java - Error connecting to PostgreSQL 9.4 with MIT Kerberos via JDBC vs CLI
I have set up PostgreSQL 9.4 with MIT Kerberos 5 and can connect on the CLI using psql. After filing off fingerprints, the principal is bgiles/postgres@realm, and pg_hba.conf has
host 0.0.0.0/0 gss include_realm=1 map=gss krb_realm=realm
and the pg_ident.conf file has
gss /^(.*)/postgres@realm$ \1
I created the principal and saved the keytab, and if I run
$ kinit -k -t krb5.keytab bgiles/postgres
I can connect to the PostgreSQL server 'kpg'. This proves Kerberos and the keytab are set up properly.
$ psql -h kpg dbname (connection information...)
However, when I use the same keytab to connect via JDBC, I get a GSS authentication error due to PostgreSQL refusing to perform the mapping.
2016-04-20 00:13:16 utc [18919-1] bgiles/postgres@bgiles log: no match in usermap "gss" user "bgiles/postgres" authenticated "bgiles/postgres@realm"
2016-04-20 00:13:16 utc [18919-2] bgiles/postgres@bgiles fatal: gssapi authentication failed user "bgiles/postgres"
2016-04-20 00:13:16 utc [18919-3] bgiles/postgres@bgiles detail: connection matched pg_hba.conf line 100: "host 75.144.16.201/32 gss include_realm=1 map=gss krb_realm=realm"
(I noticed the @bgiles and suspect it's key to the problem, but I'm totally stumped by it.)
The test code is
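import java.net.URL;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;

import org.junit.Test; // assumes JUnit 4 for the @Test annotation

public class KerberosPostgresqlTest {
    static {
        // Point JAAS at the jaas.conf on the classpath and set the Kerberos realm and KDC.
        URL url = Thread.currentThread().getContextClassLoader().getResource("jaas.conf");
        System.setProperty("java.security.auth.login.config", url.toExternalForm());
        System.setProperty("java.security.krb5.realm", "realm");
        System.setProperty("java.security.krb5.kdc", "kdc");
    }

    @Test
    public void test() throws Exception {
        String url = "jdbc:postgresql://kpg/bgiles";
        String user = "bgiles/postgres";
        Properties connInfo = new Properties();
        connInfo.put("user", user);
        connInfo.put("jaasApplicationName", "pgjdbc");
        // Opening the connection is the whole test: it throws if GSS authentication fails.
        try (Connection conn = DriverManager.getConnection(url, connInfo)) {
        }
    }
}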
and the JAAS configuration file is
pgjdbc {
    com.sun.security.auth.module.Krb5LoginModule required
    refreshKrb5Config=true
    doNotPrompt=true
    useTicketCache=true
    renewTGT=false
    useKeyTab=true
    keyTab="/tmp/krb5.keytab"
    debug=true
    client=true
    principal="bgiles/postgres";
};
The PostgreSQL database recognizes a valid Kerberos connection attempt. It's balking at the final step, where it maps the Kerberos principal to the PostgreSQL user ID. Somehow the Java/JAAS/JDBC code is mangling it, and what works on the CLI does not work via JDBC.
I have used countless variants of the boolean flags, and of adding or removing @realm, and found many ways to prevent GSS authentication from happening at all, but nothing lets me connect to the server.
Any ideas? The difference is in the Java/JAAS/JDBC code, but I can't understand how it can have a mangled principal that's still accepted by the KDC. TGT issues?
thanks,
bear
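How PostgreSQL evaluates a pg_ident.conf map line against the two names in the "no match in usermap" log entry, as an added example that is not part of the original post or of PostgreSQL's code. The function names are hypothetical, and Python's `re` is assumed to behave like PostgreSQL's regex engine for this simple pattern.

```python
import re

# Values copied from the post: the pg_ident.conf line and the names in the server log.
IDENT_LINE = r"gss /^(.*)/postgres@realm$ \1"
AUTHENTICATED = "bgiles/postgres@realm"   # principal, realm kept by include_realm=1
REQUESTED_ROLE = "bgiles/postgres"        # "user" in the log's usermap message


def mapped_role(ident_line, map_name, authenticated):
    """Return the database role this map line yields for the name, or None."""
    fields = ident_line.split()
    if len(fields) != 3 or fields[0] != map_name:
        return None
    _, system_user, pg_user = fields
    if not system_user.startswith("/"):
        # Plain entry: the system user name must match exactly.
        return pg_user if system_user == authenticated else None
    # A leading "/" marks a regular expression over the authenticated name.
    match = re.search(system_user[1:], authenticated)
    if match is None:
        return None
    if r"\1" in pg_user:
        if match.re.groups < 1:
            return None
        # \1 is replaced by the first captured group.
        return pg_user.replace(r"\1", match.group(1) or "", 1)
    return pg_user


def usermap_allows(ident_line, map_name, authenticated, requested_role):
    """True when the mapped role equals the role the client asked to log in as."""
    return mapped_role(ident_line, map_name, authenticated) == requested_role


if __name__ == "__main__":
    print("mapped role:", mapped_role(IDENT_LINE, "gss", AUTHENTICATED))
    print("requested role allowed:",
          usermap_allows(IDENT_LINE, "gss", AUTHENTICATED, REQUESTED_ROLE))
```

The map check compares the substituted `\1` value with the role named in the connection request, so the authenticated principal can be valid while the comparison still fails.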