    all        all 192.168.0.0/24        gss
>>>
>>>
>>> 2.    postgresql.conf add records:
>>> # Kerberos and GSSAPI
>>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>>> krb_srvname = 'postgres'        # (Kerberos only)
>>>
>>> 3.    Add PostgreSQL service:
>>> ipa service-add postgres/server.my.domain.local
>>>
>>> 4.    Create keytab:
>>> ipa-getkeytab -s server.my.domain.local -p postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k /var/lib/pgsql/data/9.2/pg.keytab
>>>
>>> 5.    Change owner:
>>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>>
>>> 6.   restart PostgreSQL service
>>>
>>> 7.    Try to connect from database host:
>>> psql -h database.my.domain.local
>>>
>>> If I try – “psql -h database.my.domain.local” command, I have an error –
>>> “psql: FATAL:  role "rembo" does not exist”
>>>
>>> If I try – “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>>> command, I have an error – “psql: FATAL: GSSAPI authentication failed
>>> for user rembo@MY.DOMAIN.LOCAL”
>>>
>>>
>>> database.my.domain.local host’s authentication method – IPA.
>>
>>
>> Adam got IPA working with Postgres in OpenStack and wrote a blog post
>> about it:
>> http://adam.younglogic.com/2013/05/kerberizing-postgresql-with-freeipa-for-keystone/
>>
>> The steps aren't directly comparable because he used Puppet, but they look
>> largely the same to me, though I've never tried to set this up. It may be
>> helpful for you though.
>>
>> rob
>
>
>
>
> --
> With Best Regards
> Gorbachev Ivan
>
>
> _______________________________________________
> Freeipa-devel mailing list
> Freeipa-devel at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-devel
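
An added example, not part of the thread or of FreeIPA: PostgreSQL reads pg_hba.conf top to bottom and uses the first record that matches the connection type, database, user and client address, so a gss record can be silently shadowed by a broader record above it. The Python sketch below resolves which record applies to a connection; the sample file, the client address 192.168.0.10 and the gss options shown are constructed for illustration.

```python
import ipaddress

# Constructed sample (not from the thread): the gss record from step 1,
# with gss options added, sitting below a broader md5 record.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       all                    peer
host    all       all   127.0.0.1/32     ident
host    all       all   192.168.0.0/16   md5
host    all       all   192.168.0.0/24   gss include_realm=0 krb_realm=MY.DOMAIN.LOCAL
"""

# Same records with the narrower gss line moved above the md5 line.
_l = SAMPLE_HBA.splitlines(keepends=True)
FIXED_HBA = "".join(_l[:3] + [_l[4], _l[3]])

def parse_hba(text):
    """Yield (lineno, type, dbs, users, network, method, options) per record.
    Assumes CIDR addresses and unquoted fields; keywords other than "all"
    (sameuser, +role, samenet, hostnames) are not interpreted."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()
        if not f:
            continue  # blank line or comment
        if f[0] == "local":  # Unix-socket records have no address field
            net, rest = None, f[3:]
        else:
            net, rest = ipaddress.ip_network(f[3], strict=False), f[4:]
        yield lineno, f[0], f[1].split(","), f[2].split(","), net, rest[0], rest[1:]

def first_match(text, db, user, client_ip=None, ssl=False):
    """Return (lineno, method, options) of the record that decides the
    connection, or None if nothing matches (the server then rejects it)."""
    ip = ipaddress.ip_address(client_ip) if client_ip else None
    for lineno, ctype, dbs, users, net, method, opts in parse_hba(text):
        if (ip is None) != (ctype == "local"):
            continue  # socket connections match only "local" records
        if ip is not None:
            if (ctype == "hostssl" and not ssl) or (ctype == "hostnossl" and ssl):
                continue
            if ip not in net:
                continue
        if {"all", db} & set(dbs) and {"all", user} & set(users):
            return lineno, method, opts  # first match wins; later lines are ignored
    return None

if __name__ == "__main__":
    for name, hba in (("sample", SAMPLE_HBA), ("fixed", FIXED_HBA)):
        print(name, first_match(hba, "postgres", "rembo", "192.168.0.10"))
```

With the sample ordering the client is asked for a password (md5) and the gss record is never reached; after the reorder the same connection resolves to gss.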