Hi,
I am struggling to give a Windows Active Directory user access to a
PostgreSQL database.
I am using Windows Server 2008 R2 and created a forest in AD with 2003
compatibility. PostgreSQL 9.3.1 has been compiled with GSSAPI and krb5
support on CentOS; both the Windows server and the CentOS host are VMs with static IPs.
My walkthrough is as follows:
Created the enterprisedb user in AD with the DES encryption type.
Added the CentOS host to the AD domain.
C:\Users\Administrator>setspn -S POSTGRES/centos.my.testdomain.lan my.testdomain.lan\enterprisedb
Checking domain DC=my,DC=testdomain,DC=lan
Registering ServicePrincipalNames for CN=enterprisedb,CN=Users,DC=my,DC=testdomain,DC=lan
        POSTGRES/centos.my.testdomain.lan
Updated object

C:\Users\Administrator>ktpass -out postgres.keytab -princ POSTGRES/centos@MY.TESTDOMAIN.LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
Targeting domain controller: WIN-UC777GC73I8.my.testdomain.lan
Using legacy password setting method
Successfully mapped POSTGRES/centos to enterprisedb.
WARNING: pType and account type do not match. This might cause problems.
Key created.
Output keytab to postgres.keytab:
Keytab version: 0x502
keysize 60 POSTGRES/centos@MY.TESTDOMAIN.LAN ptype 0 (KRB5_NT_UNKNOWN) vno 8 etype 0x3 (DES-CBC-MD5) keylength 8 (0x1af1c29ebf252549)
-bash-4.1$ cat /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 debug=true
 default_realm = MY.TESTDOMAIN.LAN
 allow_weak_crypto = 1
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 EXAMPLE.COM = {
  kdc = kerberos.example.com
  admin_server = kerberos.example.com
 }
 MYWIN.MY.TESTDOMAIN.LAN = {
  kdc = .my.testdomain.lan
 }
 MY.TESTDOMAIN.LAN = {
  kdc = win-uc777gc73i8.my.testdomain.lan
 }

[domain_realm]
 .example.com = EXAMPLE.COM
 example.com = EXAMPLE.COM
 mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
 .mywin.my.testdomain.lan = MYWIN.MY.TESTDOMAIN.LAN
################
Output of klist:
-bash-4.1$ klist
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: POSTGRES/centos@MY.TESTDOMAIN.LAN

Valid starting     Expires            Service principal
11/25/13 00:41:34  11/25/13 10:41:38  krbtgt/MY.TESTDOMAIN.LAN@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@
        renew until 12/02/13 00:41:34
11/25/13 00:41:41  11/25/13 10:41:38  postgres/centos@MY.TESTDOMAIN.LAN
        renew until 12/02/13 00:41:34

-bash-4.1$ kinit -V -k -t /opt/PostgreSQL/9.3.1/data/postgres.keytab POSTGRES/centos@MY.TESTDOMAIN.LAN
Using default cache: /tmp/krb5cc_501
Using principal: POSTGRES/centos@MY.TESTDOMAIN.LAN
Using keytab: /opt/PostgreSQL/9.3.1/data/postgres.keytab
Authenticated to Kerberos v5
-bash-4.1$
-bash-4.1$ klist -k /opt/PostgreSQL/9.3.1/data/postgres.keytab
Keytab name: FILE:/opt/PostgreSQL/9.3.1/data/postgres.keytab
KVNO Principal
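Added example, not part of the post above: a small Python checker for a keytab like the one ktpass produced. It builds a constructed 0x502 keytab with the same layout as the posted entry (a dummy 8-byte key, not the real one), parses it the way klist -k does, and flags what a reviewer would look at here: the single-DES enctype that allow_weak_crypto = 1 has to re-enable, and a keytab principal (POSTGRES/centos) that differs from the one clients will request. The expected principal string is an assumption based on the FQDN registered with setspn; nothing here is the MIT or PostgreSQL code.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
            17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 2, 3, 23}  # single DES (needs allow_weak_crypto = 1 in krb5.conf) and RC4

def build_keytab(realm, components, vno, etype, key, name_type=0):
    """Construct a one-entry keytab in the 0x502 format (constructed sample data)."""
    body = struct.pack(">H", len(components))
    for s in [realm] + components:          # realm first, then each name component
        body += struct.pack(">H", len(s)) + s.encode()
    body += struct.pack(">IIB", name_type, 0, vno & 0xFF)   # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", etype, len(key)) + key       # keyblock: enctype, length, key
    return b"\x05\x02" + struct.pack(">i", len(body)) + body

def parse_keytab(data):
    """Parse a 0x502 keytab into dicts with principal, name_type, vno, etype, keylen."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, pos = [], 2
    while pos + 4 <= len(data):
        size, = struct.unpack_from(">i", data, pos)
        pos, end = pos + 4, pos + 4 + max(size, 0)
        if size <= 0:                       # a negative size marks a deleted slot
            pos += -size or 1
            continue
        ncomp, = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []                        # realm, then the components
        for _ in range(ncomp + 1):
            n, = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n].decode())
            pos += 2 + n
        name_type, _ts, vno8, etype, klen = struct.unpack_from(">IIBHH", data, pos)
        pos += 13 + klen
        vno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8
        entries.append({"principal": "/".join(strings[1:]) + "@" + strings[0],
                        "name_type": name_type, "vno": vno, "etype": etype, "keylen": klen})
        pos = end
    return entries

def audit(entries, expected):
    """Flag weak enctypes and any principal other than the one clients will request."""
    out = []
    for e in entries:
        if e["etype"] in WEAK:
            out.append("%s: weak enctype %s" % (e["principal"], ENCTYPES[e["etype"]]))
        if e["principal"] != expected:
            out.append("%s: expected principal %s" % (e["principal"], expected))
    return out
```

Running audit() on the constructed DES entry reports both findings, while an AES256 entry for postgres/centos.my.testdomain.lan@MY.TESTDOMAIN.LAN passes clean.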