BUG #4126: KRB5/GSSAPI authentication fails for multipart kerberos principals
From | Peter Koczan |
---|---|
Subject | BUG #4126: KRB5/GSSAPI authentication fails for multipart kerberos principals |
Date | |
Msg-id | 200804231717.m3NHH1vq092328@wwwmaster.postgresql.org |
List | pgsql-bugs |
The following bug has been logged online:

Bug reference: 4126
Logged by: Peter Koczan
Email address: pjkoczan@gmail.com
PostgreSQL version: 8.3.1
Operating system: Red Hat Enterprise Linux 5
Description: KRB5/GSSAPI authentication fails for multipart kerberos principals
Details:

When trying to connect to an 8.3 server using a multipart Kerberos principal (e.g. ator/wsbackup.cs.wisc.edu@CS.WISC.EDU or koczan/mail@CS.WISC.EDU instead of wsbackup@CS.WISC.EDU or koczan@CS.WISC.EDU), the connection fails, claiming a name mismatch. This is a change from 8.2 and I found nothing in the changelog or documentation to suggest this change or offer a workaround.

This happens no matter what client libraries I'm using (I'll connect using 8.3 clients only to illustrate this point).

Here's what happens with a normal login principal:

```
[koczan@ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_zWQIbO
Default principal: koczan@CS.WISC.EDU
...

[koczan@ator] koczan $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
      \h for help with SQL commands
      \? for help with psql commands
      \g or terminate with semicolon to execute query
      \q to quit

WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
 current_user
--------------
 koczan
(1 row)

[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
Welcome to psql 8.3.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
      \h for help with SQL commands
      \? for help with psql commands
      \g or terminate with semicolon to execute query
      \q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.3.1 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
 current_user
--------------
 koczan
(1 row)
```

And what happens with my "mail" instance:

```
[root@ator ~]# su - koczan
[koczan@ator] ~ $ klist
klist: No credentials cache found (ticket cache FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc)
...
[koczan@ator] ~ $ kinit -f -k -t /var/adm/krb5/quickauth/kt/koczan.mail.kt -l 1d koczan/mail@CS.WISC.EDU
[koczan@ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc
Default principal: koczan/mail@CS.WISC.EDU
...
```

Connecting to an 8.2 server works just fine...

```
[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
      \h for help with SQL commands
      \? for help with psql commands
      \g or terminate with semicolon to execute query
      \q to quit

WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
                                  version
----------------------------------------------------------------------------
 PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
 current_user
--------------
 koczan
(1 row)
```

However, connecting to an 8.3 server...

```
[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "sushi", SSL off
```

And this shows up in the syslog...

```
Apr 23 12:02:41 sensei postgres[23100]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=49188
Apr 23 12:02:41 sensei postgres[23100]: [4-1] LOG: unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 sensei postgres[23100]: [5-1] FATAL: Kerberos 5 authentication failed for user "koczan"
Apr 23 12:02:41 sensei postgres[23101]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=49189
Apr 23 12:02:41 sensei postgres[23101]: [4-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "sushi", SSL off
```

The appropriate line in pg_hba.conf shows

```
hostssl all all 128.105.0.0/16 krb5
```

I'm connecting via native krb5, but this problem (or a variant of it) occurs when using GSSAPI authentication...

```
[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "sushi", SSL off

Apr 23 12:08:02 sensei postgres[23257]: [4-1] LOG: connection received: host=ator.cs.wisc.edu port=49409
Apr 23 12:08:02 sensei postgres[23257]: [5-1] FATAL: GSSAPI authentication failed for user "koczan"
Apr 23 12:08:02 sensei postgres[23258]: [4-1] LOG: connection received: host=ator.cs.wisc.edu port=49410
Apr 23 12:08:02 sensei postgres[23258]: [5-1] FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan", database "sushi", SSL off
```

Different things happen when I turn SSL off, but it's still failing to connect...

Native krb5 / SSL off:

```
[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: Kerberos 5 authentication failed for user "koczan"

Apr 23 12:12:10 sensei postgres[23327]: [6-1] LOG: connection received: host=ator.cs.wisc.edu port=49525
Apr 23 12:12:11 sensei postgres[23327]: [7-1] LOG: unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23327]: [8-1] FATAL: Kerberos 5 authentication failed for user "koczan"
Apr 23 12:12:11 sensei postgres[23328]: [6-1] LOG: connection received: host=ator.cs.wisc.edu port=49526
Apr 23 12:12:11 sensei postgres[23328]: [7-1] LOG: unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23328]: [8-1] FATAL: Kerberos 5 authentication failed for user "koczan"
```

GSSAPI / SSL off:

```
[koczan@ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: duplicate GSS authentication request

Apr 23 12:10:21 sensei postgres[23287]: [5-1] LOG: connection received: host=ator.cs.wisc.edu port=49462
Apr 23 12:10:22 sensei postgres[23287]: [6-1] FATAL: GSSAPI authentication failed for user "koczan"
Apr 23 12:10:22 sensei postgres[23288]: [5-1] LOG: connection received: host=ator.cs.wisc.edu port=49463
Apr 23 12:10:22 sensei postgres[23288]: [6-1] FATAL: GSSAPI authentication failed for user "koczan"
```
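The following triage script is an added example, not part of the original report and not PostgreSQL code: it groups server log lines of the kind shown above by backend PID and separates failures where the expected Kerberos name is the requested user plus an instance (the case reported here) from unrelated name mismatches. The function names, the category labels and the PID 30001 line are assumptions made for the example.

```python
import re
from collections import defaultdict

# Lines copied from the report above; the PID 30001 line is constructed.
SAMPLE = """\
Apr 23 12:02:41 sensei postgres[23100]: [3-1] LOG: connection received: host=ator.cs.wisc.edu port=49188
Apr 23 12:02:41 sensei postgres[23100]: [4-1] LOG: unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 sensei postgres[23100]: [5-1] FATAL: Kerberos 5 authentication failed for user "koczan"
Apr 23 12:08:02 sensei postgres[23257]: [5-1] FATAL: GSSAPI authentication failed for user "koczan"
Apr 23 12:09:00 sensei postgres[30001]: [4-1] LOG: unexpected Kerberos user name received from client (received "alice", expected "bob")
"""

LINE = re.compile(r'postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] (?:LOG|FATAL):\s+(?P<msg>.*)$')
MISMATCH = re.compile(r'unexpected Kerberos user name received from client '
                      r'\(received "(?P<received>[^"]*)", expected "(?P<expected>[^"]*)"\)')
FAILED = re.compile(r'(?P<method>Kerberos 5|GSSAPI) authentication failed '
                    r'for user "(?P<user>[^"]*)"')

def classify(received, expected):
    """Label a mismatch: same primary with an extra instance, or a different name."""
    primary, sep, instance = expected.partition("/")
    if sep and instance and primary == received:
        return "instance-mismatch"
    return "name-mismatch"

def triage(text):
    """Return one finding per backend PID that logged an auth failure or mismatch."""
    sessions = defaultdict(dict)
    for line in text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        s = sessions[m["pid"]]
        if (mm := MISMATCH.search(m["msg"])):
            s.update(received=mm["received"], expected=mm["expected"],
                     kind=classify(mm["received"], mm["expected"]))
        elif (f := FAILED.search(m["msg"])):
            s.update(method=f["method"], user=f["user"])
    findings = []
    for pid, s in sessions.items():
        if s:  # skip backends that only logged "connection received"
            s.setdefault("kind", "no-detail")  # failure without a mismatch line
            findings.append({"pid": pid, **s})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

The GSSAPI failures in the report carry no mismatch line, so they come out as `no-detail` and have to be correlated with the client's ticket cache by hand.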