[Freeipa-devel] PostgreSQL + freeipa

Alexander Bokovoy abokovoy at redhat.com
Mon Sep 30 15:03:27 UTC 2013


On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>Hi!
>
>Sorry for my English. Can you help me. I try to add PostgreSQL
>authentication to IPA.
>
>Server of IPA host name - server.my.domain.local
>database PostgreSQL host name - database.my.domain.local
>
>1.    pg_hba.conf – add record
>
>host    all        all        192.168.0.0/24        gss
>
>2.    postgresql.conf add records:
># Kerberos and GSSAPI
>krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>krb_srvname = 'postgres'        # (Kerberos only)
>
>3.    Add PostgreSQL service:
>ipa service-add postgres/server.my.domain.local
>
>4.    Create keytab:
>ipa-getkeytab -s server.my.domain.local -p
>postgres/database.my.domain.local@MY.DOMAIN.LOCAL  -k
>/var/lib/pgsql/data/9.2/pg.keytab
>
>5.    Change owner:
>chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>
>6.   restart PostgreSQL service
>
>7.    Try to connect from database host:
>psql -h database.my.domain.local
>
> If I try – “psql -h database.my.domain.local” command, I have an error –
>“psql: FATAL:  role "rembo" does not exist”
So authentication passes in this case but you don't have proper role
defined. Define a role called 'rembo'.

See http://www.postgresql.org/docs/9.2/static/database-roles.html

>
>If I try – “psql -h database.my.domain.local -U rembo@MY.DOMAIN.LOCAL”
>command, I have an error – “psql: FATAL:  GSSAPI authentication failed for
>user rembo@MY.DOMAIN.LOCAL"
>
> database.my.domain.local host’s authentication method – IPA.
>
>This is PostgreSQL log:
>DEBUG:  InitPostgres
>DEBUG:  my backend ID is 1
>DEBUG:  StartTransaction
>DEBUG:  checkpointer updated shared memory configuration values
>DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG:  CommitTransaction
>DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG:  forked new backend, pid=17203 socket=11
>DEBUG:  postmaster child[17203]: starting with (
>DEBUG:    postgres
>DEBUG:    rembo@MY.DOMAIN.LOCAL
>DEBUG:  )
>DEBUG:  InitPostgres
>DEBUG:  my backend ID is 2
>DEBUG:  StartTransaction
>DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>xid/subid/cid: 0/1/0, nestlvl: 1, children:
>DEBUG:  Processing received GSS token of length 654
>DEBUG:  gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:
>1b2
>DEBUG:  sending GSS response token of length 156
>DEBUG:  sending GSS token of length 156
>LOG:  provided user name (rembo@MY.DOMAIN.LOCAL) and authenticated user
>name (rembo) do not match
You have this issue because your username and mapped name do not match.


-- 
/ Alexander Bokovoy
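The mismatch behind that LOG line, as an added model of PostgreSQL's documented GSSAPI name handling (this is illustrative code, not PostgreSQL's or FreeIPA's source). Assumptions: the function names and the pg_ident.conf fragment are constructed for the example; include_realm defaults to 0, as on the 9.2 release in the thread, so the realm is stripped before the name is compared or mapped.

```python
import re

# Constructed pg_ident.conf fragment: map "krb" strips the realm and keeps
# the principal's short name as the PostgreSQL role name.
PG_IDENT = """
# MAPNAME  SYSTEM-USERNAME                 PG-USERNAME
krb        /^(.*)@MY\\.DOMAIN\\.LOCAL$     \\1
"""


def parse_pg_ident(text):
    """Return (map, system-username, pg-username) tuples from pg_ident.conf text."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError("bad pg_ident line: %r" % line)
        rules.append(tuple(parts))
    return rules


def authenticated_name(principal, include_realm):
    """Name PostgreSQL derives from the Kerberos principal: realm kept only
    when include_realm=1, otherwise everything after '@' is discarded."""
    return principal if include_realm else principal.split("@", 1)[0]


def map_allows(rules, map_name, system_user, pg_user):
    """True if some rule of map_name lets system_user log in as pg_user.
    A system-username starting with '/' is a regex; \\1 in the pg-username
    is replaced by its first capture group."""
    for name, sys_pat, pg_pat in rules:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            m = re.match(sys_pat[1:], system_user)
            if m is not None and m.expand(pg_pat) == pg_user:
                return True
        elif sys_pat == system_user and pg_pat == pg_user:
            return True
    return False


def check_login(principal, requested_role, include_realm=0, rules=None, map_name=None):
    """Model of the check that produced the LOG line in the thread.
    Returns 'ok' or the reason the login is refused."""
    auth = authenticated_name(principal, include_realm)
    if rules is not None and map_name:
        if map_allows(rules, map_name, auth, requested_role):
            return "ok"
        return "no pg_ident mapping for %s -> %s" % (auth, requested_role)
    if auth != requested_role:
        return ("provided user name (%s) and authenticated user name (%s) "
                "do not match" % (requested_role, auth))
    return "ok"
```

With the default include_realm=0, `-U rembo@MY.DOMAIN.LOCAL` is refused while plain `rembo` passes (and then only needs the role to exist); keeping the realm requires include_realm=1 together with a map such as the one above.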