MIME-Version: 1.0
From: Haiko Sawatzky <haikosaw69@gmail.com>
Date: Wed, 26 Nov 2025 11:45:36 -0300
Message-ID: 
 <CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw@mail.gmail.com>
Subject: Kerberos authentication in pgAdmin4 server
To: pgadmin-support@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000b39e320644807380"
Archived-At: 
 <https://www.postgresql.org/message-id/CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw%40mail.gmail.com>
Precedence: bulk

--000000000000b39e320644807380
Content-Type: text/plain; charset="UTF-8"

Hello.

I've been having seemingly the same issue as in the following thread:
https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b1fa9b4ee880
I would like to see if someone can help me diagnose what I'm doing wrong.

My environment is:
  * pgAdmin4 server version 9.10, running in a Docker container
(dpage/pgadmin4:9.10) - Ubuntu server VM
  * Postgresql server configured for Kerberos authentication - Ubuntu
server VM
  * Our company is using Microsoft Windows Active Directory

What I have working:
  * Logging into Postgresql directly with my Microsoft Active Directory
user using Kerberos (from Windows & Linux)
  * Logging into pgAdmin web with my Microsoft Active Directory user using
Kerberos (currently only on Firefox on Windows)

What's currently not working for me is the Kerberos authentication from
within pgAdmin to the Postgresql server. The container logs this the moment
I try to connect to the Postgresql server:
pgadmin-1  | Error: connection failed: connection to server at
"<ip-address>", port 5432 failed: GSSAPI continuation error: No credentials
were supplied, or the credentials were unavailable or inaccessible: No
Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5050)

I do however find a ticket for my Kerberos session in the cache directory:
docker exec -ti pgadmin-test-pgadmin-1 bash -c 'ls -la
/var/lib/pgadmin/krbccache/'
total 12
drwxr-xr-x    2 pgadmin  root          4096 Nov 26 09:42 .
drwxrwxr-x    6 pgadmin  root          4096 Nov 26 09:42 ..
-rw-------    1 pgadmin  root          1533 Nov 26 09:42
pgadmin_cache_testuser@AD.DOMAIN.LAB

I've tried, just to see if it would do a login:
  * Create an environment variable for the whole container KRB5CCNAME as
the absolute path to my Kerberos ticket in krbccache
  * copy the ticket in /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050
The environment variable had no affect, but copying the ticket
to /tmp/krb5cc_5050 changed the error that I got to:
pgadmin-1  | Error: connection failed: connection to server at
"<ip-address>", port 5432 failed: connection to server at "<ip-address>",
port 5432 failed: GSSAPI continuation error: Unspecified GSS failure.
Minor code may provide more information: The ticket isn't for us

Another issue I've already worked around: the documentation specifies to
set an environment variable for "KRB_KTNAME" or set "KRB_KTNAME" in the
pgAdmin config, and that this should work instead of needing to configure
"default_keytab_name" in krb5.conf. But this has not worked for me at all,
I can't go without explicitly creating a krb5.conf file that specifies
"default_keytab_name = /path/to/keytab". But as I said, when I configure
this in krb5.conf, the login into pgAdmin using Kerberos works.

