public inbox for [email protected]
From: Khushboo Vashi <[email protected]>
To: Haiko Sawatzky <[email protected]>
Cc: [email protected]
Subject: Re: Kerberos authentication in pgAdmin4 server
Date: Thu, 27 Nov 2025 10:52:16 +0530
Message-ID: <CAFOhELf+SF0PRfZpF-4MZ-XFF9UB1KSP+Vmqb4_iaaq4+Bi0Qw@mail.gmail.com> (raw)
In-Reply-To: <CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw@mail.gmail.com>
References: <CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw@mail.gmail.com>
Hi,

While creating the server, have you checked the "Kerberos authentication?" field?

On Wed, Nov 26, 2025 at 8:57 PM Haiko Sawatzky <[email protected]> wrote:
> Hello.
>
> I've been having seemingly the same issue as in the following thread:
> https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%4...
> I would like to see if someone can help me diagnose what I'm doing wrong.
>
> My environment is:
> * pgAdmin4 server version 9.10, running in a Docker container
> (dpage/pgadmin4:9.10) - Ubuntu server VM
> * Postgresql server configured for Kerberos authentication - Ubuntu
> server VM
> * Our company is using Microsoft Windows Active Directory
>
> What I have working:
> * Logging into Postgresql directly with my Microsoft Active Directory
> user using Kerberos (from Windows & Linux)
> * Logging into pgAdmin web with my Microsoft Active Directory user using
> Kerberos (currently only on Firefox on Windows)
>
> What's currently not working for me is the Kerberos authentication from
> within pgAdmin to the Postgresql server. The container logs this the moment
> I try to connect to the Postgresql server:
> pgadmin-1 | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: GSSAPI continuation error: No credentials
> were supplied, or the credentials were unavailable or inaccessible: No
> Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5050)
>
> I do however find a ticket for my Kerberos session in the cache directory:
> docker exec -ti pgadmin-test-pgadmin-1 bash -c 'ls -la
> /var/lib/pgadmin/krbccache/'
> total 12
> drwxr-xr-x 2 pgadmin root 4096 Nov 26 09:42 .
> drwxrwxr-x 6 pgadmin root 4096 Nov 26 09:42 ..
> -rw------- 1 pgadmin root 1533 Nov 26 09:42
> [email protected]
>
> I've tried, just to see if it would do a login:
> * Create an environment variable for the whole container KRB5CCNAME as
> the absolute path to my Kerberos ticket in krbccache
> * copy the ticket in /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050
> The environment variable had no effect, but copying the ticket
> to /tmp/krb5cc_5050 changed the error that I got to:
> pgadmin-1 | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: connection to server at "<ip-address>",
> port 5432 failed: GSSAPI continuation error: Unspecified GSS failure.
> Minor code may provide more information: The ticket isn't for us
>
> Another issue I've already worked around: the documentation specifies to
> set an environment variable for "KRB_KTNAME" or set "KRB_KTNAME" in the
> pgAdmin config, and that this should work instead of needing to configure
> "default_keytab_name" in krb5.conf. But this has not worked for me at all,
> I can't go without explicitly creating a krb5.conf file that specifies
> "default_keytab_name = /path/to/keytab". But as I said, when I configure
> this in krb5.conf, the login into pgAdmin using Kerberos works.
>