I'm trying to configure authentication between a PostgreSQL database server on 
Linux and Windows Active Directory.

The first part of the configuration is working, but when I try to authenticate 
from a Windows client, it fails with the message: Can't obtain database list 
from the server. SSPI continuation error. The specified target is unknown or 
unreachable (80090303)

On Windows:

Domain is AD.CORP.COM

Host is: WIN.AD.CORP.COM, IP is 192.168.1.173

On Linux (Ubuntu 16.04)

hostname is UBUNTU.ad.corp.com, IP is 192.168.1.143

DNS is configured to reach the AD system (.173)

PostgreSQL 9.6.9 on x86_64-pc-linux-gnu (Ubuntu 9.6.9-2.pgdg16.04+1), compiled 
by gcc (Ubuntu 5.4.0-6ubuntu1~16.04.9) 5.4.0 20160609, 64-bit

I've created a service user called POSTGRES and a normal user in AD called 
ubuntupg.

Finally I've created the SPN:

setspn -A POSTGRES/UBUNTU.ad.corp.com POSTGRES

Generated the keytab to put on the Linux server:

ktpass -out postgres.keytab -princ POSTGRES/ubuntu.ad.corp....@ad.corp.com -mapUser POSTGRES -pass 'thepassword' -crypto all -ptype KRB5_NT_PRINCIPAL

On Linux, /etc/krb5.conf:

[libdefaults]
  debug=true
  default_realm = AD.CORP.COM
  dns_lookup_realm = false
  dns_lookup_kdc = false
  ticket_lifetime = 24h
  renew_lifetime = 7d
  forwardable = true

[realms]
  AD.CORP.COM = {
    kdc = WIN.AD.CORP.COM
  }

[domain_realm]
  ad.corp.com = AD.CORP.COM
  .ad.corp.com = AD.CORP.COM

With this, the following command works and klist returns a ticket:

kinit -V -k -t /etc/postgresql/9.6/main/postgres.keytab POSTGRES/ubuntu.ad.corp....@ad.corp.com

klist -k /etc/postgresql/9.6/main/postgres.keytab

POSTGRES/ubuntu.ad.corp....@ad.corp.com

Here is the configuration added to postgresql.conf:

krb_server_keyfile = '/etc/postgresql/9.6/main/postgres.keytab'

Here is the configuration of pg_hba.conf:

host    all              all            0.0.0.0/0 gss

Up to here, everything is working as expected; kinit with ubuntupg is also 
working well. ubuntupg and ubunt...@ad.corp.com are also created in the 
database. The problem is when I try to connect to the DB from a Windows client.

psql.exe -h 192.168.1.143 -U ubuntupg

Can't obtain database list from the server. SSPI continuation error. The 
specified target is unknown or unreachable (80090303)

The PostgreSQL log file shows:

2019-02-28 14:02:54.178 EST [6747] [unknown]@[unknown] LOG:  00000: connection received: host=192.168.1.176 port=57254
2019-02-28 14:02:54.178 EST [6747] [unknown]@[unknown] LOCATION:  BackendInitialize, postmaster.c:4188
2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg FATAL:  28000: GSSAPI authentication failed for user "ubuntupg"
2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg DETAIL:  Connection matched pg_hba.conf line 92: "host    all              all            0.0.0.0/0 gss"
2019-02-28 14:02:54.331 EST [6747] ubuntupg@ubuntupg LOCATION:  auth_failed, auth.c:307

psql.exe -h 192.168.1.143 -U ubunt...@ad.corp.com

2019-02-28 14:06:35.992 EST [6866] [unknown]@[unknown] LOG:  00000: connection received: host=192.168.1.176 port=57282
2019-02-28 14:06:35.992 EST [6866] [unknown]@[unknown] LOCATION:  BackendInitialize, postmaster.c:4188
2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com FATAL:  28000: GSSAPI authentication failed for user "ubunt...@ad.corp.com"
2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com DETAIL:  Connection matched pg_hba.conf line 96: "host    all              all            0.0.0.0/0 gss"
2019-02-28 14:06:36.148 EST [6866] ubunt...@ad.corp.com@ubunt...@ad.corp.com LOCATION:  auth_failed, auth.c:307

Thank you very much for your help.

Best regards,

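An added example, not part of the original post: a check of the service principal a libpq client requests (krbsrvname/host, with krbsrvname defaulting to postgres) against the principals in a keytab like the one generated with ktpass above. The host names, realm and finding codes are constructed for illustration, and the exact, case-sensitive comparison is an assumption about how the server side matches keytab entries.

```python
import ipaddress

DEFAULT_KRBSRVNAME = "postgres"  # libpq's default for the krbsrvname parameter


def requested_spn(host, krbsrvname=DEFAULT_KRBSRVNAME):
    """Service principal the client asks a ticket for: krbsrvname/host."""
    return f"{krbsrvname}/{host}"


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_connection(host, keytab_principals, krbsrvname=DEFAULT_KRBSRVNAME):
    """Return finding codes (hypothetical names); an empty list means an exact keytab match."""
    findings = []
    if is_ip_literal(host):
        # SPNs are registered per host name, so an IP in -h yields an unknown target.
        findings.append("ip-literal-host")
    wanted = requested_spn(host, krbsrvname)
    names = [p.partition("@")[0] for p in keytab_principals]  # drop @REALM
    if wanted in names:
        return findings
    # Entries that differ from the requested name only by letter case.
    near = [n for n in names if n.lower() == wanted.lower()]
    if not near:
        findings.append("no-matching-principal")
    for name in near:
        service, _, khost = name.partition("/")
        if service != krbsrvname:
            findings.append("service-case-mismatch")
        if khost != host:
            findings.append("host-case-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not the poster's real principals.
    keytab = ["POSTGRES/db.example.test@EXAMPLE.TEST"]
    for host, srv in [("192.0.2.10", "postgres"),
                      ("db.example.test", "postgres"),
                      ("db.example.test", "POSTGRES")]:
        print(requested_spn(host, srv), check_connection(host, keytab, srv))
```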