--000000000000b39e320644807380
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr"><font face=3D"monospace">Hello.<br><br>I&=
#39;ve=C2=A0been having seemingly the same issue as in the following thread=
: <a href=3D"https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevku=
pqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b=
1fa9b4ee880" target=3D"_blank">https://www.postgresql.org/message-id/flat/C=
AFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e7=
8a396033b6d4d5922b1fa9b4ee880</a><br>I would like to see if someone can hel=
p me diagnose what I&#39;m doing wrong.</font></div><div dir=3D"ltr"><font =
face=3D"monospace"><br></font></div><div dir=3D"ltr"><font face=3D"monospac=
e">My environment is:</font><div><font face=3D"monospace">=C2=A0 * pgAdmin4=
 server version 9.10, running in a Docker container (dpage/pgadmin4:9.10) -=
 Ubuntu=C2=A0</font><span style=3D"font-family:monospace">server</span><spa=
n style=3D"font-family:monospace">=C2=A0VM</span></div><div><font face=3D"m=
onospace">=C2=A0 * Postgresql server configured for Kerberos authentication=
=C2=A0- Ubuntu server VM</font></div><div><font face=3D"monospace">=C2=A0 *=
 Our company is using Microsoft Windows Active Directory</font></div><div><=
font face=3D"monospace"><br></font></div><div><font face=3D"monospace">What=
 I have working:<br>=C2=A0 * Logging into Postgresql directly with my Micro=
soft Active Directory user using Kerberos (from Windows &amp; Linux)</font>=
</div><div><font face=3D"monospace">=C2=A0 *=C2=A0Logging into pgAdmin web =
with my Microsoft Active Directory user using Kerberos (currently only on F=
irefox on Windows)<br><br>What&#39;s=C2=A0currently not working for me is t=
he Kerberos authentication from within pgAdmin to the Postgresql server. Th=
e container logs this the moment I try to connect to the Postgresql server:=
<br>pgadmin-1 =C2=A0| Error: connection failed: connection to server at &qu=
ot;&lt;ip-address&gt;&quot;, port 5432 failed: GSSAPI continuation error: N=
o credentials were supplied, or the credentials were unavailable or inacces=
sible: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5=
050)<br><br>I do however find a ticket for my Kerberos session in the cache=
 directory:<br>docker exec -ti pgadmin-test-pgadmin-1 bash -c &#39;ls -la /=
var/lib/pgadmin/krbccache/&#39;<br>total 12<br>drwxr-xr-x =C2=A0 =C2=A02 pg=
admin =C2=A0root =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A04096 Nov 26 09:42 .<br>d=
rwxrwxr-x =C2=A0 =C2=A06 pgadmin =C2=A0root =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=
=A04096 Nov 26 09:42 ..<br>-rw------- =C2=A0 =C2=A01 pgadmin =C2=A0root =C2=
=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A01533 Nov 26 09:42 pgadmin_cache_testuser@AD.=
DOMAIN.LAB<br><br>I&#39;ve=C2=A0tried, just to see if it would do a login:<=
/font></div><div><font face=3D"monospace">=C2=A0 * Create an environment va=
riable for the whole container <span style=3D"color:rgb(0,0,0)">KRB5CCNAME =
as the absolute path to my Kerberos ticket in </span>krbccache</font></div>=
<div><font face=3D"monospace">=C2=A0 *=C2=A0copy the ticket in /var/lib/pga=
dmin/krbccache/ to /tmp/krb5cc_5050</font></div><div><font face=3D"monospac=
e">The environment variable had no affect, but copying the ticket to=C2=A0/=
tmp/krb5cc_5050 changed the=C2=A0error that I got to:</font></div><div><fon=
t face=3D"monospace">pgadmin-1 =C2=A0| Error: connection failed: connection=
 to server at &quot;&lt;ip-address&gt;&quot;, port 5432 failed: connection =
to server at &quot;&lt;ip-address&gt;&quot;, port 5432 failed: GSSAPI conti=
nuation error: Unspecified GSS failure.=C2=A0 Minor code may provide more i=
nformation: The ticket isn&#39;t for us<br></font></div><div><font face=3D"=
monospace"><br></font></div><div><font face=3D"monospace">Another issue I&#=
39;ve=C2=A0already worked around: the documentation specifies to set an env=
ironment variable for &quot;KRB_KTNAME&quot;=C2=A0or set &quot;KRB_KTNAME&q=
uot; in the pgAdmin config,=C2=A0and that this should work instead of needi=
ng to configure &quot;default_keytab_name&quot; in krb5.conf. But this has =
not worked for me at all, I can&#39;t go without explicitly creating a krb5=
.conf file that specifies &quot;default_keytab_name =3D /path/to/keytab&quo=
t;. But as I said, when I configure this in krb5.conf, the login into pgAdm=
in using Kerberos works.</font></div></div>
</div>

--000000000000b39e320644807380--