I've recently set up a new Samba4 Active Directory to handle centralized authentication for my small office network. On this server is also a postgresql-9.5 instance, and I'm trying to have it authenticate against the AD. Recognizing the difference between authentication (this is what I need) and authorization (I believe this is handled entirely within postgresql once the user has been authenticated), I'm running into problems.

The AD is rather vanilla at the moment, closely following this howto. I've set up some users and the basic kerberos authentication appears to be working (done with kinit [email protected], verified with klist). Similarly, smbclient //myhost.samdom.mydomain.tld/netlogon -U 'myusername' works.

The localhost is resolving to the samba AD and DNS forwarding is going upstream correctly. These work:

$ host -t SRV _ldap._tcp.samdom.mydomain.tld
$ host -t SRV _kerberos._udp.samdom.mydomain.tld
$ host -t A myhost.samdom.mydomain.tld

BTW: ubuntu-16.04 server, postgresql-9.5, samba-4.3.9

Question:

What am I missing in the configuration of samba and/or postgres to enable authentication against the AD?

DB Setup

Basic connectivity with postgresql appears to be good: it's listening on the appropriate interfaces (all for now), the postgres user can access things locally without a problem. I set up a simple database, output from \list:

   Name    |   Owner    | Encoding |   Collate   |    Ctype    |   Access privileges
-----------+------------+----------+-------------+-------------+-----------------------
 pgtest2   | myusername | UTF8     | en_US.UTF-8 | en_US.UTF-8 |

with users listed (per this query):

 User name  | User ID |    Attributes
------------+---------+-------------------
 myusername |   16384 | create database
 postgres   |      10 | superuser, create+
            |         | database

Failing Auth

However, when I try on the console:

$ psql -h myhost.samdom.mydomain.tld -U [email protected] -d pgtest2
psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information
GSSAPI continuation error: No Kerberos credentials available

From /var/log/postgresql/postgresql-9.5-main.log:

[email protected]@pgtest2 LOG:  could not receive data from client: Connection reset by peer
[email protected]@pgtest2 FATAL:  GSSAPI authentication failed for user "[email protected]"
[email protected]@pgtest2 DETAIL:  Connection matched pg_hba.conf line 92: "host all all 0.0.0.0/0 gss krb_realm=SAMDOM.MYDOMAIN.TLD include_realm=1 map=krb"

Config Files

The config file (portions) that I think are appropriate and necessary:

  • /etc/postgresql/9.5/main/pg_hba.conf:

    local   all             postgres                                peer
    local   all             all                                     peer
    host all all 0.0.0.0/0 gss krb_realm=SAMDOM.MYDOMAIN.TLD include_realm=1 map=krb
    host    all             all             127.0.0.1/32            md5
    host    all             all             ::1/128                 md5
    
  • /etc/postgresql/9.5/main/postgres.conf:

    krb_server_keyfile = '/var/lib/postgresql/9.5/main/postgres.keytab'
    

    (The keytab was generated with: samba-tool domain exportkeytab postgres.keytab -U postgres/[email protected], is mode 400, and owned by postgres:postgres.)

  • /etc/samba/smb.conf:

    # Global parameters
    [global]
            workgroup = SAMDOM
            realm = SAMDOM.MYDOMAIN.TLD
            netbios name = MYHOST
            interfaces = lo eno1
            bind interfaces only = Yes
            server role = active directory domain controller
            dns forwarder = 11.22.33.254
            idmap_ldb:use rfc2307 = yes
            tls enabled =  yes
            tls keyfile = tls/key.pem
            tls certfile = tls/cert.pem
            tls cafile = tls/ca.pem
    [netlogon]
            path = /var/lib/samba/sysvol/samdom.mydomain.tld/scripts
            read only = No
    [sysvol]
            path = /var/lib/samba/sysvol
            read only = No
    
Comments are welcome on how to improve the question, what more to include, or other methods to facilitate discourse. (I wish I could provide more bounty from my SO account ...) – r2evans Jun 27 at 21:17
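The DETAIL line in the server log names the pg_hba.conf line that was applied. PostgreSQL evaluates pg_hba.conf top-down and uses the first rule whose connection type, database, user and client address all match, so the order of the `host` lines decides which authentication method a given client is offered, and a broad rule such as `0.0.0.0/0` placed before narrower ones makes those later rules unreachable. The following added example (my own code, not from the question, the answers or PostgreSQL) parses the five pg_hba.conf lines quoted above, reports the first matching rule for a connection, and flags rules that can never be reached. The connection-type labels `local`/`tcp`/`ssl` and the sample user name `myusername` are assumptions made for the example.

```python
"""Simulate pg_hba.conf first-match evaluation and flag unreachable rules.

Constructed example: the sample below copies the five pg_hba.conf lines quoted
in the question, in the same order. Only the syntax subset those lines use is
parsed (CIDR or "address netmask" forms, key=value auth options).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: the pg_hba.conf lines shown in the question.
PG_HBA_SAMPLE = """\
local   all             postgres                                peer
local   all             all                                     peer
host all all 0.0.0.0/0 gss krb_realm=SAMDOM.MYDOMAIN.TLD include_realm=1 map=krb
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
"""


@dataclass
class HbaRule:
    lineno: int
    conn_type: str            # local, host, hostssl, hostnossl
    databases: list
    users: list
    address: Optional[object]  # IPv4Network/IPv6Network, None for 'local' rules
    method: str
    options: dict = field(default_factory=dict)


def parse_pg_hba(text: str) -> list:
    """Parse pg_hba.conf text into HbaRule objects, keeping file order."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        conn_type, dbs, users = fields[0], fields[1], fields[2]
        rest = fields[3:]
        address = None
        if conn_type != "local":
            addr = rest.pop(0)
            if "/" not in addr:              # "address netmask" form
                addr = f"{addr}/{rest.pop(0)}"
            address = ipaddress.ip_network(addr, strict=False)
        method, *opts = rest
        options = dict(o.split("=", 1) for o in opts)
        rules.append(HbaRule(lineno, conn_type, dbs.split(","), users.split(","),
                             address, method, options))
    return rules


def first_match(rules, conn_type, database, user, client_ip=None):
    """Return the first rule PostgreSQL would apply (top-down, first match wins).

    conn_type is one of the assumed labels 'local', 'tcp' (plain TCP) or 'ssl'.
    """
    ip = ipaddress.ip_address(client_ip) if client_ip is not None else None
    for r in rules:
        if r.conn_type == "local":
            if conn_type != "local":
                continue
        else:
            if conn_type == "local" or ip is None:
                continue
            # 'host' covers both SSL and plain TCP; hostssl/hostnossl are exact.
            if r.conn_type == "hostssl" and conn_type != "ssl":
                continue
            if r.conn_type == "hostnossl" and conn_type != "tcp":
                continue
            if ip.version != r.address.version or ip not in r.address:
                continue
        if "all" not in r.databases and database not in r.databases:
            continue
        if "all" not in r.users and user not in r.users:
            continue
        return r
    return None


def shadowed_rules(rules):
    """Line numbers of host rules that an earlier all-databases/all-users rule
    with a covering network makes unreachable."""
    dead = []
    for i, r in enumerate(rules):
        if r.conn_type == "local":
            continue
        for e in rules[:i]:
            if (e.conn_type in ("host", r.conn_type)
                    and "all" in e.databases and "all" in e.users
                    and e.address.version == r.address.version
                    and r.address.subnet_of(e.address)):
                dead.append(r.lineno)
                break
    return dead


if __name__ == "__main__":
    rules = parse_pg_hba(PG_HBA_SAMPLE)
    # psql -h ... connects over TCP, so even from the loopback address the
    # 0.0.0.0/0 gss rule is the first match and the 127.0.0.1/32 md5 rule is dead.
    hit = first_match(rules, "tcp", "pgtest2", "myusername", "127.0.0.1")
    print(f"TCP from 127.0.0.1 -> line {hit.lineno}: {hit.method} {hit.options}")
    print("unreachable pg_hba.conf lines:", shadowed_rules(rules))
```

Run as-is to see that a TCP connection from 127.0.0.1 lands on the gss rule (line 3 of the sample) while only the IPv6 loopback rule still reaches md5; the `shadowed_rules` check is the kind of audit worth running on any pg_hba.conf where a wide-open network rule precedes narrower ones.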
