Question
I have set up PostgreSQL 9.4 with MIT Kerberos 5 and CAN connect on the CLI using psql. After filing off the fingerprints my principal is bgiles/postgres@REALM, the pg_hba.conf has
host all all 0.0.0.0/0 gss include_realm=1 map=gss krb_realm=REALM
and the pg_ident.conf file has
gss /^(.*)/postgres@REALM$ \1
I created that principal, saved it to a keytab, and if I
$ kinit -k -t krb5.keytab bgiles/postgres
I can successfully connect to my PostgreSQL server 'kpg'. This proves the Kerberos and keytab are set up properly.
$ psql -h kpg dbname
(connection information...)
However when I use the same keytab to connect via JDBC I get a GSS Authentication Error which is due to PostgreSQL refusing to perform the mapping.
2016-04-20 00:13:16 UTC [18919-1] bgiles/postgres@bgiles LOG: no match in usermap "gss" for user "bgiles/postgres" authenticated as "bgiles/postgres@REALM"
2016-04-20 00:13:16 UTC [18919-2] bgiles/postgres@bgiles FATAL: GSSAPI authentication failed for user "bgiles/postgres"
2016-04-20 00:13:16 UTC [18919-3] bgiles/postgres@bgiles DETAIL: Connection matched pg_hba.conf line 100: "host all all 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=REALM"
(I noticed the @bgiles and suspect this is key to the problem but am totally stumped by it.)
The test code is
import java.net.URL;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

import org.junit.Test;

public class KerberosPostgreSQLTest {
    static {
        // Point JAAS at the jaas.conf on the classpath and set the Kerberos realm and KDC.
        URL url = Thread.currentThread().getContextClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", url.toExternalForm());
        System.setProperty("java.security.krb5.realm", "REALM");
        System.setProperty("java.security.krb5.kdc", "kdc");
    }

    @Test
    public void test() throws Exception {
        String url = "jdbc:postgresql://kpg/bgiles";
        String user = "bgiles/postgres";
        Properties connInfo = new Properties();
        connInfo.put("user", user);
        // Select the "pgjdbc" entry of jaas.conf for the GSSAPI login.
        connInfo.put("jaasApplicationName", "pgjdbc");
        try (Connection conn = DriverManager.getConnection(url, connInfo)) {
            // Opening the connection is the whole test; try-with-resources closes it.
        }
    }
}
and the JAAS configuration file is
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
        refreshKrb5Config=true
        doNotPrompt=true
        useTicketCache=true
        renewTGT=false
        useKeyTab=true
        keyTab="/tmp/krb5.keytab"
        debug=true
        client=true
        principal="bgiles/postgres"
    ;
};
The PostgreSQL database definitely recognizes a valid Kerberos connection attempt. It's balking at the final step where it maps from Kerberos principal to PostgreSQL user id. Somehow the java/jaas/jdbc code is mangling it and something that works on the CLI does not work via JDBC.
I have tried countless variants of the boolean flags, with and without @REALM, and found many ways to prevent GSS authentication from happening at all, but nothing lets me connect to the server.
Any ideas? The only difference is in the java/jaas/jdbc code, but I can't understand how it can get a mangled principal that's still accepted by the KDC. TGT issues?
Thanks,
Bear
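The "no match in usermap" log line above is PostgreSQL reporting that the database user name the client asked for is not among the names the usermap produces for the authenticated principal. The following Python model of pg_ident.conf evaluation is an added example (not from the question, the pgjdbc driver, or PostgreSQL's own source); it applies the documented rules for a map entry whose system-username column starts with "/" (regular expression against the full authenticated name, which includes @REALM because pg_hba.conf has include_realm=1, with a single capture group substituted for \1), then checks whether a requested database user equals a produced name. Assumptions: Python's re module stands in for PostgreSQL's POSIX regex engine, the comparison of the mapped name with the requested user is exact (as in 9.4), and the function names are hypothetical helpers.

```python
import re

# Constructed pg_ident.conf text containing the map line from the question.
PG_IDENT_CONF = r"""
# MAPNAME   SYSTEM-USERNAME             PG-USERNAME
gss         /^(.*)/postgres@REALM$      \1
"""


def parse_pg_ident(text):
    """Parse pg_ident.conf into (mapname, system_username, pg_username) tuples."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def map_system_user(entries, mapname, system_user):
    """Return the set of database user names `system_user` may connect as under `mapname`.

    A system-username starting with '/' is a regular expression matched against the
    authenticated name; if the regex has a capture group, its text replaces \1 in the
    pg-username column. Any other system-username must equal the authenticated name.
    (Python `re` is assumed to behave like PostgreSQL's regex engine for these patterns.)
    """
    allowed = set()
    for name, sys_pat, pg_user in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            if "\\1" in pg_user:
                if not m.groups():
                    raise ValueError(r"\1 used in pg-username but regex has no capture group")
                pg_user = pg_user.replace("\\1", m.group(1))
            allowed.add(pg_user)
        elif sys_pat == system_user:
            allowed.add(pg_user)
    return allowed


def usermap_allows(entries, mapname, system_user, requested_db_user):
    """True if the requested database user is one of the names the map produces."""
    return requested_db_user in map_system_user(entries, mapname, system_user)


if __name__ == "__main__":
    entries = parse_pg_ident(PG_IDENT_CONF)
    principal = "bgiles/postgres@REALM"  # authenticated name from the server log
    print("map produces:", map_system_user(entries, "gss", principal))
    for requested in ("bgiles", "bgiles/postgres"):
        print(f"requested {requested!r}:", usermap_allows(entries, "gss", principal, requested))
```

Run it with both the OS login name and the full principal as the requested user to see which of the two the page's map line actually matches; the names in the log message are the two inputs the server compares.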
Source: https://stackoverflow.com/questions/36731871/error-connecting-to-postgresql-9-4-with-mit-kerberos-via-jdbc-vs-cli