Does my PostgreSQL instance support kerberos/gssapi authentication?


I installed it following instructions from digital ocean how-to-install-postgresql-on-ubuntu-20-04-quickstart:

% sudo apt install postgresql postgresql-contrib

I also did a ‘show all’ in psql and didn’t see anything that suggested it was other than the krb_server_keyfile = /etc/krb5.keytab that I configured in postgresql.conf

These are the errors I see in the log:

2021-05-07 21:58:49.990 UTC [1434] [email protected] LOG:  accepting GSS security context failed
2021-05-07 21:58:49.990 UTC [1434] [email protected] DETAIL:  Unspecified GSS failure.  Minor code may provide more information: Key table entry not found
2021-05-07 21:58:49.990 UTC [1434] [email protected] FATAL:  GSSAPI authentication failed for user "postgres"
2021-05-07 21:58:49.990 UTC [1434] [email protected] DETAIL:  Connection matched pg_hba.conf line 114: "host postgres     postgres           172.31.93.176/24                              gss include_realm=0"
2021-05-07 21:58:49.993 UTC [1435] [email protected] LOG:  accepting GSS security context failed
2021-05-07 21:58:49.993 UTC [1435] [email protected] DETAIL:  Unspecified GSS failure.  Minor code may provide more information: Key table entry not found
2021-05-07 21:58:49.993 UTC [1435] [email protected] FATAL:  GSSAPI authentication failed for user "postgres"
2021-05-07 21:58:49.993 UTC [1435] [email protected] DETAIL:  Connection matched pg_hba.conf line 114: "host postgres     postgres           172.31.93.176/24                              gss include_realm=0"


Method 1

First, let me add some more description of the environment where this problem was observed.

This excellent series of articles describes setting up kerberos and postgresql

PostgreSQL GSSAPI Authentication with Kerberos

  1. Part-1
  2. Part-2
  3. Part-3

If you do this in AWS, you should also set up elastic-ip addresses (so you can stop and start your servers). I also set up rt53 for the host names and have those map to the elastic-ip addresses you set up.

Note: in my case I am using postgresql v13 and after my initial failure, I followed these instructions on the postgresql for installing postgresql.

You would think that would be enough. However, if you don’t tweak the /etc/hosts file so that you have entries for your servers (as David did in his example, that was on ‘in-house’ hardware) you get this error:

[email protected]:~$ psql -U postgres -d postgres -h jl-krb5dev-postgres.matlabonlineserver.com
psql: error: could not initiate GSSAPI security context: Unspecified GSS failure.  Minor code may provide more information: Server krbtgt/[email protected] not found in Kerberos database
FATAL:  no pg_hba.conf entry for host "52.70.13.95", user "postgres", database "postgres", SSL on
FATAL:  no pg_hba.conf entry for host "52.70.13.95", user "postgres", database "postgres", SSL off

But if you add entries in the /etc/hosts file on your client machine for the kerberos and postgresql machines (using the elastic-ip addresses you set up earlier) everything works fine.

Note: this does require that you properly configured postgres with a keytab file.
For v13 of postgresql, I put it in /etc/postgresql/13/main/conf.d/krb5.keytab AND adjusted the postgresql.conf file (in /etc/postgresql/13/main) so that it has an entry like this: krb_server_keyfile = 'FILE:/etc/postgresql/13/main/conf.d/krb5.keytab'

A Big Thanks to @jjanes for getting me on the right path in the comment to my initial question.
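
The two checks this answer relies on (a keytab entry for the server's service principal, and hosts entries for the Kerberos and PostgreSQL machines), as an added shell example that is not part of the original answer. The host names, realm and addresses are constructed placeholders, and the principal form assumes libpq's default service name `postgres`.

```shell
#!/bin/sh
# Added example; host names, realm and addresses are constructed placeholders.

# libpq asks the KDC for <service>/<host>@<REALM>; the service name defaults
# to "postgres", so this is the entry the server keytab must contain.
expected_principal() {   # $1 = server host name as given to psql -h, $2 = realm
    printf 'postgres/%s@%s\n' "$1" "$2"
}

# Succeeds if `klist -k <keytab>` output on stdin lists principal $1.
keytab_lists() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# Succeeds if hosts-file text on stdin maps name $1 to address $2.
hosts_maps() {
    awk -v n="$1" -v a="$2" '
        { sub(/#.*/, "") }                      # drop comments
        $1 == a { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit !found }'
}

# Maps the two GSS errors quoted on this page to the check that addresses them.
classify_gss_error() {
    case "$1" in
        *"Key table entry not found"*)      echo keytab ;;
        *"not found in Kerberos database"*) echo hosts ;;
        *)                                  echo unknown ;;
    esac
}

# Constructed sample data (not taken from the original post).
SAMPLE_KLIST='Keytab name: FILE:/etc/postgresql/13/main/conf.d/krb5.keytab
KVNO Principal
---- ----------------------------------------
   1 postgres/pg.example.com@EXAMPLE.COM'
SAMPLE_HOSTS='127.0.0.1 localhost
203.0.113.10 pg.example.com pg   # PostgreSQL server
203.0.113.11 kdc.example.com     # KDC'

want=$(expected_principal pg.example.com EXAMPLE.COM)
printf '%s\n' "$SAMPLE_KLIST" | keytab_lists "$want" && echo "keytab: $want present"
printf '%s\n' "$SAMPLE_HOSTS" | hosts_maps kdc.example.com 203.0.113.11 && echo "hosts: KDC entry present"
```

Against a live system, pipe real input into the same functions: `klist -k /etc/postgresql/13/main/conf.d/krb5.keytab | keytab_lists "$want"` on the server, and `hosts_maps <name> <address> < /etc/hosts` on the client.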


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
