[Freeipa-devel] PostgreSQL + freeipa

Gorbachev Ivan gim.spb at gmail.com
Mon Sep 30 15:31:04 UTC 2013


Should I add the role every time I add IPA users? For example, I have
one role for PostgreSQL, and after adding a new IPA user, should I add a mapping
for this new user? Or would it be made automatically?

On Mon, Sep 30, 2013 at 7:03 PM, Alexander Bokovoy <abokovoy at redhat.com> wrote:

> On Mon, 30 Sep 2013, Gorbachev Ivan wrote:
>
>> Hi!
>>
>> Sorry for my English. Can you help me? I try to add PostgreSQL
>> authentication to IPA.
>>
>> Server of IPA host name - server.my.domain.local
>> database PostgreSQL host name - database.my.domain.local
>>
>> 1.    pg_hba.conf – add record
>>
>> host    all        all        192.168.0.0/24        gss
>>
>> 2.    postgresql.conf add records:
>> # Kerberos and GSSAPI
>> krb_server_keyfile = '/var/lib/pgsql/9.2/data/pg.keytab'
>> krb_srvname = 'postgres'        # (Kerberos only)
>>
>> 3.    Add PostgreSQL service:
>> ipa service-add postgres/server.my.domain.local
>>
>> 4.    Create keytab:
>> ipa-getkeytab -s server.my.domain.local -p
>> postgres/database.my.domain.local at MY.DOMAIN.LOCAL  -k
>> /var/lib/pgsql/data/9.2/pg.keytab
>>
>> 5.    Change owner:
>> chown postgres:postgres /var/lib/pgsql/9.2/data/pg.keytab
>>
>> 6.   restart PostgreSQL service
>>
>> 7.    Try to connect from database host:
>> psql -h database.my.domain.local
>>
>> If I try – “psql -h database.my.domain.local” command, I have an error –
>> “psql: FATAL:  role "rembo" does not exist”
>>
> So authentication passes in this case but you don't have proper role
> defined. Define a role called 'rembo'.
>
> See http://www.postgresql.org/docs/9.2/static/database-roles.html
>
>
>
>> If I try – “psql -h database.my.domain.local -U rembo at MY.DOMAIN.LOCAL”
>> command, I have an error “psql: FATAL:  GSSAPI authentication failed for
>> user rembo at MY.DOMAIN.LOCAL"
>>
>> database.my.domain.local host’s authentication method – IPA.
>>
>> This is PostgreSQL log:
>> DEBUG:  InitPostgres
>> DEBUG:  my backend ID is 1
>> DEBUG:  StartTransaction
>> DEBUG:  checkpointer updated shared memory configuration values
>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG:  CommitTransaction
>> DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR,
>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG:  forked new backend, pid=17203 socket=11
>> DEBUG:  postmaster child[17203]: starting with (
>> DEBUG:    postgres
>> DEBUG:    rembo at MY.DOMAIN.LOCAL
>> DEBUG:  )
>> DEBUG:  InitPostgres
>> DEBUG:  my backend ID is 2
>> DEBUG:  StartTransaction
>> DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR,
>> xid/subid/cid: 0/1/0, nestlvl: 1, children:
>> DEBUG:  Processing received GSS token of length 654
>> DEBUG:  gss_accept_sec_context major: 0, minor: 0, outlen: 156, outflags:
>> 1b2
>> DEBUG:  sending GSS response token of length 156
>> DEBUG:  sending GSS token of length 156
>> LOG:  provided user name (rembo at MY.DOMAIN.LOCAL) and authenticated user
>> name (rembo) do not match
>>
> You have this issue because your username and mapped name do not match.
>
>
> --
> / Alexander Bokovoy
>



-- 
With Best Regards
Gorbachev Ivan
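
Added example, not part of the original thread and not PostgreSQL's own code: a small Python model of the checks the server applies after a GSSAPI handshake, showing both errors quoted above and the effect of the real pg_hba.conf options `include_realm` and `map=` with a regex entry in pg_ident.conf. The function names, the map name `ipa` and the pg_ident.conf line are assumptions made for illustration, and Python's `re` only approximates PostgreSQL's regex engine.

```python
import re

# Constructed pg_ident.conf content (not from the thread): one regex entry
# maps every principal of the realm to the role named like its user part.
PG_IDENT = r"""
# MAPNAME   SYSTEM-USERNAME                PG-USERNAME
ipa         /^(.*)@MY\.DOMAIN\.LOCAL$      \1
"""

def parse_ident(text):
    """Return (map, system_user, pg_user) tuples, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows

def gss_login_allowed(principal, requested_role, roles, include_realm=False,
                      usermap=None, ident=PG_IDENT):
    """Approximate the server's post-GSSAPI checks; returns (ok, reason)."""
    # With include_realm off, the realm is stripped from the principal.
    auth_user = principal if include_realm else principal.split("@", 1)[0]
    if usermap is None:
        # Without map=, the authenticated name must equal the requested role.
        matched = auth_user == requested_role
    else:
        matched = False
        for name, system_user, pg_user in parse_ident(ident):
            if name != usermap:
                continue
            if system_user.startswith("/"):
                # A leading slash marks a regex; \1 is its first capture group.
                m = re.search(system_user[1:], auth_user)
                if m:
                    role = pg_user.replace(r"\1", m.group(1) if m.groups() else "")
                    matched = matched or role == requested_role
            elif system_user == auth_user and pg_user == requested_role:
                matched = True
    if not matched:
        return False, "provided user name and authenticated user name do not match"
    # Authentication never creates roles; the role must already exist.
    if requested_role not in roles:
        return False, 'role "%s" does not exist' % requested_role
    return True, "ok"
```

In this model one regex map entry covers every principal in the realm, but each new IPA user still needs a matching database role before login succeeds.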