configuration kerberos in Postgre sql

Hi,

after compiling postgresql --with-krb5 and setting up the krb5-server in
centos, I configured the *postgresql.conf* as below:

*krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
*krb_srvname = 'POSTGRES' * # (Kerberos only)
#krb_caseins_users = off

and

my *pg_hba.conf* is :

# "local" is for Unix domain socket connections only
local all postgres trust
# IPv4 local connections:
host all *frank* 0.0.0.0/0 krb5
#host all all 127.0.0.1/32 trust
# IPv6 local connections:
host all all ::1/128 trust


,and kdc.conf

kdcdefaults]
v4_mode = nopreauth
kdc_tcp_ports = 88

[realms]
EXAMPLE.COM = {
#master_key_type = des3-hmac-sha1
* acl_file = /var/kerberos/krb5kdc/kadm5.acl*
dict_file = /usr/share/dict/words
admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
des-cbc-crc:afs3
}

Then, I created the user frank as :

kadmin.local
Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
kadmin.local: * ank frank*
WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no policy
Enter password for principal "frank [at] EXAMPLE.COM":
Re-enter password for principal "frank [at] EXAMPLE.COM":

*kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
Entry for principal frank with kvno 2, encryption type Triple DES cbc mode
with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type ArcFour with HMAC/md5
added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
Entry for principal frank with kvno 2, encryption type DES cbc mode with
RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

Finally, it gives an error like:

[root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
Password for frank [at] EXAMPLE.COM:
*kinit(v5): Password incorrect while getting initial credentials*

or

in cmd, when I run this instruction, the error below is shown.

[root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
*psql: krb5_sendauth: Bad application version was sent (via sendauth)*


Please help me.



--
With Best Regards
Miss.KHodadadi

rahimeh khodadadi [ Sun, 11 October 2009 15:36 ] [ ID #2018751 ]

Re: configuration kerberos in Postgre sql

nobody could help me?

On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
rahimeh.khodadadi [at] gmail.com> wrote:

> Hi,
>
> after compiling postgresql --with-krb5 and setting up the krb5-server
> in centos, I configured the *postgresql.conf* as below:
>
> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
> *krb_srvname = 'POSTGRES' * # (Kerberos only)
> #krb_caseins_users = off
>
> and
>
> my *pg_hba.conf* is :
>
> # "local" is for Unix domain socket connections only
> local all postgres trust
> # IPv4 local connections:
> host all *frank* 0.0.0.0/0 krb5
> #host all all 127.0.0.1/32 trust
> # IPv6 local connections:
> host all all ::1/128 trust
>
>
> ,and kdc.conf
>
> kdcdefaults]
> v4_mode = nopreauth
> kdc_tcp_ports = 88
>
> [realms]
> EXAMPLE.COM = {
> #master_key_type = des3-hmac-sha1
> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
> dict_file = /usr/share/dict/words
> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
> des-cbc-crc:afs3
> }
>
> Then, I created the user frank as :
>
> kadmin.local
> Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
> kadmin.local: * ank frank*
> WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no
> policy
> Enter password for principal "frank [at] EXAMPLE.COM":
> Re-enter password for principal "frank [at] EXAMPLE.COM":
>
> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
> Entry for principal frank with kvno 2, encryption type Triple DES cbc mode
> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type ArcFour with
> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
> Entry for principal frank with kvno 2, encryption type DES cbc mode with
> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>
> Finally, it gives error like:
>
> [root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
> Password for frank [at] EXAMPLE.COM:
> *kinit(v5): Password incorrect while getting initial credentials*
>
> or
>
> in cmd when I run this instruction the below error is shown.
>
> [root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>
>
> Please help me.
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>



--
With Best Regards
Miss.KHodadadi

rahimeh khodadadi [ Mon, 12 October 2009 13:42 ] [ ID #2018789 ]

Re: configuration kerberos in Postgre sql

Has nobody ever worked with krb5 in postgresql?

On 10/12/09, rahimeh khodadadi <rahimeh.khodadadi [at] gmail.com> wrote:
> nobody could help me?
>
> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
> rahimeh.khodadadi [at] gmail.com> wrote:
>
>> Hi,
>>
>> after compiling postgresql --with-krb5 and setting up the krb5-server
>> in centos, I configured the *postgresql.conf* as below:
>>
>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>> #krb_caseins_users = off
>>
>> and
>>
>> my *pg_hba.conf* is :
>>
>> # "local" is for Unix domain socket connections only
>> local all postgres trust
>> # IPv4 local connections:
>> host all *frank* 0.0.0.0/0 krb5
>> #host all all 127.0.0.1/32 trust
>> # IPv6 local connections:
>> host all all ::1/128 trust
>>
>>
>> ,and kdc.conf
>>
>> kdcdefaults]
>> v4_mode = nopreauth
>> kdc_tcp_ports = 88
>>
>> [realms]
>> EXAMPLE.COM = {
>> #master_key_type = des3-hmac-sha1
>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>> dict_file = /usr/share/dict/words
>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>> des-cbc-crc:afs3
>> }
>>
>> Then, I created the user frank as :
>>
>> kadmin.local
>> Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
>> kadmin.local: * ank frank*
>> WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no
>> policy
>> Enter password for principal "frank [at] EXAMPLE.COM":
>> Re-enter password for principal "frank [at] EXAMPLE.COM":
>>
>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>> mode
>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type ArcFour with
>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>
>> Finally, it gives error like:
>>
>> [root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>> Password for frank [at] EXAMPLE.COM:
>> *kinit(v5): Password incorrect while getting initial credentials*
>>
>> or
>>
>> in cmd when I run this instruction the below error is shown.
>>
>> [root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>
>>
>> Please help me.
>>
>>
>>
>> --
>> With Best Regards
>> Miss.KHodadadi
>>
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>


--
With Best Regards
Miss.KHodadadi

--
Sent via pgsql-admin mailing list (pgsql-admin [at] postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
rahimeh khodadadi [ Fri, 16 October 2009 20:50 ] [ ID #2019237 ]

Re: configuration kerberos in Postgre sql

Hi Rahimeh,

Is PG on the same box as the kadmind?

rahimeh khodadadi wrote:
> Has nobody ever worked with krb5 in postgresql?
>
> On 10/12/09, rahimeh khodadadi <rahimeh.khodadadi [at] gmail.com> wrote:
>> nobody could help me?
>>
>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>> rahimeh.khodadadi [at] gmail.com> wrote:
>>
>>> Hi,
>>>
>>> after compiling postgresql --with-krb5 and setting up the krb5-server
>>> in centos, I configured the *postgresql.conf* as below:
>>>
>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>> #krb_caseins_users = off

I like to specify my krb_server_hostname explicitly here.

>>> and
>>>
>>> my *pg_hba.conf* is :
>>>
>>> # "local" is for Unix domain socket connections only
>>> local all postgres trust
>>> # IPv4 local connections:
>>> host all *frank* 0.0.0.0/0 krb5
>>> #host all all 127.0.0.1/32 trust
>>> # IPv6 local connections:
>>> host all all ::1/128 trust
>>>
>>>
>>> ,and kdc.conf
>>>
>>> kdcdefaults]
>>> v4_mode = nopreauth
>>> kdc_tcp_ports = 88
>>>
>>> [realms]
>>> EXAMPLE.COM = {
>>> #master_key_type = des3-hmac-sha1
>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>> dict_file = /usr/share/dict/words
>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab

If this is the same machine as PG, I'm not sure why you have the same file
here as for the keytab to keep the PG service principal in. My manpage for
kdc.conf says that admin_keytab specifies the keytab to be used by kadmin to
authenticate to the database, so really shouldn't be kept very distinct from
the keytab with the PG service principal.

>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal des-cbc-crc:v4
>>> des-cbc-crc:afs3
>>> }
>>>
>>> Then, I created the user frank as :
>>>
>>> kadmin.local
>>> Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
>>> kadmin.local: * ank frank*
>>> WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no
>>> policy
>>> Enter password for principal "frank [at] EXAMPLE.COM":
>>> Re-enter password for principal "frank [at] EXAMPLE.COM":
>>>
>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>> mode
>>> with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1
>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.

But for PG you'll need a keytab with the service principal you've defined to
be POSTGRES/<hostname> [at] EXAMPLE.COM in it.

>>> Finally, it gives error like:
>>>
>>> [root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>> Password for frank [at] EXAMPLE.COM:
>>> *kinit(v5): Password incorrect while getting initial credentials*

I've never had much joy myself when getting tickets from a -t keytab, I
usually just kinit and enter a password instead.

>>> or
>>>
>>> in cmd when I run this instruction the below error is shown.
>>>
>>> [root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*

To construct the service principal the library takes the -h argument, then
gets the A record for it (if applicable), then gets the PTR record for the A
record to get the hostname for the service principal name (unless you're using
Windows I have found, in which case it just stops and takes the originally
given hostname if an A record exists). Just use a non-127 address instead,
it'll make things a lot easier to keep straight. For that matter,
/etc/hostname and /etc/resolv.conf would be good to see too because of their
importance here.

HTH,
Geoff


---------
Geoff Tolley
DBA/Systems Administrator

YouGovPolimetrix
285 Hamilton Avenue Suite 200
Palo Alto, CA 94301
geoff.tolley [at] yougov.com
http://www.yougov.com/
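The reply above makes three claims that can be checked mechanically: the server keytab must hold POSTGRES/<hostname>@EXAMPLE.COM rather than a user principal such as frank; the client derives <hostname> from the -h argument by resolving it to an address and then taking that address's PTR name; and connecting to 127.0.0.1 therefore yields a principal that cannot match a keytab made for the real hostname. The Python script below is an added example written for this page, not code from the thread, from PostgreSQL or from MIT Kerberos. It mimics that canonicalisation (the non-Windows behaviour described above) against constructed A and PTR tables, and checks a constructed klist -k listing, modelled on the keytab built in the thread, for the expected service principal. The host names, addresses and the klist sample are assumptions for illustration only.

```python
"""Sanity checks for the Kerberos pieces a PostgreSQL server needs: the
service principal the client will ask for, and whether the server keytab
actually contains it. Every input here is constructed for the example."""
import re

REALM = "EXAMPLE.COM"
SRVNAME = "POSTGRES"  # krb_srvname from postgresql.conf

# Constructed DNS view standing in for real lookups: forward (A) records
# and reverse (PTR) records. Note that 127.0.0.1 reverses to "localhost".
A_RECORDS = {"db.example.com": "192.0.2.10", "localhost": "127.0.0.1"}
PTR_RECORDS = {"192.0.2.10": "db.example.com", "127.0.0.1": "localhost"}


def is_ipv4(host):
    """True when the -h argument is already a dotted-quad address."""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def canonical_hostname(host_arg, a_records=A_RECORDS, ptr_records=PTR_RECORDS):
    """Mimic the client-side canonicalisation described in the thread:
    take the -h value, resolve it to an address (skipped when it already
    is one), then take the PTR name of that address. Fall back to the
    original argument when a lookup has no answer."""
    addr = host_arg if is_ipv4(host_arg) else a_records.get(host_arg)
    if addr is None:
        return host_arg
    return ptr_records.get(addr, host_arg)


def expected_service_principal(host_arg, srvname=SRVNAME, realm=REALM, **dns):
    """Service principal the client will request for a given -h argument."""
    return f"{srvname}/{canonical_hostname(host_arg, **dns)}@{realm}"


def parse_klist_keytab(output):
    """Return the distinct principals in `klist -k` output. The real tool
    prints one row per encryption type, hence the de-duplication."""
    principals = []
    for line in output.splitlines():
        m = re.match(r"\s*(\d+)\s+(\S+@\S+)\s*$", line)
        if m and m.group(2) not in principals:
            principals.append(m.group(2))
    return principals


def check_server_keytab(principals, host_arg, **dns):
    """List problems with a server keytab for connections to host_arg:
    a missing service principal, or user principals (no '/' in the
    name) that belong in a client's credentials, not the server keytab."""
    want = expected_service_principal(host_arg, **dns)
    problems = []
    if want not in principals:
        problems.append(f"missing service principal {want}")
    for p in principals:
        if "/" not in p.split("@", 1)[0]:
            problems.append(f"user principal {p} should not be in the server keytab")
    return problems


# Constructed sample in MIT klist -k format, resembling the keytab built
# in the thread: only the user principal frank was added, one row per enctype.
SAMPLE_KLIST = """\
Keytab name: FILE:/var/kerberos/krb5kdc/kadm5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 frank@EXAMPLE.COM
   2 frank@EXAMPLE.COM
   2 frank@EXAMPLE.COM
   2 frank@EXAMPLE.COM
"""

if __name__ == "__main__":
    principals = parse_klist_keytab(SAMPLE_KLIST)
    for host in ("127.0.0.1", "db.example.com"):
        print(host, "->", expected_service_principal(host))
        for problem in check_server_keytab(principals, host):
            print("  ", problem)
```

Run as a script it shows that -h 127.0.0.1 leads to POSTGRES/localhost@EXAMPLE.COM while -h db.example.com leads to POSTGRES/db.example.com@EXAMPLE.COM, and that the sample keytab fails both checks because it contains only frank@EXAMPLE.COM. On a real host, replace the two tables with the actual forward and reverse DNS answers and the sample with the output of klist -k on the file named in krb_server_keyfile.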




Geoff Tolley [ Fri, 16 October 2009 23:12 ] [ ID #2019465 ]

Fwd: configuration kerberos in Postgre sql

---------- Forwarded message ----------
From: rahimeh khodadadi <rahimeh.khodadadi [at] gmail.com>
Date: Sun, Oct 25, 2009 at 4:55 PM
Subject: Re: [ADMIN] configuration kerberos in Postgre sql
To: Geoff Tolley <geoff.tolley [at] yougov.com>


I am new to kerberos. I need help

Do we have to ank a username for every user of postgresql in kadmin.local,
or do we just define one for the PG service?

When I define a principal for every user and then I want to connect to psql,
I get an error.

I will be happy, if you reply.



On Sun, Oct 25, 2009 at 3:15 PM, rahimeh khodadadi <
rahimeh.khodadadi [at] gmail.com> wrote:

> Hi Geoff,
>
> Can you tell me what is your PG version?
> Because, if I define server-name in postgresql.conf, it gives an error.
>
> Thanks in advance
>
> On Sat, Oct 17, 2009 at 3:48 PM, rahimeh khodadadi <
> rahimeh.khodadadi [at] gmail.com> wrote:
>
>> Hi Geoff,
>>
>> Of course, the krb server is the same system that PG has been installed on.
>> When I compiled PG, there was no option like
>> "krb_server_hostname" in the conf file.
>>
>> So, I do not know what to do.
>> And I created POSTGRES/<hostname> [at] EXAMPLE.COM too.
>>
>> On Sat, Oct 17, 2009 at 12:42 AM, Geoff Tolley <geoff.tolley [at] yougov.com>wrote:
>>
>>> Hi Rahimeh,
>>>
>>> Is PG on the same box as the kadmind?
>>>
>>>
>>> rahimeh khodadadi wrote:
>>>
>>>> Has nobody ever worked with krb5 in postgresql?
>>>>
>>>> On 10/12/09, rahimeh khodadadi <rahimeh.khodadadi [at] gmail.com> wrote:
>>>>
>>>>> nobody could help me?
>>>>>
>>>>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>>>>> rahimeh.khodadadi [at] gmail.com> wrote:
>>>>>
>>>>> Hi,
>>>>>>
>>>>>> after compiling postgresql --with-krb5 and setting up the
>>>>>> krb5-server
>>>>>> in centos, I configured the *postgresql.conf* as below:
>>>>>>
>>>>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>>>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>>>>> #krb_caseins_users = off
>>>>>>
>>>>>
>>> I like to specify my krb_server_hostname explicitly here.
>>>
>>>
>>> and
>>>>>>
>>>>>> my *pg_hba.conf* is :
>>>>>>
>>>>>> # "local" is for Unix domain socket connections only
>>>>>> local all postgres trust
>>>>>> # IPv4 local connections:
>>>>>> host all *frank* 0.0.0.0/0 krb5
>>>>>> #host all all 127.0.0.1/32 trust
>>>>>> # IPv6 local connections:
>>>>>> host all all ::1/128 trust
>>>>>>
>>>>>>
>>>>>> ,and kdc.conf
>>>>>>
>>>>>> kdcdefaults]
>>>>>> v4_mode = nopreauth
>>>>>> kdc_tcp_ports = 88
>>>>>>
>>>>>> [realms]
>>>>>> EXAMPLE.COM = {
>>>>>> #master_key_type = des3-hmac-sha1
>>>>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>>>> dict_file = /usr/share/dict/words
>>>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>>>
>>>>>
>>> If this is the same machine as PG, I'm not sure why you have the same
>>> file here as for the keytab to keep the PG service principal in. My manpage
>>> for kdc.conf says that admin_keytab specifies the keytab to be used by
>>> kadmin to authenticate to the database, so really shouldn't be kept very
>>> distinct from the keytab with the PG service principal.
>>>
>>>
>>> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>>>>> des-cbc-crc:v4
>>>>>> des-cbc-crc:afs3
>>>>>> }
>>>>>>
>>>>>> Then, I created the user frank as :
>>>>>>
>>>>>> kadmin.local
>>>>>> Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
>>>>>> kadmin.local: * ank frank*
>>>>>> WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no
>>>>>> policy
>>>>>> Enter password for principal "frank [at] EXAMPLE.COM":
>>>>>> Re-enter password for principal "frank [at] EXAMPLE.COM":
>>>>>>
>>>>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>>>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>>>>> mode
>>>>>> with HMAC/sha1 added to keytab
>>>>>> WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>>>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type DES with
>>>>>> HMAC/sha1
>>>>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>> Entry for principal frank with kvno 2, encryption type DES cbc mode
>>>>>> with
>>>>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>>>
>>>>>
>>> But for PG you'll need a keytab with the service principal you've defined
>>> to be POSTGRES/<hostname> [at] EXAMPLE.COM in it.
>>>
>>>
>>> Finally, it gives error like:
>>>>>>
>>>>>> [root [at] localhost ~]# *kinit frank* -t
>>>>>> /var/kerberos/krb5kdc/kadm5.keytab
>>>>>> Password for frank [at] EXAMPLE.COM:
>>>>>> *kinit(v5): Password incorrect while getting initial credentials*
>>>>>>
>>>>>
>>> I've never had much joy myself when getting tickets from a -t keytab, I
>>> usually just kinit and enter a password instead.
>>>
>>>
>>> or
>>>>>>
>>>>>> in cmd when I run this instruction the below error is shown.
>>>>>>
>>>>>> [root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
>>>>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>>>>>
>>>>>
>>> To construct the service principal the library takes the the -h argument,
>>> then gets the A record for it (if applicable), then gets the PTR record for
>>> the A record to get the hostname for the service principal name (unless
>>> you're using Windows I have found, in which case it just stops and takes the
>>> originally given hostname if an A record exists). Just use a non-127
>>> address instead, it'll make things a lot easier to keep straight. For that
>>> matter, /etc/hostname and /etc/resolv.conf would be good to see too because
>>> of their importance here.
>>>
>>> HTH,
>>> Geoff
>>>
>>>
>>> ---------
>>> Geoff Tolley
>>> DBA/Systems Administrator
>>>
>>> YouGovPolimetrix
>>> 285 Hamilton Avenue Suite 200
>>> Palo Alto, CA 94301
>>> geoff.tolley [at] yougov.com
>>> http://www.yougov.com/
>>>
>>>
>>>
>>>
>>
>>
>> --
>> With Best Regards
>> Miss.KHodadadi
>>
>
>
>
> --
> With Best Regards
> Miss.KHodadadi
>



--
With Best Regards
Miss.KHodadadi



--
With Best Regards
Miss.KHodadadi

des-cbc-crc:afs3<br>
=A0}<br>
<br>
Then, I created the user frank =A0as :<br>
<br>
=A0kadmin.local<br>
Authenticating as principal rahimeh/<a href=3D"mailto:admin [at] EXAMPLE.COM" ta=
rget=3D"_blank">admin [at] EXAMPLE.COM</a> with password.<br>
kadmin.local: * ank frank*<br>
WARNING: no policy specified for <a href=3D"mailto:frank [at] EXAMPLE.COM" targe=
t=3D"_blank">frank [at] EXAMPLE.COM</a>; defaulting to no<br>
policy<br>
Enter password for principal "<a href=3D"mailto:frank [at] EXAMPLE.COM" tar=
get=3D"_blank">frank [at] EXAMPLE.COM</a>":<br>
Re-enter password for principal "<a href=3D"mailto:frank [at] EXAMPLE.COM" =
target=3D"_blank">frank [at] EXAMPLE.COM</a>":<br>
<br>
*kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*<br>
Entry for principal frank with kvno 2, encryption type Triple DES cbc<br>
mode<br>
with HMAC/sha1 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.<b=
r>
Entry for principal frank with kvno 2, encryption type ArcFour with<br>
HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.<br>
Entry for principal frank with kvno 2, encryption type DES with HMAC/sha1<b=
r>
added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.<br>
Entry for principal frank with kvno 2, encryption type DES cbc mode with<br=
>
RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.<br>
</blockquote></blockquote></blockquote>
<br></div>
But for PG you'll need a keytab with the service principal you've d=
efined to be POSTGRES/<hostname> [at] <a href=3D"http://EXAMPLE.COM" targe=
t=3D"_blank">EXAMPLE.COM</a> in it.<div><br>
<br>
<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><blockquote class=
=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); margin=
: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">



<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Finally, it gives error like:<br>
<br>
[root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab<br>
Password for <a href=3D"mailto:frank [at] EXAMPLE.COM" target=3D"_blank">frank [at] E=
XAMPLE.COM</a>:<br>
*kinit(v5): Password incorrect while getting initial credentials*<br>
</blockquote></blockquote></blockquote>
<br></div>
I've never had much joy myself when getting tickets from a -t keytab, I=
usually just kinit and enter a password instead.<div><br>
<br>
<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><blockquote class=
=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, 204, 204); margin=
: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">



<blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, =
204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
or<br>
<br>
in cmd when I run this instruction the below error is shown.<br>
<br>
[root [at] localhost bin]# ./psql -h 127.0.0.1 =A0-U frank<br>
*psql: krb5_sendauth: Bad application version was sent (via sendauth)*<br>
</blockquote></blockquote></blockquote>
<br></div>
To construct the service principal the library takes the the -h argument, t=
hen gets the A record for it (if applicable), then gets the PTR record for =
the A record to get the hostname for the service principal name (unless you=
're using Windows I have found, in which case it just stops and takes t=
he originally given hostname if an A record exists). =A0Just use a non-127 =
address instead, it'll make things a lot easier to keep straight. =A0Fo=
r that matter, /etc/hostname and /etc/resolv.conf would be good to see too =
because of their importance here.<br>




<br>
HTH,<br>
Geoff<br>
<br>
<br>
---------<br>
Geoff Tolley<br>
DBA/Systems Administrator<br>
<br>
YouGovPolimetrix<br>
285 Hamilton Avenue Suite 200<br>
Palo Alto, CA 94301<br><font color=3D"#888888">
<a href=3D"mailto:geoff.tolley [at] yougov.com" target=3D"_blank">geoff.tolley [at] y=
ougov.com</a><br>
<a href=3D"http://www.yougov.com/" target=3D"_blank">http://www.yougov.com/=
</a><br>
<br>
<br>
<br>
</font></blockquote></div><br><br clear=3D"all"><br></div></div>-- <br><div=
><div></div><div>With Best Regards<br>Miss.KHodadadi<br>
</div></div></blockquote></div><br><br clear=3D"all"><br>-- <br>With Best R=
egards<br>Miss.KHodadadi<br>
</div></div></blockquote></div><br><br clear=3D"all"><br>-- <br>With Best R=
egards<br>Miss.KHodadadi<br>
</div></div></div><br><br clear=3D"all"><br>-- <br>With Best Regards<br>Mis=
s.KHodadadi<br>

--0016e6d7ee572947030476d1de33--
rahimeh khodadadi [ Mon, 26 October 2009 08:54 ] [ ID #2020418 ]

Re: configuration kerberos in Postgre sql


Hi,

I am trying to set up Kerberos authentication in PostgreSQL 8.1.18 on CentOS.

But I have some problems.

I set up postgresql.conf as below:

krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star [at] EXAMPLE.COM'
krb_server_hostname = 'star' # empty string matches any keytab entry
krb_caseins_users = off


(star is the localhost IP, but in hosts.conf I configured it like: 213.233.169.93 star)

Then hba.conf

host all all 0.0.0.0/0 krb5
host all all 127.0.0.1/32 krb5

When I want to connect to postgresql, it gives an error.

# kinit frank

[root [at] star bin]# ./psql -h star -U frank -d test
psql: krb5_sendauth: Bad application version was sent (via sendauth)

and both the postgresql server and the krb-server are on the same system. Where is
it wrong?
Please help me.


On Sat, Oct 17, 2009 at 12:42 AM, Geoff Tolley <geoff.tolley [at] yougov.com> wrote:

> Hi Rahimeh,
>
> Is PG on the same box as the kadmind?
>
>
> rahimeh khodadadi wrote:
>
>> Has nobody ever worked with krb5 in postgresql?
>>
>> On 10/12/09, rahimeh khodadadi <rahimeh.khodadadi [at] gmail.com> wrote:
>>
>>> nobody could help me?
>>>
>>> On Sun, Oct 11, 2009 at 5:06 PM, rahimeh khodadadi <
>>> rahimeh.khodadadi [at] gmail.com> wrote:
>>>
>>> Hi,
>>>>
>>>> after compiling the postgresql --with-krb5 and setting up the
>>>> krb5-server
>>>> in centos, I configured the *postgresql.conf* as below:
>>>>
>>>> *krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'*
>>>> *krb_srvname = 'POSTGRES' * # (Kerberos only)
>>>> #krb_caseins_users = off
>>>>
>>>
> I like to specify my krb_server_hostname explicitly here.
>
>
> and
>>>>
>>>> my *pg_hba.conf* is :
>>>>
>>>> # "local" is for Unix domain socket connections only
>>>> local all postgres trust
>>>> # IPv4 local connections:
>>>> host all *frank* 0.0.0.0/0 krb5
>>>> #host all all 127.0.0.1/32 trust
>>>> # IPv6 local connections:
>>>> host all all ::1/128 trust
>>>>
>>>>
>>>> ,and kdc.conf
>>>>
>>>> [kdcdefaults]
>>>> v4_mode = nopreauth
>>>> kdc_tcp_ports = 88
>>>>
>>>> [realms]
>>>> EXAMPLE.COM = {
>>>> #master_key_type = des3-hmac-sha1
>>>> * acl_file = /var/kerberos/krb5kdc/kadm5.acl*
>>>> dict_file = /usr/share/dict/words
>>>> admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
>>>>
>>>
> If this is the same machine as PG, I'm not sure why you have the same file
> here as for the keytab to keep the PG service principal in. My manpage for
> kdc.conf says that admin_keytab specifies the keytab to be used by kadmin to
> authenticate to the database, so really shouldn't be kept very distinct from
> the keytab with the PG service principal.
>
>
> supported_enctypes = des3-hmac-sha1:normal arcfour-hmac:normal
>>>> des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
>>>> des-cbc-crc:v4
>>>> des-cbc-crc:afs3
>>>> }
>>>>
>>>> Then, I created the user frank as :
>>>>
>>>> kadmin.local
>>>> Authenticating as principal rahimeh/admin [at] EXAMPLE.COM with password.
>>>> kadmin.local: * ank frank*
>>>> WARNING: no policy specified for frank [at] EXAMPLE.COM; defaulting to no
>>>> policy
>>>> Enter password for principal "frank [at] EXAMPLE.COM":
>>>> Re-enter password for principal "frank [at] EXAMPLE.COM":
>>>>
>>>> *kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab frank*
>>>> Entry for principal frank with kvno 2, encryption type Triple DES cbc
>>>> mode
>>>> with HMAC/sha1 added to keytab
>>>> WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type ArcFour with
>>>> HMAC/md5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES with
>>>> HMAC/sha1
>>>> added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>> Entry for principal frank with kvno 2, encryption type DES cbc mode with
>>>> RSA-MD5 added to keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
>>>>
>>>
> But for PG you'll need a keytab with the service principal you've defined
> to be POSTGRES/<hostname> [at] EXAMPLE.COM in it.
>
>
> Finally, it gives error like:
>>>>
>>>> [root [at] localhost ~]# *kinit frank* -t /var/kerberos/krb5kdc/kadm5.keytab
>>>> Password for frank [at] EXAMPLE.COM:
>>>> *kinit(v5): Password incorrect while getting initial credentials*
>>>>
>>>
> I've never had much joy myself when getting tickets from a -t keytab, I
> usually just kinit and enter a password instead.
>
>
> or
>>>>
>>>> in cmd when I run this instruction the below error is shown.
>>>>
>>>> [root [at] localhost bin]# ./psql -h 127.0.0.1 -U frank
>>>> *psql: krb5_sendauth: Bad application version was sent (via sendauth)*
>>>>
>>>
> To construct the service principal the library takes the -h argument,
> then gets the A record for it (if applicable), then gets the PTR record for
> the A record to get the hostname for the service principal name (unless
> you're using Windows I have found, in which case it just stops and takes the
> originally given hostname if an A record exists). Just use a non-127
> address instead, it'll make things a lot easier to keep straight. For that
> matter, /etc/hostname and /etc/resolv.conf would be good to see too because
> of their importance here.
>
> HTH,
> Geoff
>
>
> ---------
> Geoff Tolley
> DBA/Systems Administrator
>
> YouGovPolimetrix
> 285 Hamilton Avenue Suite 200
> Palo Alto, CA 94301
> geoff.tolley [at] yougov.com
> http://www.yougov.com/
>
>
>
>


--
With Best Regards
Miss.KHodadadi
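
The script below is an added example for the two posts above; it is not code from this thread, from PostgreSQL or from MIT Kerberos. It models in plain Python what each side derives from the configuration that was posted. On the server, PostgreSQL 8.x builds the principal it looks up in krb_server_keyfile as krb_srvname/krb_server_hostname@REALM, with krb_server_hostname defaulting to the server's own host name, so krb_srvname has to be the bare service name ('postgres' by default, which is also what libpq's krbsrvname parameter defaults to) and not 'postgres/star@EXAMPLE.COM'. That keytab must hold the service principal, not the user frank, and it should not be the KDC's own kadm5.keytab; note also that kadmin's ktadd randomises the key of every principal it exports, so the password given to addprinc stops working after ktadd, which matches the kinit failure in the first post. On the client, the host part comes from the -h argument after forward and reverse lookup, as Geoff describes, so -h 127.0.0.1 asks for postgres/localhost@REALM while the keytab holds postgres/star@REALM. The config text, the klist -k listings and the DNS tables are constructed to mirror the thread; the realm EXAMPLE.COM is the one used in the posts, and the fallback host name 'localhost' is an assumption taken from the shell prompt in the first post.

```python
"""Model of what PostgreSQL 8.x (krb5 auth) and libpq derive from the settings
posted in this thread. Added example: not code from the thread, from PostgreSQL
or from MIT Kerberos. Config text, klist output and the DNS tables below are
constructed to mirror the posts; nothing here touches files or the network."""
import re

REALM = "EXAMPLE.COM"  # the realm used throughout the thread


def parse_postgresql_conf(text):
    """Return {name: value} for the krb_* settings, ignoring '#' comments."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(krb_\w+)\s*=\s*'?([^']*?)'?\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def expected_service_principal(settings, default_host):
    """Principal the server looks up in krb_server_keyfile:
    krb_srvname/krb_server_hostname@REALM, krb_server_hostname defaulting to
    the server's host name (default_host, assumed here). krb_srvname must be
    the bare service name; 'postgres/star@EXAMPLE.COM' is rejected."""
    srvname = settings.get("krb_srvname", "postgres")
    if "/" in srvname or "@" in srvname:
        raise ValueError("krb_srvname must be a bare service name, not %r" % srvname)
    host = settings.get("krb_server_hostname") or default_host
    return "%s/%s@%s" % (srvname, host, REALM)


def parse_klist(text):
    """Principals from 'klist -k' output (lines of 'KVNO Principal')."""
    found = []
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+(\S+@\S+)", line)
        if m:
            found.append(m.group(1))
    return found


def audit_server_keytab(settings, keytab_principals, default_host):
    """Report the keytab mistakes visible in the thread as a list of strings."""
    problems = []
    keyfile = settings.get("krb_server_keyfile", "")
    if keyfile.startswith("/var/kerberos/krb5kdc/"):
        problems.append("krb_server_keyfile %s is a KDC keytab; give PostgreSQL "
                        "its own keytab, readable only by the postgres user" % keyfile)
    try:
        want = expected_service_principal(settings, default_host)
        if want not in keytab_principals:
            problems.append("service principal %s is not in the keytab" % want)
    except ValueError as e:
        problems.append(str(e))
    for p in keytab_principals:
        if "/" not in p.split("@", 1)[0]:
            # a user principal in a service keytab; ktadd also randomised its
            # key, so the password set with addprinc no longer works
            problems.append("user principal %s in the server keytab" % p)
    return problems


def client_service_principal(h_arg, srvname, dns_a, dns_ptr):
    """Host part as Geoff describes it: -h value -> A record (if it is a name)
    -> PTR record -> host name. dns_a and dns_ptr are constructed stand-ins
    for the resolver."""
    is_ip = re.match(r"^\d+(\.\d+){3}$", h_arg) is not None
    addr = h_arg if is_ip else dns_a.get(h_arg)
    if addr is None:
        raise LookupError("no A record for %s" % h_arg)
    host = dns_ptr.get(addr)
    if host is None:
        raise LookupError("no PTR record for %s" % addr)
    return "%s/%s@%s" % (srvname, host, REALM)


# Constructed from the first post: the KDC admin keytab, service name in caps.
CONF_FIRST_POST = """
krb_server_keyfile = '/var/kerberos/krb5kdc/kadm5.keytab'
krb_srvname = 'POSTGRES'        # (Kerberos only)
#krb_caseins_users = off
"""
# Constructed from the second post: host and realm packed into krb_srvname.
CONF_SECOND_POST = """
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres/star@EXAMPLE.COM'
krb_server_hostname = 'star'
krb_caseins_users = off
"""
# Constructed corrected settings.
CONF_FIXED = """
krb_server_keyfile = '/usr/local/pgsql/data/postgresql.keytab'
krb_srvname = 'postgres'
krb_server_hostname = 'star'
"""
# Constructed 'klist -k' output: the keytab from the first post holds only frank.
KLIST_FIRST_POST = """Keytab name: FILE:/var/kerberos/krb5kdc/kadm5.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 frank@EXAMPLE.COM
"""
# Constructed 'klist -k' output: a keytab holding only the service principal.
KLIST_FIXED = """Keytab name: FILE:/usr/local/pgsql/data/postgresql.keytab
KVNO Principal
---- ----------------------------------------------------------------------
   2 postgres/star@EXAMPLE.COM
"""
# Constructed resolver tables: 'star' maps as in the second post's hosts file.
DNS_A = {"star": "213.233.169.93", "localhost": "127.0.0.1"}
DNS_PTR = {"213.233.169.93": "star", "127.0.0.1": "localhost"}

if __name__ == "__main__":
    for label, conf, klist in (("first post", CONF_FIRST_POST, KLIST_FIRST_POST),
                               ("second post", CONF_SECOND_POST, KLIST_FIXED),
                               ("fixed", CONF_FIXED, KLIST_FIXED)):
        problems = audit_server_keytab(parse_postgresql_conf(conf), parse_klist(klist), "localhost")
        print(label, "->", problems or "ok")
    for h in ("star", "127.0.0.1"):
        print("psql -h", h, "asks for", client_service_principal(h, "postgres", DNS_A, DNS_PTR))
```

Run it as a script to see the three configurations side by side: the first post fails on all three checks, the second only on the malformed krb_srvname, and the corrected one passes; the last two lines show why -h 127.0.0.1 cannot match a keytab made for star.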

rahimeh khodadadi [ Mon, 09 November 2009 07:16 ] [ ID #2022175 ]
Databases » gmane.comp.db.postgresql.admin » configuration kerberos in Postgre sql
