
I'm trying to connect to a Postgres server with the GSSAPI protocol. User accounts have been created in Active Directory.

I used the following commands:

postgres@xxxxx:John $ ktutil
ktutil:  add_entry -password -p POSTGRES/myserver.domain.com -k 1 -e aes256-cts-hmac-sha1-96
Password for POSTGRES/myserver.domain.com@myad.domain.com
ktutil:  write_kt postgres.keytab
ktutil:  quit
postgres@xxxxx:John $ klist -k postgres.keytab
Keytab name: FILE:postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 POSTGRES/myserver.domain.com@myad.domain.com

postgres@xxxxx:John $ kinit john
Password for john@myad.domain.com
postgres@xxxxx:John $ klist
Ticket cache: KEYRING:persistent:26:26
Default principal: john@myad.domain.com

Valid starting       Expires              Service principal
09/28/2020 14:45:09  09/29/2020 00:45:09  krbtgt/myad.domain.com@myad.domain.com
        renew until 10/05/2020 14:45:00

When I try connecting with my admin user, I get this failure reply.

psql -d postgres -h pgserver -p 5432 -U john@domain.com
psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information
GSSAPI continuation error: Server not found in Kerberos database

What are the missing steps?

Fabrice Chapuis
  • I think this means that the KDC that psql asked about 'postgres/pgserver' has denied knowing who that is. The hostname of the server which psql is told to connect to needs to match the hostname embedded in the principal name for the server. – jjanes Sep 29 '20 at 03:33
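The check jjanes's comment describes, as an added example that is not part of the question, the comment or the answer: build the service principal libpq will ask the KDC for from the `-h` value and compare it, case-sensitively, with what the keytab from the question actually holds. It assumes psql is run with `-h pgserver` as shown, that `krbsrvname` is left at libpq's default `postgres`, and that the realm is the one kinit printed on the page (`myad.domain.com`); the `klist -k` text embedded in the script is a constructed copy of the question's output, and the script name `check_spn.sh` is hypothetical.

```shell
#!/usr/bin/env bash
# check_spn.sh (hypothetical name): added example, not code from the original
# question or answer. Compares the principal psql will request with the
# principals present in the server keytab, then shows how to ask the KDC.
#
# Assumptions (not stated in the original post): psql is invoked with
# "-h pgserver", krbsrvname keeps libpq's default "postgres", and the realm
# is the one kinit shows on the page, myad.domain.com.
set -u

# libpq asks the KDC for <krbsrvname>/<host>@<realm>. krbsrvname defaults to
# "postgres" (lowercase, and Kerberos principal names are case-sensitive);
# <host> is whatever was passed to -h unless the client krb5 library
# canonicalizes it through DNS; <realm> comes from the client's TGT.
expected_spn() {
    local host="$1" realm="$2" svc="${3:-postgres}"
    printf '%s/%s@%s\n' "$svc" "$host" "$realm"
}

# Extract the principal column from `klist -k` output on stdin: skip the
# "Keytab name:" line, the header and the dashed rule, keep the second field.
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { print $2 }'
}

# Exit 0 when $1 appears verbatim in the principal list on stdin.
# -F -x: fixed string, whole line, so "postgres/x" does not match "POSTGRES/x".
spn_in_keytab() {
    grep -Fxq -- "$1"
}

# Live check against the KDC (the step that fails in the question): request a
# service ticket for the principal. "Server not found in Kerberos database"
# here means the SPN is not registered on any AD account; ktutil only writes
# a local keytab, it registers nothing in AD. Not run below (needs a KDC).
kdc_has_spn() {
    kvno "$1"
}

# Constructed sample: the `klist -k postgres.keytab` output from the question.
SAMPLE_KLIST='Keytab name: FILE:postgres.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 POSTGRES/myserver.domain.com@myad.domain.com'

# Returns 0 if the keytab covers the SPN psql will request for $1, else 1,
# and prints a diagnosis either way.
check_host() {
    local host="$1" realm="$2" spn
    spn=$(expected_spn "$host" "$realm")
    if printf '%s\n' "$SAMPLE_KLIST" | keytab_principals | spn_in_keytab "$spn"; then
        echo "OK: keytab has $spn"
        return 0
    fi
    echo "MISMATCH: psql will ask the KDC for $spn; keytab holds:"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals | sed 's/^/    /'
    return 1
}

status=0
# As typed in the question: -h pgserver -> postgres/pgserver@myad.domain.com,
# which is not in the keytab at all.
check_host pgserver myad.domain.com || status=1
# Even with the FQDN, the keytab's "POSTGRES" service part does not match
# libpq's lowercase "postgres".
check_host myserver.domain.com myad.domain.com || status=1
echo "overall: $status (0 = keytab matches, 1 = mismatch)"
```

Fixing the mismatch means using one spelling everywhere: the principal the keytab is written for, the SPN registered on the AD account (which `setspn -L <account>` lists on the domain side), and the host psql is told to connect to, which should be the FQDN embedded in the principal rather than a short alias. The server also has to point `krb_server_keyfile` at that keytab, otherwise a correct ticket is still rejected on the PostgreSQL side.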

1 Answer


"Server not found in Kerberos database" means that GSSAPI is trying to reach the KDC and attempting to log in using the SPN instead of the UPN.

This can be avoided by specifying "isInitiator=false" in the JAAS config. With this, the incoming token will be decrypted on the client side itself (Postgres).

If there is delegation involved here (which I don't think there is), then "isInitiator=true" needs to be set in the JAAS config, and the SPN must be equal to the UPN of the account to which the SPN is attached.

Check ktpass on Windows; it creates a keytab file and also changes the user's UPN to the SPN value specified. Something similar should be done in your setup.