I'm trying to configure authentication between PostgreSQL database server on linux and Windows Active Directory.
First part of configuration is working but when I'm trying to authenticate from Windows client, it is not working with message: Can't obtain database list from the server. SSPI continuation error. The specified target is unknown or unreachable (80090303) On Windows: Domain is AD.CORP.COM Host is: WIN.AD.CORP.COM, IP is 192.168.1.173 On Linux (Ubuntu 16.04) hostname is UBUNTU.ad.corp.com, IP is 192.168.1.143 DNS are configured to reach the AD sytem (.173) PostgreSQL 9.6.9 on x86_64-pc-linux-gnu (Ubuntu 9.6.9-2.pgdg16.04+1), compiled by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit I've created à service user called POSTGRES and a normal user in AD called ubuntupg. Finally I've created the SPN: setspn -A POSTGRES/UBUNTU.ad.corp.com POSTGRES Generated the keytab to put on the linux server: ktpass -out postgres.keytab -princ POSTGRES/ubuntu.ad.corp....@ad.corp.com -mapUser POSTGRES -pass 'thepassword' -crypto all -ptype KRB5_NT_PRINCIPAL On the linux /etc/krb5.conf: [libdefaults] debug=true default_realm = AD.CORP.COM dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 24h renew_lifetime = 7d forwardable = true [realms] AD.CORP.COM = { kdc = WIN.AD.CORP.COM } [domain_realm] ad.corp.com = AD.CORP.COM .ad.corp.com = AD.CORP.COM Making this command work and klist return a ticket: kinit -V -k -t /etc/postgresql/9.6/main/postgres.keytab POSTGRES/ubuntu.ad.corp....@ad.corp.com klist -k /etc/postgresql/9.6/main/postgres.keytab POSTGRES/ubuntu.ad.corp....@ad.corp.com Here is the added onfiguration to postgresql.conf krb_server_keyfile = '/etc/postgresql/9.6/main/postgres.keytab' Here is the configuration of pg_hba.conf host all all 0.0.0.0/0 gss Up to here, all is working as expected, kinit with ubuntupg is also working well. ubuntupg and ubunt...@ad.corp.com is also created on the database. The probleme is when I try, from a Windows client, connecting to the DB. psql.exe -h 192.168.1.143 -U ubuntupg Can't obtain database list from the server. SSPI continuation error. The specified target is unknown or unreachable (80090303) PostgreSQL log file show: 2019-02-28 14:02:54.178 EST [6747] [unknown]@[unknown] LOG: 00000: connection received: host=192.168.1.176 port=57254 2019-02-28 14:02:54.178 EST [6747] [unknown]@[unknown] LOCATION: BackendInitialize, postmaster.c:4188 2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg FATAL: 28000: GSSAPI authentication failed for user "ubuntupg" 2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg DETAIL: Connection matched pg_hba.conf line 92: "host all all 0.0.0.0/0 gss" 2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg LOCATION: auth_failed, auth.c:307 psql.exe -h 192.168.1.143 -U ubunt...@ad.corp.com 2019-02-28 14:06:35.992 EST [6866] [unknown]@[unknown] LOG: 00000: connection received: host=192.168.1.176 port=57282 2019-02-28 14:06:35.992 EST [6866] [unknown]@[unknown] LOCATION: BackendInitialize, postmaster.c:4188 2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com FATAL: 28000: GSSAPI authentication failed for user "ubunt...@ad.corp.com" 2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com DETAIL: Connection matched pg_hba.conf line 96: "host all all 0.0.0.0/0 gss" 2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com LOCATION: auth_failed, auth.c:307 Thank you very much for your help. Best regards,