[Freeipa-devel] PostgreSQL + freeipa
Alexander Bokovoy
abokovoy at redhat.com
Mon Sep 30 15:03:27 UTC 2013
On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>Hi!
>
>Sorry for my English. Can you help me? I am trying to add PostgreSQL
>authentication to IPA.
>
>Server of IPA host name - server.my.domain.local
>database PostgreSQL host name - database.my.domain.local
>
>1. pg_hba.conf – add record
>
>host all all 192.168.0.0/24 gss
>
>2. postgresql.conf add records:
># Kerberos and GSSAPI
>krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>krb_srvname = 'postgres' # (Kerberos only)
>
>3. Add PostgreSQL service:
>ipa service-add postgres/server.my.domain.local
>
>4. Create keytab:
>ipa-getkeytab -s server.my.domain.local -p
>postgres/database.my.domain.local@MY.DOMAIN.LOCAL -k
>/var/lib/pgsql/data/9.2/pg.keytab
>
>5. Change owner:
>chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>
>6. restart PostgreSQL service
>
>7. Try to connect from database host:
>psql -h database.my.domain.local
>
> If I try – “psql -h database.my.domain.local” command, I have an error –
>“psql: FATAL: role "rembo" does not exist”
So authentication passes in this case, but you don't have a proper role
defined. Define a role called 'rembo'.
See http://www.postgresql.org/docs/9.2/static/database-roles.html
>
>If I try – “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>command, I have an error “psql: FATAL: GSSAPI authentication failed for
>user rembo@MY.DOMAIN.LOCAL"
>
> database.my.domain.local host’s authentication method – IPA.
>
>This is PostgreSQL log:
>DEBUG: InitPostgres
>DEBUG: my backend ID is 1
>DEBUG: StartTransaction
>DEBUG: checkpointer updated shared memory configuration values
>DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG: CommitTransaction
>DEBUG: name: unnamed; blockState: STARTED; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG: forked new backend, pid=17203 socket=11
>DEBUG: postmaster child[17203]: starting with (
>DEBUG: postgres
>DEBUG: rembo@MY.DOMAIN.LOCAL
>DEBUG: )
>DEBUG: InitPostgres
>DEBUG: my backend ID is 2
>DEBUG: StartTransaction
>DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG: Processing received GSS token of length 654
>DEBUG: gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:
>1b2
>DEBUG: sending GSS response token of length 156
>DEBUG: sending GSS token of length 156
>LOG: provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user
>name (rembo) do not match
You have this issue because your username and mapped name do not match.
--
/ Alexander Bokovoy
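
Added example, not part of the original thread and not PostgreSQL source code: a simplified Python model of the role check PostgreSQL runs after GSSAPI succeeds, showing why `-U rembo@MY.DOMAIN.LOCAL` produces the log line above while `-U rembo` passes the check. It assumes the `include_realm` and `map` options of the `gss` method in pg_hba.conf and a pg_ident.conf regex entry; the map name `ipa` and the second failure message are hypothetical.

```python
import re

# Constructed pg_ident.conf entry; the map name "ipa" is hypothetical.
#   MAPNAME  SYSTEM-USERNAME               PG-USERNAME
IDENT_MAP = [("ipa", r"/^(.*)@MY\.DOMAIN\.LOCAL$", r"\1")]


def authenticated_name(principal, include_realm):
    """Name used for the role check; include_realm=0 strips '@REALM'."""
    return principal if include_realm else principal.split("@", 1)[0]


def check_usermap(requested_role, auth_name, mapname=None, ident=IDENT_MAP):
    """Simplified model of the check made after GSSAPI has succeeded."""
    if mapname is None:
        # No map= option: the requested role must equal the authenticated name.
        if requested_role == auth_name:
            return True, "ok"
        return False, ("provided user name (%s) and authenticated user name "
                       "(%s) do not match" % (requested_role, auth_name))
    for name, system_user, pg_user in ident:
        if name != mapname:
            continue
        if system_user.startswith("/"):
            # Leading "/" marks a regular expression; \1 is its first group.
            m = re.search(system_user[1:], auth_name)
            if not m:
                continue
            candidate = pg_user.replace(r"\1", m.group(1)) if m.groups() else pg_user
        elif system_user == auth_name:
            candidate = pg_user
        else:
            continue
        if candidate == requested_role:
            return True, "ok"
    return False, "no usermap entry lets %s connect as %s" % (auth_name, requested_role)


def connect(principal, requested_role, include_realm=False, mapname=None):
    """Role check for one connection attempt: returns (allowed, reason)."""
    name = authenticated_name(principal, include_realm)
    return check_usermap(requested_role, name, mapname)


if __name__ == "__main__":
    p = "rembo@MY.DOMAIN.LOCAL"
    print(connect(p, "rembo@MY.DOMAIN.LOCAL"))  # the failing -U form from the thread
    print(connect(p, "rembo"))                  # check passes; role must also exist
    print(connect(p, "rembo", include_realm=True, mapname="ipa"))
```

In this model, with the realm stripped and no map, `connect("rembo@OTHER.REALM", "rembo")` also passes, which is why a realm-anchored map (or the `krb_realm` option) matters when more than one realm is trusted.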