Re: Fwd: psql+krb5

From: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
To: pgsql-odbc(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org, pgsql-docs(at)postgresql(dot)org
Subject: Fwd: psql+krb5
Date: 2009-11-30 07:29:35
Message-ID: bbeb3140911292329m5a6f4dfbjb539138119accc9c@mail.gmail.com
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
Date: 2009/11/29
Subject: Re: psql+krb5
To: Denis Feklushkin <denis(dot)feklushkin(at)gmail(dot)com>

These items were added after I sent the message.

I repeat my configuration again:

1) The configuration of krb5.conf is:
[realms]
EXAMPLE.COM ={

kdc=star :88
admin_server=star:749
default_domain= example.com
}
.....

2) Then, I created principal as " postgres/star@EXAMPLE.COM " and its
password is saved in '/usr/local/pgsql/data/postgresql.keytab'.

(star is localhost IP, but in hosts.conf I configure like: 213.233.169.93
star)

3) I setup postgresql.conf as below:

krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'

krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off

4) I create user "frank" in Psql.

5) Then I set up hba.conf:

host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5

When I want to connect to Postgresql, it gives error.

# kinit frank

[root@star bin]# ./psql -h star -U frank -d test

psql: krb5_sendauth: Bad application version was sent (via sendauth)

I should mention that both postgresql server and krb-server are in same
system and my IP is acquired from dhcp server of university. What is
wrong?

2009/11/29 Denis Feklushkin <denis(dot)feklushkin(at)gmail(dot)com>

> On Sun, 29 Nov 2009 14:23:52 +0330
> rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com> wrote:
>
> > Thanks for your replying. My detail of configuration is:
> >
> > I try to setup kerberos authentication in Postgresql 8.1.18 on centos.
> >
> > But I have some problem.
> >
> > 1) The configuration of krb5.conf is:
> > [realms]
> > EXAMPLE.COM <http://example.com/><http://EXAMPLE.COM
> > <http://example.com/>> ={
> >
> > kdc=star :88
> > admin_server=star:749
> > default_domain= example.com<http://example.com
> > >
> > > >
> > > }
> > > .....
> > >
> > > 2) Then, I created principal as " postgres/star@EXAMPLE.COM<mailto:
> > > star@EXAMPLE.COM> " and its password is saved in
> > > '/usr/local/pgsql/data/postgresql.keytab' .
> > >
> > >
> > > (star is localhost IP, but in hosts.conf I configure like:
> > > 213.233.169.93 star)
> > >
> > > 3) I setup postgresql.conf as below:
> > >
> > > krb_server_keyfile = '/usr/local/pgsql/data/
> > > postgresql.keytab'
> > > krb_srvname = 'postgres/star@EXAMPLE.COM<mailto:star@EXAMPLE.COM>'
> > >
> > > krb_server_hostname = 'star' # empty string matches any
> > > keytab entry
> > > krb_caseins_users = off
> > >
> > > 4) I create user "frank" in Psql .
> > >
> > > 5) Then I set up hba.conf :
> > >
> > > host all all 0.0.0.0/0<http://0.0.0.0/0>
> > > krb5
> > > host all all 127.0.0.1/32<http://127.0.0.1/32>
> > > krb5
> > >
> > >
> > > When I want to connect to Postgresql, it gives error.
> > >
> > > # kinit frank
> > >
> > > [root@star bin]# ./psql -h star -U frank -d test
> > >
> > > psql: krb5_sendauth: Bad application version was sent (via sendauth)
> > >
> >
> > some changes in users gives below error :
> > "[root@www bin]# ./psql -h 213.233.168.249 -U postgres
> > psql: Kerberos 5 authentication rejected: Wrong principal in
> > request"
> >
> >
> > > I should mention that both postgresql server and krb-server are in
> > > same system and my IP is acquired from dhcp server of university.
> > > Where is wrong.
> > >
> >
> >
> >
> > 2009/11/29 Denis Feklushkin <denis(dot)feklushkin(at)gmail(dot)com>
> >
> > > On Sun, 29 Nov 2009 10:48:30 +0330
> > > rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com> wrote:
> > >
> > > > Hi,
> > > >
> > > > When I want to connect to psql via krb5 in Linux, it gives me
> > > > error like: "[root@www bin]# ./psql -h 213.233.168.249 -U
> > > > postgres psql: Kerberos 5 authentication rejected: Wrong
> > > > principal in request"
> > >
> > > What is in the KDC logs?
> ^^^^^^^^^^^^^^^^ !!!
>
> Also, the text you gave contains spaces in the principal names
> and strange entries "<mailto:star@EXAMPLE.COM>"
>
> When configuring, it is important that none of this is present
>

--
With Best Regards
Miss.KHodadadi



From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
Cc: pgsql-odbc(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org, pgsql-docs(at)postgresql(dot)org
Subject: Re: [HACKERS] Fwd: psql+krb5
Date: 2009-12-01 15:22:03
Message-ID: 603c8f070912010722p3a5711c8w7481945dd28286b7@mail.gmail.com
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

2009/11/30 rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>:
>
>
> ---------- Forwarded message ----------
> From: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
> Date: 2009/11/29
> Subject: Re: psql+krb5
> To: Denis Feklushkin <denis(dot)feklushkin(at)gmail(dot)com>

Please review the guidelines for reporting a problem, which you can find here:

http://wiki.postgresql.org/wiki/Guide_to_reporting_problems

It seems to me that you've done the exact opposite of nearly
everything suggested there, starting with cross-posting your email to
four mailing lists at least three of which are irrelevant to the
problem that you're attempting to solve.

...Robert


From: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>
To: Robert Haas <robertmhaas(at)gmail(dot)com>
Cc: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>, pgsql-odbc(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org, pgsql-docs(at)postgresql(dot)org
Subject: Re: [GENERAL] [HACKERS] Fwd: psql+krb5
Date: 2009-12-01 16:26:36
Message-ID: dcc563d10912010826g3ceaf4dbj69e159ef73710c2a@mail.gmail.com
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

Except that he posted a month ago and got no answers...

On Tue, Dec 1, 2009 at 8:22 AM, Robert Haas <robertmhaas(at)gmail(dot)com> wrote:
> 2009/11/30 rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>:
>>
>>
>> ---------- Forwarded message ----------
>> From: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
>> Date: 2009/11/29
>> Subject: Re: psql+krb5
>> To: Denis Feklushkin <denis(dot)feklushkin(at)gmail(dot)com>
>
> Please review the guidelines for reporting a problem, which you can find here:
>
> http://wiki.postgresql.org/wiki/Guide_to_reporting_problems
>
> It seems to me that you've done the exact opposite of nearly
> everything suggested there, starting with cross-posting your email to
> four mailing lists at least three of which are irrelevant to the
> problem that you're attempting to solve.
>
> ...Robert
>

--
When fascism comes to America, it will be intolerance sold as diversity.


From: Robert Haas <robertmhaas(at)gmail(dot)com>
To: Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>
Cc: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>, pgsql-odbc(at)postgresql(dot)org, pgsql-hackers(at)postgresql(dot)org, pgsql-general(at)postgresql(dot)org, pgsql-docs(at)postgresql(dot)org
Subject: Re: [HACKERS] Fwd: psql+krb5
Date: 2009-12-01 17:54:09
Message-ID: 603c8f070912010954j668fcba2q51d962a7fe51b03d@mail.gmail.com
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

On Tue, Dec 1, 2009 at 11:26 AM, Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com> wrote:
> Except that he posted a month ago and got no answers...

Gee, I wonder why.

...Robert


From: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
To: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>, PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Fwd: psql+krb5
Date: 2009-12-02 01:04:34
Message-ID: 4B15BD22.3020307@postnewspapers.com.au
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

I've dropped all your cross-posts; this is just going to PgSQL-general.

On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:

> psql: krb5_sendauth: Bad application version was sent (via sendauth)

Have you verified that your Kerberos setup is otherwise working
correctly - it's handling logins, other apps work, etc?

Also: a search for your error message finds this post, which, while
related to a Windows kerberos server, seems to apply:

http://www.mail-archive.com/pgsql-general(at)postgresql(dot)org/msg80403.html

That is: Make sure that the Kerberos service name matches everywhere.

I don't know much about Kerberos, nor I suspect do all that many people
on the list, so I can't be of any more help.

--
Craig Ringer


From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>
Cc: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>, PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Fwd: psql+krb5
Date: 2009-12-02 01:45:56
Message-ID: 20091202014556.GS17756@tamriel.snowman.net
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

* Craig Ringer (craig(at)postnewspapers(dot)com(dot)au) wrote:
> I've dropped all your cross-posts; this is just going to PgSQL-general.

Thanks for that.

> On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
>
>> psql: krb5_sendauth: Bad application version was sent (via sendauth)
>
> Also: a search for your error message finds this post, which, while
> related to a Windows kerberos server, seems to apply:

It's the same kind of issue (wrong service name), but I think the real
problem is this:

krb_srvname = 'postgres/star@EXAMPLE.COM'

The documentation, I think, is pretty clear:
http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH

PostgreSQL operates like a normal Kerberos service. The name of the
service principal is servicename/hostname@realm.

servicename can be set on the server side using the krb_srvname
configuration parameter

The above should just be:

krb_srvname = 'postgres'

Or, better, just removed. Unless you're running under a Microsoft
Active Directory Kerberos environment, the default should 'just work'.

Additionally, this is also almost certainly wrong:

krb_server_hostname = 'star'

Again, referring to the same documentation:

hostname is the fully qualified host name of the server machine.

You really should have a proper FQDN set for this system. I would also
recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't
see the version of PostgreSQL, but if you're using something recent your
auth method should really be 'gss' instead of 'krb5'.

> I don't know much about Kerberos, nor I suspect do all that many people
> on the list, so I can't be of any more help.

Unfortunately, I don't pay as close attention to the lists as I wish I
could. Kerberos with PG is actually a solution I typically recommend.

Thanks,

Stephen
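
Added example (not part of Stephen's message and not PostgreSQL project code): a small Python check that applies the two points above to the settings posted in this thread and assembles the servicename/hostname@realm principal the keytab would need. The helper names, the embedded sample text and the star.example.com host name used in the test are constructed for illustration; the realm is passed in because it comes from krb5.conf, not postgresql.conf.

```python
import re

# Constructed sample: the Kerberos settings as posted earlier in this thread.
POSTED_CONF = """\
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star'   # empty string matches any keytab entry
krb_caseins_users = off
"""

# name = 'quoted value'  or  name = bareword, with an optional trailing comment
SETTING = re.compile(r"^\s*(\w+)\s*=\s*(?:'([^']*)'|([^\s#]+))")


def parse_conf(text):
    """Return {name: value} for simple 'name = value' lines; comment lines are skipped."""
    settings = {}
    for line in text.splitlines():
        m = SETTING.match(line)
        if m:
            settings[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return settings


def check_krb(settings, realm):
    """Return (problems, principal) for the krb_* settings.

    principal is servicename/hostname@realm as the server would build it
    once krb_srvname is reduced to the bare service name.
    """
    problems = []
    srvname = settings.get("krb_srvname", "postgres")  # 'postgres' is the default
    host = settings.get("krb_server_hostname", "")
    if "/" in srvname or "@" in srvname:
        problems.append("krb_srvname must be the service name only, not a full principal")
        srvname = srvname.split("/")[0].split("@")[0]
    if host and "." not in host:
        problems.append("krb_server_hostname should be the fully qualified host name")
    principal = f"{srvname}/{host or '<any keytab entry>'}@{realm}"
    return problems, principal


if __name__ == "__main__":
    problems, principal = check_krb(parse_conf(POSTED_CONF), "EXAMPLE.COM")
    for p in problems:
        print("problem:", p)
    print("keytab must contain:", principal)
```

The principal it prints is the one to look for in the `klist -k` listing of the keytab named by krb_server_keyfile.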


From: rahimeh khodadadi <rahimeh(dot)khodadadi(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Craig Ringer <craig(at)postnewspapers(dot)com(dot)au>, PG-General Mailing List <pgsql-general(at)postgresql(dot)org>
Subject: Re: Fwd: psql+krb5
Date: 2009-12-02 06:40:43
Message-ID: bbeb3140912012240x68b483bbjfe9370f4a1eb10ab@mail.gmail.com
Lists: pgsql-docs pgsql-general pgsql-hackers pgsql-odbc

I thank Stephen and Craig for their replies.
I am sorry for cross-posting, but I did not know about it before. I
had to do it to solve the problem, because no one answered me.

On Wed, Dec 2, 2009 at 5:15 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> * Craig Ringer (craig(at)postnewspapers(dot)com(dot)au) wrote:
> > I've dropped all your cross-posts; this is just going to PgSQL-general.
>
> Thanks for that.
>
> > On 30/11/2009 3:29 PM, rahimeh khodadadi wrote:
> >
> >> psql: krb5_sendauth: Bad application version was sent (via sendauth)
> >
> > Also: a search for your error message finds this post, which, while
> > related to a Windows kerberos server, seems to apply:
>
> It's the same kind of issue (wrong service name), but I think the real
> problem is this:
>
> krb_srvname = 'postgres/star@EXAMPLE.COM'
>
> The documentation, I think, is pretty clear:
>
> http://www.postgresql.org/docs/8.4/interactive/auth-methods.html#KERBEROS-AUTH
>
> PostgreSQL operates like a normal Kerberos service. The name of the
> service principal is servicename/hostname@realm.
>
> servicename can be set on the server side using the krb_srvname
> configuration parameter
>
> The above should just be:
>
> krb_srvname = 'postgres'
>
> Or, better, just removed. Unless you're running under a Microsoft
> Active Directory Kerberos environment, the default should 'just work'.
>
> Additionally, this is also almost certainly wrong:
>
> krb_server_hostname = 'star'
>
> Again, referring to the same documentation:
>
> hostname is the fully qualified host name of the server machine.
>
> You really should have a proper FQDN set for this system. I would also
> recommend using a real domain rather than 'EXAMPLE.COM'. Also, I didn't
> see the version of PostgreSQL, but if you're using something recent your
> auth method should really be 'gss' instead of 'krb5'.
>
> > I don't know much about Kerberos, nor I suspect do all that many people
> > on the list, so I can't be of any more help.
>
> Unfortunately, I don't pay as close attention to the lists as I wish I
> could. Kerberos with PG is actually a solution I typically recommend.
>
> Thanks,
>
> Stephen
>

--
With Best Regards
Miss.KHodadadi