kerberos client on windows not being able to access credentials cache ("Internal credentials cache error")

Tomas Pospisek tpo2 at sourcepole.ch
Fri Mar 10 11:14:48 EST 2023


Hello,

In case anybody is interested (or as a reference for future readers): I 
was able to resolve the problem. See 
https://www.postgresql.org/message-id/08b836a7-272a-2309-da45-ac691fccacb8%40sourcepole.ch 
for details.

Also, since I got precisely zilch feedback here while there were other 
postings here I'm under the impression that this is a mailing list with 
*no* user support (but instead a development list or similar). If that's 
the case, then it would be certainly helpful for other similar poor 
misled souls like me to have that characteristic of the mailing list 
documented on its page: http://web.mit.edu/kerberos/new/mail-lists.html ...

Thanks,
*t

On 20.02.23 14:11, Tomas Pospisek wrote:
> Hello all,
> 
> tldr:
> 
>      D:\>C:\OSGeo4W\bin\psql.exe service=the_db
>      psql: error: connection to server at "dbserver.example.lan
>      (192.168.4.104), port 5432 failed: could not initiate GSSAPI
>      security context: No credentials were supplied, or the credentials
>      were unavailable or inaccessible: Internal credentials cache error
> 
> Goal
> ====
> 
> I want to have my Postgresql clients (in this case psql.exe) on Windows 
> to authenticate against Active Directory.
> 
> Steps taken so far
> ==================
> 
> Linux client -> Active Directory -> Linux server works
> ------------------------------------------------------
> 
> I was able to get psql on Linux to authenticate against Active Directory 
> and with the service ticket that it got from Active Directory to 
> authenticate to the Postgresql service and server.
> 
> Windows client -> Active Directory does not work
> ------------------------------------------------
> 
> I do know that psql.exe (on Windows) is linked and is using GSS to do 
> Kerberos authentication.
> 
> A psql.exe that is not linked against GSS will tell me: "gssencmode 
> value "require" invalid when GSSAPI support is not compiled in"
> 
> A psql.exe that is linked against GSS will not tell me that. I'm 
> evidently now using the latter - a psql.exe that is linked against GSS.
> 
> -> So I know that the psql.exe that I'm using is linked against GSS.
> 
> Also, in the Windows shell I can issue a klist, and I see the Ticket 
> Granting Ticket and I see various service tickets (mainly to mount CIFS 
> shares).
> 
> Also on Windows shell I can issue a
> 
>      klist get postgres/dbserver.example.lan at EXAMPLE.LAN
> 
> and I see the ticket listed when I issue klist.
> 
> -> So I know that getting the service ticket on the Windows client does 
> indeed work.
> 
> When using psql.exe without setting `gssencmode = require` I am able to 
> authenticate with username/password and connect to the Postgresql 
> service on the DB server just fine.
> 
> -> So I know that there is no problem with psql.exe wrt connecting to 
> the Postgresql server and there is no problem with authentication per se.
> 
> I tried to trace psql.exe with the "Process Monitor" tool. I see that 
> (for whatever reason), psql.exe will open a TCP connection to the 
> Postgresql server. But it will *NOT* open a connection to the Active 
> Directory server.
> 
> Maybe it *should* connect to a local (that is on the local host) 
> authentication/active directory service, but I do not know enough 
> Windows to know how I would see that in the "Process Monitor" trace.
> 
> I can see that psql.exe is accessing the Windows Registry and that it's 
> accessing various DLLs, among others the kerberos library, and various 
> config files, such as the krb5.conf file, but I can not see it accessing 
> a keytab.
> 
> Again I do not know *exactly* how Active Directory/Kerberos access works 
> on Windows, but I *suspect* that the protocol on a Windows client is 
> *not* using keytab file.
> 
> I do see that `psql.exe` is trying to access a `ccapiserver.exe` file, 
> that is not there.
> 
> Question: is a `ccapiserver.exe` executable required in order to be able 
> to access tickets from a Kerberos client on a Windows client?
> 
> Other question: is the error "Internal credentials cache error" the root 
> cause of psql.exe not being able to authenticate against Active 
> Directory (I am supposing that the error "Internal credentials cache 
> error" refers to the kerberos client not being able to access the 
> *existing* tickets. But in "theory" psql.exe could try getting a ticket 
> *without* accessing the existing tickets? So it wouldn't have to 
> forcibly fail there?).
> 
> And another question: is there any way to make GSS more talkative? At 
> this moment all that I can get as logs is the above "computer says no". 
> I was able to set the kerberos log to a local file, but that just tells 
> me that the client now wants to do authentication and that's that.
> 
> So that's as far as I got and I'm a bit at the end of my wisdom and I 
> would very, very much appreciate:
> 
> * help on how to proceed from here
> * pointers to how to configure krb5.conf-wise a given Windows executable 
> that links against GSS so that it can authenticate against active directory
> * any help and pointer or debugging help
> * has anybody been able to authenticate from Windows against Active 
> Directory and how did you do that respectively how did you set it up?
> 
> Any help would be very, very much appreciated, thank you.
> *t
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
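The checks the quoted post walks through by hand (GSS-enabled build, TGT present, service ticket obtainable, ccapiserver.exe reachable, then the GSS connect) can be replayed in one PowerShell script. This is an added example, not code from the thread; the psql.exe path, SPN and service name are the placeholders the post used.

```powershell
# Added diagnostic, not part of the original thread: replays the checks the
# post walks through and reports which precondition fails.
# Assumptions (placeholders taken from the post): psql.exe path, SPN, service.
$Psql    = 'C:\OSGeo4W\bin\psql.exe'
$Spn     = 'postgres/dbserver.example.lan@EXAMPLE.LAN'
$Service = 'the_db'               # entry in pg_service.conf, as in the post
$SpnHost = ($Spn -split '@')[0]   # Windows klist prints "svc/host @ REALM"

function Test-Precondition([string]$Name, [scriptblock]$Check) {
    $ok = [bool](& $Check)
    Write-Host ('[{0}] {1}' -f ($(if ($ok) { ' OK ' } else { 'FAIL' })), $Name)
    return $ok
}

# 1. Is this psql.exe built with GSSAPI? A build without it rejects
#    gssencmode=require with "...not compiled in" (the message quoted in the post).
#    -w suppresses any password prompt so the script never blocks.
$psqlOut = & $Psql -w "service=$Service gssencmode=require" -c 'select 1' 2>&1 | Out-String
$gssBuilt = Test-Precondition 'psql.exe linked against GSSAPI' {
    (Test-Path $Psql) -and ($psqlOut -notmatch 'not compiled in')
}

# 2. Is there a TGT in the Windows (LSA) ticket cache?
$tickets = klist 2>&1 | Out-String
$hasTgt = Test-Precondition 'TGT present in klist output' { $tickets -match 'krbtgt/' }

# 3. Can a service ticket for the PostgreSQL SPN be obtained and listed?
klist get $Spn | Out-Null
$tickets = klist 2>&1 | Out-String
$hasSvc = Test-Precondition "service ticket for $SpnHost" {
    $tickets -match [regex]::Escape($SpnHost)
}

# 4. Is the ccapiserver.exe that Process Monitor saw psql.exe looking for on PATH?
$hasCcapi = Test-Precondition 'ccapiserver.exe on PATH' {
    [bool](Get-Command ccapiserver.exe -ErrorAction SilentlyContinue)
}

# 5. Does the GSS connection itself still fail with the cache error?
Test-Precondition 'GSSAPI connect (gssencmode=require)' {
    ($psqlOut -notmatch 'Internal credentials cache error') -and
    ($psqlOut -notmatch 'could not initiate GSSAPI')
} | Out-Null

if ($gssBuilt -and $hasTgt -and $hasSvc -and -not $hasCcapi) {
    Write-Host 'Tickets exist in the LSA cache but the GSS client cannot read them:'
    Write-Host 'look at the credentials cache configuration, not at ticket acquisition.'
}
```

Run it from the same shell in which klist shows the tickets, since the LSA cache is per logon session.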
