[pgpool-general: 6942] Re: Keberos issues
Bo Peng
pengbo at sraoss.co.jp
Fri Mar 27 15:24:27 JST 2020
Hello,
On Fri, 20 Mar 2020 09:57:23 +0100
Oliver Freyermuth <freyermuth at physik.uni-bonn.de> wrote:
> Dear PGPoolers,
>
> after setting up PGPool[0] with md5 auth and having the pool_hba correctly set up,
> and login working fine, I encountered one client which could not log in with the following message
> (just using the CLI psql tool):
> --------------------
> $ psql -l "host=my_pgpool_node port=5432 dbname=testdb user=testuser"
> psql: error: could not connect to server: server closed the connection unexpectedly
> This probably means the server terminated abnormally
> before or while processing the request.
> --------------------
> So the client does not see any underlying cause.
>
> Checking with strace, I found the client seems to try Kerberos 5 first, and apparently never falls back to password auth
> (it does not prompt for a password).
>
> Checking the pgpool-II debug logs:
> --------------------
> Mar 20 09:46:34 pgsql pgpool[25144]: [949-1] 2020-03-20 09:46:34: pid 25144: LOG: new connection received
> Mar 20 09:46:34 pgsql pgpool[25144]: [949-2] 2020-03-20 09:46:34: pid 25144: DETAIL: connecting host=client_ip port=54946
> Mar 20 09:46:34 pgsql pgpool[25144]: [949-3] 2020-03-20 09:46:34: pid 25144: LOCATION: child.c:2166
> Mar 20 09:46:34 pgsql pgpool[25144]: [951-1] 2020-03-20 09:46:34: pid 25144: FATAL: client authentication failed
> Mar 20 09:46:34 pgsql pgpool[25144]: [951-2] 2020-03-20 09:46:34: pid 25144: DETAIL: no pool_hba.conf entry for host "client_ip", user "", database "", SSL off
> Mar 20 09:46:34 pgsql pgpool[25144]: [951-3] 2020-03-20 09:46:34: pid 25144: HINT: see pgpool log for details
> --------------------
> it's quite curious that "user" and "database" are empty.
>
> Reading through the code, notably check_hba() and ClientAuthentication() in src/auth/pool_hba.c,
> my best guess is that a client connecting with Kerberos is implicitly rejected and not asked to retry with another method.
> Sadly, there seems to be no way to disallow psql from trying KRB5 (and it prefers it if possible).
>
> So the only approach I've found for the moment is to destroy KRB credentials to force psql to use MD5 auth,
> that does indeed work, but any client who is capable of KRB5 auth will silently fail to authenticate with MD5 against PGPool
> since the connection is dropped before it can try.
>
> I'd interpret this as a bug, but before opening an issue, wanted to ask here if this problem is known
> and / or my understanding is correct.
>
> Cheers,
> Oliver
>
> [0] Version: pgpool-II-pg11-4.0.8-1.pgdg.rhel7 (on CentOS 7)
>
I think it is an existing issue on CentOS6.
[FAQ]
https://www.pgpool.net/mediawiki/index.php/FAQ#Connection_failed_in_CentOS6
I tried on CentOS7 but I couldn't reproduce this issue.
Could you share your pgpool.conf, pool_hba.conf and pg_hba.conf?
--
Bo Peng <pengbo at sraoss.co.jp>
SRA OSS, Inc. Japan
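
For triaging the log pattern quoted in this thread, the following added example (not part of either poster's message and not pgpool code) reassembles multi-part pgpool syslog entries and separates pool_hba.conf rejections that logged an empty user and database from those that name both. The function names and verdict labels are assumptions; the first sample entry is taken from the quoted log and the second is constructed.

```python
import re
from collections import defaultdict

# Sample input: entry 951 is from the quoted log, entry 960 is constructed.
SAMPLE_LOG = """\
Mar 20 09:46:34 pgsql pgpool[25144]: [949-1] 2020-03-20 09:46:34: pid 25144: LOG: new connection received
Mar 20 09:46:34 pgsql pgpool[25144]: [949-2] 2020-03-20 09:46:34: pid 25144: DETAIL: connecting host=client_ip port=54946
Mar 20 09:46:34 pgsql pgpool[25144]: [951-1] 2020-03-20 09:46:34: pid 25144: FATAL: client authentication failed
Mar 20 09:46:34 pgsql pgpool[25144]: [951-2] 2020-03-20 09:46:34: pid 25144: DETAIL: no pool_hba.conf entry for host "client_ip", user "", database "", SSL off
Mar 20 09:47:10 pgsql pgpool[25150]: [960-1] 2020-03-20 09:47:10: pid 25150: FATAL: client authentication failed
Mar 20 09:47:10 pgsql pgpool[25150]: [960-2] 2020-03-20 09:47:10: pid 25150: DETAIL: no pool_hba.conf entry for host "other_ip", user "bob", database "testdb", SSL off
"""

LINE_RE = re.compile(
    r'pgpool\[(?P<pid>\d+)\]: \[(?P<seq>\d+)-(?P<part>\d+)\] '
    r'(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d): pid \d+: (?P<kind>[A-Z]+): (?P<msg>.*)$')
HBA_RE = re.compile(
    r'no pool_hba\.conf entry for host "(?P<host>[^"]*)", '
    r'user "(?P<user>[^"]*)", database "(?P<db>[^"]*)"')

def group_records(text):
    """Reassemble multi-part syslog entries keyed by (pid, sequence number)."""
    records = defaultdict(dict)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = records[(m["pid"], m["seq"])]
            rec.setdefault("ts", m["ts"])
            rec[m["kind"]] = m["msg"]  # e.g. rec["FATAL"], rec["DETAIL"]
    return records

def classify_hba_rejections(text):
    """Return (timestamp, host, verdict) for each pool_hba.conf rejection."""
    out = []
    for rec in group_records(text).values():
        if rec.get("FATAL") != "client authentication failed":
            continue
        m = HBA_RE.search(rec.get("DETAIL", ""))
        if not m:
            continue
        empty = m["user"] == "" and m["db"] == ""
        verdict = "empty-identity" if empty else "no-matching-rule"
        out.append((rec["ts"], m["host"], verdict))
    return out

if __name__ == "__main__":
    for row in classify_hba_rejections(SAMPLE_LOG):
        print(*row, sep="\t")
```

An `empty-identity` row is the case reported in the thread, where no user or database reached the pool_hba.conf check; a `no-matching-rule` row is an ordinary rejection that names both.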