Kerberos authentication environment PostgreSQL configuration

PostgreSQL supports many authentication methods, and Kerberos is one of them. This article walks through an example of configuring PostgreSQL for a Kerberos authentication environment.


 

1 Preparation



1.1 Kerberos principle



If you do not know what Kerberos is, I strongly recommend reading the following two articles carefully. They explain the principles of Kerberos and the related concepts completely, so that any problem met while configuring the actual environment can be solved quickly.


 

1.2 the target environment



The target environment consists of 3 machines. For simplicity no separate DNS is configured; each host resolves host names through its local hosts file. Also, because Kerberos uses time stamps to check the validity of tickets, the clocks of the 3 hosts must be kept synchronized.
 
[node1]
Authentication server (KDC)
OS: RHEL6
IP: 192.168.1.101
realm: MYDM.COM
hostname: node1
domain: mydm.com
user: user1
 
[node2]
PostgreSQL server and Linux client
OS: RHEL6
IP: 192.168.1.102
realm: MYDM.COM
hostname: node2
domain: mydm.com
PostgreSQL cluster data directory: /home/postgres/data
 
[node3]
Windows client
OS: Windows 7
IP: 192.168.1.103
realm: MYDM.COM
hostname: node3
domain: mydm.com
 

2 node1 configuration



2.1 host name configuration

Modify /etc/hosts and add the following records.
[root@localhost ~]# vi /etc/hosts
192.168.1.101 node1.mydm.com node1 kdc.mydm.com kdc
192.168.1.102 node2.mydm.com node2
192.168.1.103 node3.mydm.com node3
 
The Kerberos authentication process finds the host name of the service (PostgreSQL) by a reverse lookup of its IP address, so 192.168.1.102 must reverse-resolve to node2.mydm.com. In other words, if several host names are listed for 192.168.1.102, node2.mydm.com must come first.
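The canonical-name requirement above can be checked before any service is started. The Python below is an added example and not code from the original article: it parses hosts-file text, treats the first name on the first line for an address as the name a reverse lookup will return (glibc's behaviour for the hosts-file backend), and compares it with the fully qualified name expected in the service principal. The sample hosts content is constructed from the records in this section; the second sample is a constructed failing case where the short alias is listed first.

```python
"""Check that the canonical name for an IP in a hosts file is the FQDN that the
Kerberos service principal is keyed on.  Added example, not from the article."""

# Constructed sample: the /etc/hosts records from section 2.1 plus a loopback line.
SAMPLE_HOSTS = """\
127.0.0.1     localhost localhost.localdomain
192.168.1.101 node1.mydm.com node1 kdc.mydm.com kdc
192.168.1.102 node2.mydm.com node2
192.168.1.103 node3.mydm.com node3
"""

# Constructed counter-example: the alias comes first, so a reverse lookup of
# 192.168.1.102 yields "node2" and the principal postgres/node2.mydm.com is not found.
BAD_HOSTS = "192.168.1.102 node2 node2.mydm.com\n"


def parse_hosts(text):
    """Return {ip: [names...]} from hosts-file text, skipping comments and blanks.

    Names are kept in file order, so names[0] is the canonical name from the
    first line that mentions the address (what gethostbyaddr reports).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:          # an address with no names is useless
            continue
        table.setdefault(fields[0], []).extend(fields[1:])
    return table


def canonical_name(text, ip):
    """Canonical (first listed) name for ip, or None if the address is absent."""
    names = parse_hosts(text).get(ip)
    return names[0] if names else None


def check_service_host(text, ip, expected_fqdn):
    """Return (ok, message); ok is True only when the reverse lookup of ip
    would produce expected_fqdn, the host part of postgres/<fqdn>@REALM."""
    canon = canonical_name(text, ip)
    if canon is None:
        return False, "%s has no hosts entry" % ip
    if canon != expected_fqdn:
        return False, "%s resolves to %r first, expected %r" % (ip, canon, expected_fqdn)
    return True, "%s -> %s" % (ip, canon)


if __name__ == "__main__":
    print(check_service_host(SAMPLE_HOSTS, "192.168.1.102", "node2.mydm.com"))
    print(check_service_host(BAD_HOSTS, "192.168.1.102", "node2.mydm.com"))
```

The check is only as good as the resolver order on the machine: if /etc/nsswitch.conf consults DNS before files, the DNS PTR record decides instead of this file.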
 

2.2 software installation



Make sure the following packages are installed:
krb5-libs
pam_krb5
krb5-server
krb5-workstation
 

2.3 Kerberos environment configuration



Edit the Kerberos configuration file /etc/krb5.conf. Change the realm and server entries to match your environment, as shown below.
[root@localhost ~]# vi /etc/krb5.conf
[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log
 
[libdefaults]
 default_realm = MYDM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true
 
[realms]
  MYDM.COM= {
  kdc = kdc.mydm.com
  admin_server = kdc.mydm.com
 }
 
[domain_realm]
 .mydm.com = MYDM.COM
 mydm.com = MYDM.COM
 

2.4 KDC server configuration



2.4.1 Editing kdc.conf

kdc.conf is the configuration file of the KDC server. Change the realm entries to match your environment, as shown below.
 
[root@localhost ~]# vi /var/kerberos/krb5kdc/kdc.conf
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88
 
[realms]
 MYDM.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
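The supported_enctypes line above decides which key types the KDC will issue, so it is worth auditing. The Python below is an added example, not code from the original article: a minimal parser for the krb5.conf/kdc.conf format (sections, key = value lines, and the nested realm blocks) and a check that lists the encryption types deprecated by RFC 6649 (single DES) and RFC 8429 (triple DES and RC4-HMAC). The configuration text is constructed from the kdc.conf shown in this section.

```python
"""List deprecated encryption types in a kdc.conf supported_enctypes setting.
Added example, not from the original article."""

# Constructed sample: the kdc.conf from section 2.4.1.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
 kdc_ports = 88
 kdc_tcp_ports = 88

[realms]
 MYDM.COM = {
  #master_key_type = aes256-cts
  acl_file = /var/kerberos/krb5kdc/kadm5.acl
  dict_file = /usr/share/dict/words
  admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
  supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
 }
"""

# Enctype name prefixes (checked before the ":salt" suffix) and why they are deprecated.
DEPRECATED = {
    "des-": "single DES (RFC 6649)",
    "des3-": "triple DES (RFC 8429)",
    "arcfour-hmac": "RC4-HMAC (RFC 8429)",
}


def parse_krb_conf(text):
    """Return {section: {block_or_None: {key: value}}}.

    Handles [section] headers, key = value lines, nested 'NAME = {' ... '}'
    blocks (one level, as used for realms) and # comments.  Keys that sit
    directly under a section are stored under the block name None.
    """
    conf = {}
    section, block = None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = line[1:-1], None
            conf.setdefault(section, {})
        elif line.endswith("{"):
            block = line[:-1].split("=")[0].strip()
            conf.setdefault(section, {}).setdefault(block, {})
        elif line == "}":
            block = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf.setdefault(section, {}).setdefault(block, {})[key] = value
    return conf


def deprecated_enctypes(text):
    """Return {realm: [(enctype, reason), ...]} for every realm whose
    supported_enctypes lists a deprecated encryption type; empty if none."""
    findings = {}
    for realm, settings in parse_krb_conf(text).get("realms", {}).items():
        if realm is None:
            continue
        for entry in settings.get("supported_enctypes", "").split():
            enctype = entry.split(":", 1)[0]
            for prefix, reason in DEPRECATED.items():
                if enctype.startswith(prefix):
                    findings.setdefault(realm, []).append((enctype, reason))
                    break
    return findings


if __name__ == "__main__":
    for realm, items in deprecated_enctypes(SAMPLE_KDC_CONF).items():
        for enctype, reason in items:
            print("%s: %s is deprecated: %s" % (realm, enctype, reason))
```

Against this sample it reports des3-hmac-sha1, arcfour-hmac and the three single-DES types for MYDM.COM; keeping only the AES types in supported_enctypes stops the KDC from issuing keys in types that are now considered weak. Note that the prefix "des-" does not match "des3-", so the two families are reported with their own reasons.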
 

2.4.2 Editing kadm5.acl

kadm5.acl is the ACL file used by the kadmin remote administration service to control access to the KDC database. The line below grants all privileges to the administration accounts (every principal with the admin instance). Change the realm to match your environment.
 [root@localhost ~]# vi /var/kerberos/krb5kdc/kadm5.acl
*/admin@MYDM.COM     *
 

2.4.3 KDC database initialization



User keys and other important information are stored in the KDC database. When a new KDC is configured, the KDC database must be initialized and its master password set.
[root@localhost ~]# kdb5_util create -r MYDM.COM -s
Loading random data
Initializing database '/var/kerberos/krb5kdc/principal' for realm 'MYDM.COM',
master key name 'K/M@MYDM.COM'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:
 

2.4.5 Adding user principals



Add the administrative user root/admin and the user user1 as principals (see note) to the KDC database.
[root@localhost ~]# kadmin.local
Authenticating as principal root/admin@MYDM.COM with password.
 
■ Adding the root/admin principal
kadmin.local:  addprinc root/admin
WARNING: no policy specified for root/admin@MYDM.COM; defaulting to no policy
Enter password for principal "root/admin@MYDM.COM":
Re-enter password for principal "root/admin@MYDM.COM":
Principal "root/admin@MYDM.COM" created.
 
■ Adding the user1 principal
kadmin.local:  addprinc user1
WARNING: no policy specified for user1@MYDM.COM; defaulting to no policy
Enter password for principal "user1@MYDM.COM":
Re-enter password for principal "user1@MYDM.COM":
Principal "user1@MYDM.COM" created.
 
Note) Principal: a Kerberos term for an identity that names a user or a service.
 

2.4.5 Exporting the keys needed by the kadmin management service

The kadmin management service requires its keys to be exported to the kadm5.keytab file so that kadmin can use them.
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
…(output omitted)
kadmin.local: ktadd -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/changepw
…(output omitted)
kadmin.local: quit
 

2.5 KDC service and kadmin service startup

[root@localhost ~]# service krb5kdc start
Starting Kerberos 5 KDC:                              [  OK  ]
[root@localhost ~]# service kadmin start
Starting Kerberos 5 Admin Server:                     [  OK  ]

 
 

3 node2 configuration

3.1 host name configuration

Same as node1.
 

3.2 software installation

Make sure the following packages are installed:
krb5-libs
pam_krb5
krb5-workstation
 

3.3 Kerberos environment configuration

Same as node1.
 

3.4 PostgreSQL compile and install

By default PostgreSQL is not built with Kerberos support, so "--with-krb5" must be added to the configure options when compiling PostgreSQL.
./configure --with-krb5 [other configure options]
make
make install
mkdir /usr/local/pgsql/etc
 

3.5 PostgreSQL service principal added



Log in remotely to the kadmin service and add the PostgreSQL service principal. At the password prompt, enter the password that was set for root/admin in 2.4.4. This step can also be run locally on node1 with kadmin.local (see note), but then the krb5.keytab file must be copied to node2.
[root@localhost postgres]# kadmin -p root/admin
Authenticating as principal root/admin with password.
Password for root/admin@MYDM.COM:
kadmin:  addprinc -randkey postgres/node2.mydm.com
…(output omitted)
kadmin:  ktadd -k /usr/local/pgsql/etc/krb5.keytab postgres/node2.mydm.com
…(output omitted)
kadmin: quit
 
Then change the owner of krb5.keytab so that the postgres process has read access to it.
[root@localhost ~]# chown postgres:postgres /usr/local/pgsql/etc/krb5.keytab
 
Note) kadmin.local can only be run locally on the KDC server; otherwise it behaves the same as kadmin.
 

3.6 PostgreSQL database setup

3.6.1 Creating the PostgreSQL database

[root@localhost ~]# su - postgres
[postgres@localhost ~]# export PATH=/usr/local/pgsql/bin:$PATH
[postgres@localhost ~]# initdb -D /home/postgres/data
 

3.6.2 Starting the PostgreSQL database

[postgres@localhost ~]# pg_ctl -D /home/postgres/data start
 

3.6.3 Adding user user1

Create a user1 account in the PostgreSQL database. To use a PostgreSQL user name that differs from the Kerberos principal name, configure a user name map (the map option in pg_hba.conf).
[postgres@localhost ~]# createuser user1
 

3.6.4 Editing postgresql.conf

listen_addresses = '*'
krb_server_keyfile = '/usr/local/pgsql/etc/krb5.keytab'
krb_srvname = 'postgres'
 

3.6.5 Editing pg_hba.conf

Add the following line to pg_hba.conf.
host   all   all   all           krb5 krb_server_hostname=node2.mydm.com
 

3.6.6 Restarting PostgreSQL

[postgres@localhost ~]$ pg_ctl -D /home/postgres/data restart
 

3.7 Operation verification

3.7.1 Obtaining initial user credentials

Obtain initial credentials for the user1 account from the KDC. At the password prompt, enter the password that was set for user1 in 2.4.4.
[postgres@localhost ~]$ kinit
Password for :
 

3.7.2 Connecting to the Postgres server

Connect to the Postgres server through psql. Be careful not to omit the -h option: without it the connection goes through the Unix socket and matches the local record in pg_hba.conf, which is not configured for krb5 authentication.
[postgres@localhost ~]$ psql -h 192.168.1.102 -U user1 postgres
psql (9.2.4)
Type "help" for help.
 
postgres=#
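The reason the -h option matters is the first-match scan of pg_hba.conf, and that scan can be reproduced to see which record a given connection would hit. The Python below is an added example, not code from the original article or from PostgreSQL: it parses a constructed pg_hba.conf and reports the matching record. The local record and the two loopback trust records in the sample are the ones initdb writes by default (an assumption about the author's file, since the article shows only the krb5 line it appends); the krb5 line is the one from 3.6.5. It generalizes slightly beyond the page by also handling CIDR address ranges and comma-separated database or user lists.

```python
"""Resolve which pg_hba.conf record a connection attempt would match.
Added example, not from the original article or from PostgreSQL itself."""

import ipaddress

# Constructed pg_hba.conf: initdb's default records (assumed) plus the krb5
# line from section 3.6.5 appended at the end.
SAMPLE_PG_HBA = """\
# TYPE  DATABASE  USER  ADDRESS        METHOD
local   all       all                  trust
host    all       all   127.0.0.1/32   trust
host    all       all   ::1/128        trust
host    all       all   all            krb5 krb_server_hostname=node2.mydm.com
"""


def parse_pg_hba(text):
    """Return the records of a pg_hba.conf as dicts, skipping comments and blanks.

    Only the 'local' and 'host' record types are handled: 'local' has no
    address field, 'host' has one, and everything after the method is kept
    as the option string.
    """
    records = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        rec = {"type": fields[0], "database": fields[1], "user": fields[2]}
        rest = fields[3:]
        if rec["type"] != "local":
            rec["address"] = rest.pop(0)
        rec["method"] = rest.pop(0)
        rec["options"] = " ".join(rest)
        records.append(rec)
    return records


def _address_matches(spec, client_ip):
    """'all' matches any client; otherwise the client IP must lie in the CIDR."""
    if spec == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(spec, strict=False)


def _name_matches(spec, name):
    """'all' or a comma-separated list of names."""
    return spec == "all" or name in spec.split(",")


def match_hba(text, database, user, client_ip=None):
    """Return the first matching record, or None (the server then rejects).

    client_ip=None means a Unix-domain socket connection (psql without -h),
    which only 'local' records can match; a TCP connection can only match
    'host' records.  The first match wins, exactly as in the server's scan,
    so the order of records decides which method is applied.
    """
    for rec in parse_pg_hba(text):
        if client_ip is None:
            if rec["type"] != "local":
                continue
        elif rec["type"] == "local" or not _address_matches(rec["address"], client_ip):
            continue
        if _name_matches(rec["database"], database) and _name_matches(rec["user"], user):
            return rec
    return None


def auth_method(text, database, user, client_ip=None):
    """The authentication method that would be applied, or 'reject' if none matches."""
    rec = match_hba(text, database, user, client_ip)
    return rec["method"] if rec else "reject"


if __name__ == "__main__":
    for ip in (None, "127.0.0.1", "192.168.1.102", "192.168.1.103"):
        print("client %-14s -> %s" % (ip or "unix socket", auth_method(SAMPLE_PG_HBA, "postgres", "user1", ip)))
```

Running it shows that psql without -h matches the local trust record, that a connection to 127.0.0.1 also matches the loopback trust record, and that only a connection to 192.168.1.102 (or any other non-loopback address) reaches the krb5 record; if Kerberos is meant to be mandatory, the trust records must be changed or removed. In newer PostgreSQL releases the krb5 method has been removed and the gss (GSSAPI) method takes its place in the same position of the record.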
 

5 node3 configuration

5.1 host name configuration

Add the following lines to the %windir%\System32\drivers\etc\hosts file.
192.168.1.101   node1.mydm.com
192.168.1.101   kdc.mydm.com
192.168.1.102   node2.mydm.com
192.168.1.103   node3.mydm.com
 

5.2 Kerberos software installation

Install the Windows version of MIT Kerberos (KfW). The download address is as follows:

 

5.3 Kerberos environment configuration

On Windows 7 the MIT Kerberos configuration file is the following.
C:\ProgramData\MIT\Kerberos5\krb5.ini
Note that C:\ProgramData is a hidden directory. Copy the contents of krb5.conf from node1 into krb5.ini and change the paths in [logging].

[logging]
 default = FILE:D:\log\krb5libs.log
 kdc = FILE:D:\log\krb5kdc.log
 admin_server = FILE:D:\log\kadmind.log

[libdefaults]
 default_realm = MYDM.COM
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 forwardable = true
 
[realms]
  MYDM.COM= {
  kdc = kdc.mydm.com
  admin_server = kdc.mydm.com
 }
 
[domain_realm]
 .mydm.com = MYDM.COM
 mydm.com = MYDM.COM
 

5.4 PostgreSQL compile and install

Omitted. As in the Linux environment, krb5 support must be enabled at compile time.
 

5.5 Operation verification

5.5.1 Obtaining initial user credentials

Obtain initial credentials for the user1 account from the KDC. At the password prompt, enter the password that was set for user1 in 2.4.4.
C:\>kinit
Password for :
 

5.5.2 Connecting to the Postgres server

Connect to the Postgres server through psql.
C:\>psql -h 192.168.1.102 -U user1 postgres
psql (9.2.4)
Type "help" for help.
 
postgres=>
 

6 Note

Each time a service key is exported with ktadd, the key version number (kvno) is incremented. If the krb5.keytab file loaded by the service no longer holds the old key version, clients that still hold service tickets issued for the old version fail authentication because of the version mismatch. Such clients must re-run kinit to obtain fresh initial credentials.
 

7 Other

Besides psql, I also tried other clients. pgjdbc and npgsql do not support Kerberos authentication. psqlODBC can support it through libpq (USE_LIBPQ must be specified at compile time), but I found that the Test button of the Windows ODBC administration tool does not always succeed and fails with the error "krb5_sendauth: Server not found in Kerberos database", while an ODBC application written by hand can connect successfully. Because the two mainstream drivers, pgjdbc and npgsql, do not support Kerberos authentication, PostgreSQL's Kerberos authentication does not seem to see much actual use at present.
 

Posted by Lauren at December 14, 2013 - 4:37 AM