Kerberos Authentication to Postgres from PGADMIN in IPA REALM

From Gregory McKaige
Subject Kerberos Authentication to Postgres from PGADMIN in IPA REALM
Date
Msg-id CABWLcXxz4PhPzcxa6hPFmuSOtZiJRw8ggnwwk71PCjNtmxjkXw@mail.gmail.com
Replies Re: Kerberos Authentication to Postgres from PGADMIN in IPA REALM  (Khushboo Vashi <khushboo.vashi@enterprisedb.com>)
List pgadmin-support
Environment:
  VM -  FreeIPA providing LDAP/Kerberos (FreeIPA 4.10.0) on Rocky Linux 9.1
  VM - Rocky Linux 9.1 as Docker Host
         -- PGADMIN (Container) 6.15
  VM - Rocky Linux 9.1 providing Postgres 15

From an IPA joined client, Kerberos SSO works to the PGAdmin container (no extra login prompt).
From an IPA joined client with psql installed, I can connect to Postgres using Kerberos. I see the "GSSAPI - Encrypted connection" in the connection.

When I attempt to connect with the same account from the PGAdmin web application, I receive the following error in the web interface:
"GSSAPI continuation error. No credentials were supplied, or the credentials were unavailable or inaccessible. No Kerberos credentials available.(Default cache: FILE:/tmp/krb5cc_5050)"

On Postgres I checked the logs and it looks like the right user is being sent... but not authenticated:
2023-04-11 13:31:53.364 +07 [3858] FATAL:  GSSAPI authentication failed for user "a01-6"
2023-04-11 13:31:53.364 +07 [3858] DETAIL:  Connection matched pg_hba.conf line 91: "host    all             all             192.168.1.0/24            gss include_realm=0 krb_realm=MY.LAB"

Initially I thought it might be the typical Kerberos double-hop issue with Kerberos delegation, and I found the following article on Kerberos delegation.


I configured the delegation (First time in the Linux world I've done this so maybe it's wrong?) using:

ipa servicedelegationtarget-add
ipa servicedelegationtarget-add-member
ipa servicedelegationrule-add
ipa servicedelegationrule-add-member
ipa servicedelegationrule-add-target

Then rebooted everything, but same results. Is there a way in the PGAdmin container to turn up logging to see what's happening?

Thanks,
Greg
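
The server-side checks that the options in the logged pg_hba.conf rule apply to a presented Kerberos principal, as an added example that is not part of the original message and is not PostgreSQL's own code. It models the documented behaviour of include_realm, krb_realm and krb_caseins_users; the principal a01-6@MY.LAB is assumed from the user and realm in the log, the function names are hypothetical, and pg_ident.conf user-name maps are not modelled.

```python
# Rule text copied from the DETAIL line quoted in the message above.
HBA_LINE = ("host    all             all             192.168.1.0/24"
            "            gss include_realm=0 krb_realm=MY.LAB")


def parse_hba_options(line):
    """Return (auth_method, options) for a 'host' record in CIDR form."""
    fields = line.split()
    if len(fields) < 5 or fields[0] != "host":
        raise ValueError("expected: host database user address method [options]")
    # Everything after the method is a name=value authentication option.
    return fields[4], dict(f.split("=", 1) for f in fields[5:])


def gss_role_check(principal, requested_role, options):
    """Model the documented gss option handling; returns (accepted, reason)."""
    if "map" in options:
        raise NotImplementedError("pg_ident.conf maps are not modelled")
    name, _, realm = principal.partition("@")
    # krb_caseins_users=1 makes both comparisons case-insensitive.
    fold = str.lower if options.get("krb_caseins_users", "0") == "1" else str
    wanted = options.get("krb_realm")
    # krb_realm: only principals from this realm are accepted.
    if wanted is not None and fold(realm) != fold(wanted):
        return False, f"realm {realm!r} does not match krb_realm {wanted!r}"
    # include_realm defaults to 1, so the realm is stripped only when it is 0.
    strip = options.get("include_realm", "1") == "0"
    system_user = name if strip else principal
    # Without a map, the resulting name must equal the requested role.
    if fold(system_user) != fold(requested_role):
        return False, f"{system_user!r} is not the requested role {requested_role!r}"
    return True, f"principal maps to role {system_user!r}"


if __name__ == "__main__":
    method, opts = parse_hba_options(HBA_LINE)
    print(method, opts)
    # Constructed principals: the assumed one, a foreign realm, and the
    # assumed one against the same rule without include_realm=0.
    print(gss_role_check("a01-6@MY.LAB", "a01-6", opts))
    print(gss_role_check("a01-6@OTHER.LAB", "a01-6", opts))
    print(gss_role_check("a01-6@MY.LAB", "a01-6", {"krb_realm": "MY.LAB"}))
```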
