"Tomas" == Tomas Pospisek <tpo2@sourcepole.ch> writes:
Hello all,
tldr:
D:\>C:\OSGeo4W\bin\psql.exe service=the_db
psql: error: connection to server at "dbserver.example.lan
(192.168.4.104), port 5432 failed: could not initiate GSSAPI
security context: No credentials were supplied, or the credentials
were unavailable or inaccessible: Internal credentials cache error
Goal
====
I want to have my Postgresql clients (in this case psql.exe) on Windows
to authenticate against Active Directory.
Steps taken so far
==================
Linux client -> Active Directory -> Linux server works ------------------------------------------------------
I was able to get psql on Linux to authenticate against Active Directory
and with the service ticket that it got from Active Directory to
authenticate to the Postgresql service and server.
Windows client -> Active Directory does not work ------------------------------------------------
I do know that psql.exe (on Windows) is linked and is using GSS to do Kerberos authentication.
A psql.exe that is not linked against GSS will tell me: "gssencmode
value "require" invalid when GSSAPI support is not compiled in"
A psql.exe that is linked against GSS will not tell me that. I'm
evidently now using the latter - a psql.exe that is linked against GSS.
So I know that the psql.exe that I'm using is linked against GSS.
Also, in the Windows shell I can issue a klist, and I see the Ticket
Granting Ticket and I see various service tickets (mainly to mount CIFS shares).
Also on Windows shell I can issue a
klist get postgres/dbserver.example.lan@EXAMPLE.LAN
and I see the ticket listed when I issue klist.
So I know that getting the service ticket on the Windows client doesindeed work.
When using psql.exe without setting `gssencmode = require` I am able to authenticate with username/password and connect to the Postgresql
service on the DB server just fine.
So I know that there is no problem with psql.exe wrt to connecting tothe Postgresql server and there is no problem with authentication per se.
I tried to trace psql.exe with the "Process Monitor" tool. I see that
(for whatever reason), psql.exe will open a TCP connection to the
Postgresql server. But it will *NOT* open a connection to the Active Directory server.
Maybe it *shoud* connect to a local (that is on the local host) authentication/active directory service, but I do not know enough
Windows to know how I would see that in the "Process Monitor" trace.
I can see that psql.exe is accessing the Windows Registry and that it's accessing various DLLs, among others the kerberos library, and various
config files, such as the krb5.conf file, but I can not see it accessing
a keytab.
Again I do not know *exactly* how Active Directory/Kerberos access works
on Windows, but I *suspect* that the protocol on a Windows client is
*not* using keytab file.
I do see that `psql.exe` is trying to access a `ccapiserver.exe` file,
that is not there.
Question: is a `ccapiserver.exe` executable required in order to be able
to access tickets from a Kerberos client on a Windows client?
Other question: is the error "Internal credentials cache error" the root cause of psql.exe not being able to authenticate against Active
Directory (I am supposing that the error "Internal credentials cache
error" refers to the kerberos client not being able to access the
*existing* tickets. But in "theory" psql.exe could try getting a ticket *without* accessing the existing tickets? So it wouldn't have to
forcibly fail there?).
And another question: is there any way to make GSS more talkative? At
this moment all that I can get as logs is the above "computer says no".
I was able to set the kerberos log to a local file, but that just tells
me that the client now wants to do authentication and that's that.
So that's as far as I got and I'm a bit at the end of my wisdom and a
would very, very much appreciate:
* help on how to proceed from here
* pointers to how configure krb5.conf-wise a given Windows executable
that links against GSS so that it can authenticate against active directory
* any help and pointer or debugging help
* has anybody been able to authenticate from Windows against Active
Directory and how did you do that respectively how did you set it up?
Any help would be very, very much appreciated, thank you.
*t
________________________________________________
Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
Also, since I got precisely zilch feedback here while there were other >postings here I'm under the impression that this is a mailing list with
*no* user support (but instead a development list or similar).
In case anybody is interested (or as a reference for future readers): I was able to resolve the problem. See https://www.postgresql.org/message-id/08b836a7-272a-2309-da45-ac691fccacb8%40sourcepole.ch
for details.
Also, since I got precisely zilch feedback here while there were other postings here I'm under the impression that this is a mailing list with *no* user support (but instead a development list or similar). If that's the
case, then it would be certainly helpful for other similar poor mislead
souls like me to have that characteristic of the mailing list documented on it's page: http://web.mit.edu/kerberos/new/mail-lists.html ...
"Tomas" == Tomas Pospisek <tpo2@sourcepole.ch> writes:
Tomas> Also, since I got precisely zilch feedback here while there
Tomas> were other postings here I'm under the impression that this
Tomas> is a mailing list with *no* user support (but instead a
Tomas> development list or similar). If that's the case, then it
Tomas> would be certainly helpful for other similar poor mislead
Tomas> souls like me to have that characteristic of the mailing list
Tomas> documented on it's page:
Tomas> http://web.mit.edu/kerberos/new/mail-lists.html ...
I've been reading this list since the mid 90's, and I believe your post
was on-topic.
For myself, I didn't happen to know the answer off the top of my head,
and your post came in at a point where I didn't have any spare cycles.
I'm also a lot less involved in Kerberos than I used to be.
Also, since I got precisely zilch feedback here while there were other
postings here I'm under the impression that this is a mailing list with
*no* user support (but instead a development list or similar).
Dude, I can't speak for anyone else, but I didn't know the answer (and
it involved Windows, which I am not that familiar with), _and_ my
day job does not pay me to support people on the MIT Kerberos mailing
list. That's not to say I'm opposed to helping people, but if I don't
know the answer I'm not going to chime in with a "Sorry, I have no idea"
kind of answer because that doesn't help anyone.
Judging by the thread you posted, it sure seems like the problem
was specific to the Postgresql implementation on Windows so it's not surprising nobody here would be an expert on that.
I have to apologize to everyone here and thank you and Sam for your
feedback: the tone of my original message was an edge to sharp. I should
have had my frustration under control that my asking a lowly question
gets no reply on a mailing list with evidently a kiloton of critically >condensed knowledge in the subject matter. Of course nobody owes me
nothing here - sorry.
Judging by the thread you posted, it sure seems like the problem
was specific to the Postgresql implementation on Windows so it's not
surprising nobody here would be an expert on that.
The question was in fact not specific to Postgresql. It was pretty much
a generic "I can't get my windows client to authenticate via >SSPI/AD/Kerberos". It was just that it was psql that showed the symptoms
and that I as a newbie in the subject matter was caught up in that >oekosystem. However the problem is/was a generic client ->
SSPI/AD/Kerberos one.
Sysop: | Keyop |
---|---|
Location: | Huddersfield, West Yorkshire, UK |
Users: | 300 |
Nodes: | 16 (2 / 14) |
Uptime: | 10:05:33 |
Calls: | 6,706 |
Files: | 12,236 |
Messages: | 5,350,838 |