From: Haiko Sawatzky
Date: Thu, 27 Nov 2025 11:31:56 -0300
Subject: Re: Kerberos authentication in pgAdmin4 server
To: Khushboo Vashi
Cc: pgadmin-support@lists.postgresql.org

Hello Khushboo.

Yes I have enabled the kerberos auth switch in the postgres connection.

I've also done some more troubleshooting, and in my opinion, I have proven that the ticket that the pgAdmin container creates for my user is correct, by logging into the Postgres server using psql:

I can log into pgAdmin successfully via Firefox on Windows. The pgAdmin container will then have a ticket for my user in /var/lib/pgadmin/krbccache/. I can exec into the running pgAdmin container, and use the generated ticket to log into the Postgresql server using psql:

faaa414c9552:/pgadmin4$ ls -la /var/lib/pgadmin/krbccache/
total 16
drwxr-xr-x    2 pgadmin  root          4096 Nov 27 11:02 .
drwxrwxr-x    6 pgadmin  root          4096 Nov 27 11:03 ..
-rw-------    1 pgadmin  root          3104 Nov 27 09:52 pgadmin_cache_testuser@AD.DOMAIN.LAB
faaa414c9552:/pgadmin4# /usr/local/pgsql-17/psql --host test-postgres1.ad.domain.lab --dbname postgres --username testuser --command "values(session_user);"
 column1
---------
 testuser
(1 row)

Then I did another test (I mentioned doing this test in my last message, but it turns out yesterday I had broken my SPN, so that's why it wasn't working yesterday).

I copied my user ticket from /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050, and then I could successfully connect to my postgres server from within pgAdmin (in my Firefox browser).

So to me, it looks like the libpq library is not checking for the correct ticket path, sort of like I understand the last message in the thread I mentioned in my last message ( https://www.postgresql.org/message-id/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com ).

Just for some additional information, I have Postgres configured with "gss include_realm=0 krb_realm=AD.DOMAIN.LAB" in the hba file, and in my connection I specify the fqdn for the Postgres host, my username without the realm, and switch on kerberos authentication.

On Thu, Nov 27, 2025 at 2:22 AM Khushboo Vashi <khushboo.vashi@enterprisedb.com> wrote:

> Hi,
>
> While creating the server, have you checked the `Kerberos authentication ?' field?
>
> On Wed, Nov 26, 2025 at 8:57 PM Haiko Sawatzky wrote:
>
>> Hello.
>>
>> I've been having seemingly the same issue as in the following thread:
>> https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b1fa9b4ee880
>> I would like to see if someone can help me diagnose what I'm doing wrong.
>>
>> My environment is:
>>   * pgAdmin4 server version 9.10, running in a Docker container (dpage/pgadmin4:9.10) - Ubuntu server VM
>>   * Postgresql server configured for Kerberos authentication - Ubuntu server VM
>>   * Our company is using Microsoft Windows Active Directory
>>
>> What I have working:
>>   * Logging into Postgresql directly with my Microsoft Active Directory user using Kerberos (from Windows & Linux)
>>   * Logging into pgAdmin web with my Microsoft Active Directory user using Kerberos (currently only on Firefox on Windows)
>>
>> What's currently not working for me is the Kerberos authentication from within pgAdmin to the Postgresql server. The container logs this the moment I try to connect to the Postgresql server:
>> pgadmin-1  | Error: connection failed: connection to server at "<ip-address>", port 5432 failed: GSSAPI continuation error: No credentials were supplied, or the credentials were unavailable or inaccessible: No Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5050)
>>
>> I do however find a ticket for my Kerberos session in the cache directory:
>> docker exec -ti pgadmin-test-pgadmin-1 bash -c 'ls -la /var/lib/pgadmin/krbccache/'
>> total 12
>> drwxr-xr-x    2 pgadmin  root          4096 Nov 26 09:42 .
>> drwxrwxr-x    6 pgadmin  root          4096 Nov 26 09:42 ..
>> -rw-------    1 pgadmin  root          1533 Nov 26 09:42 pgadmin_cache_testuser@AD.DOMAIN.LAB
>>
>> I've tried, just to see if it would do a login:
>>   * Create an environment variable for the whole container KRB5CCNAME as the absolute path to my Kerberos ticket in krbccache
>>   * copy the ticket in /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050
>> The environment variable had no effect, but copying the ticket to /tmp/krb5cc_5050 changed the error that I got to:
>> pgadmin-1  | Error: connection failed: connection to server at "<ip-address>", port 5432 failed: connection to server at "<ip-address>", port 5432 failed: GSSAPI continuation error: Unspecified GSS failure.  Minor code may provide more information: The ticket isn't for us
>>
>> Another issue I've already worked around: the documentation specifies to set an environment variable for "KRB_KTNAME" or set "KRB_KTNAME" in the pgAdmin config, and that this should work instead of needing to configure "default_keytab_name" in krb5.conf. But this has not worked for me at all, I can't go without explicitly creating a krb5.conf file that specifies "default_keytab_name = /path/to/keytab". But as I said, when I configure this in krb5.conf, the login into pgAdmin using Kerberos works.
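
Added example, not part of the original message or of pgAdmin: a shell check for the mismatch described above, comparing the cache named in the libpq error (`default cache: FILE:/tmp/krb5cc_5050`) with the per-user caches under `/var/lib/pgadmin/krbccache/`, and flagging any cache file whose mode is wider than 0600. The function names and finding labels are hypothetical, and `stat -c` assumes GNU or busybox stat.

```shell
#!/usr/bin/env bash
# Added diagnostic sketch; function names are hypothetical, paths come from the thread.

# Pull the cache GSSAPI named as default, e.g. "FILE:/tmp/krb5cc_5050",
# out of a libpq error line such as the one pgAdmin logged.
default_ccache_from_error() {
    printf '%s\n' "$1" | sed -n 's/.*(default cache: \([^)]*\)).*/\1/p'
}

# Map a cache name to a file path. Only FILE: caches (or bare absolute
# paths) are a single file; KEYRING:, KCM:, DIR: and others are rejected.
ccache_file_path() {
    case "$1" in
        FILE:*) printf '%s\n' "${1#FILE:}" ;;
        /*)     printf '%s\n' "$1" ;;
        *)      return 1 ;;
    esac
}

# Compare where libpq looked with what pgAdmin wrote into its cache directory.
# Prints one finding per line. Returns 0 if the default cache file exists,
# 1 if it is missing, 2 if the error line could not be interpreted.
diagnose_ccache() {
    local err_line=$1 cache_dir=$2 ccname cc_path f mode
    ccname=$(default_ccache_from_error "$err_line")
    [ -n "$ccname" ] || { echo "no-default-cache-in-error"; return 2; }
    if ! cc_path=$(ccache_file_path "$ccname"); then
        echo "non-file-cache $ccname"
        return 2
    fi
    for f in "$cache_dir"/pgadmin_cache_*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")   # GNU/busybox stat assumed
        echo "pgadmin-cache $f mode=$mode"
        # A ccache holds usable tickets; flag anything wider than owner rw.
        [ "$mode" = "600" ] || echo "loose-permissions $f"
    done
    if [ -f "$cc_path" ]; then
        echo "default-cache-present $cc_path"
        return 0
    fi
    echo "default-cache-missing $cc_path"
    return 1
}

# Run as: script.sh '<error line>' /var/lib/pgadmin/krbccache
if [ "$#" -eq 2 ]; then
    diagnose_ccache "$1" "$2"
fi
```
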