MIME-Version: 1.0
References: 
 <CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw@mail.gmail.com>
In-Reply-To: 
 <CAE1OE9cZsfMSDW-4oZyfnvk2ryDUkmHkwGW5F_8v6BdmcCCMJw@mail.gmail.com>
From: Khushboo Vashi <khushboo.vashi@enterprisedb.com>
Date: Thu, 27 Nov 2025 10:52:16 +0530
Message-ID: 
 <CAFOhELf+SF0PRfZpF-4MZ-XFF9UB1KSP+Vmqb4_iaaq4+Bi0Qw@mail.gmail.com>
Subject: Re: Kerberos authentication in pgAdmin4 server
To: Haiko Sawatzky <haikosaw69@gmail.com>
Cc: pgadmin-support@lists.postgresql.org
Content-Type: multipart/alternative; boundary="000000000000dc49de06448cb2dd"
Archived-At: 
 <https://www.postgresql.org/message-id/CAFOhELf%2BSF0PRfZpF-4MZ-XFF9UB1KSP%2BVmqb4_iaaq4%2BBi0Qw%40mail.gmail.com>
Precedence: bulk

--000000000000dc49de06448cb2dd
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

While creating the server, have you checked the `Kerberos authentication ?'
field?

On Wed, Nov 26, 2025 at 8:57=E2=80=AFPM Haiko Sawatzky <haikosaw69@gmail.co=
m> wrote:

> Hello.
>
> I've been having seemingly the same issue as in the following thread:
> https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7=
GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b1fa9b4ee880
> I would like to see if someone can help me diagnose what I'm doing wrong.
>
> My environment is:
>   * pgAdmin4 server version 9.10, running in a Docker container
> (dpage/pgadmin4:9.10) - Ubuntu server VM
>   * Postgresql server configured for Kerberos authentication - Ubuntu
> server VM
>   * Our company is using Microsoft Windows Active Directory
>
> What I have working:
>   * Logging into Postgresql directly with my Microsoft Active Directory
> user using Kerberos (from Windows & Linux)
>   * Logging into pgAdmin web with my Microsoft Active Directory user usin=
g
> Kerberos (currently only on Firefox on Windows)
>
> What's currently not working for me is the Kerberos authentication from
> within pgAdmin to the Postgresql server. The container logs this the mome=
nt
> I try to connect to the Postgresql server:
> pgadmin-1  | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: GSSAPI continuation error: No credentia=
ls
> were supplied, or the credentials were unavailable or inaccessible: No
> Kerberos credentials available (default cache: FILE:/tmp/krb5cc_5050)
>
> I do however find a ticket for my Kerberos session in the cache directory=
:
> docker exec -ti pgadmin-test-pgadmin-1 bash -c 'ls -la
> /var/lib/pgadmin/krbccache/'
> total 12
> drwxr-xr-x    2 pgadmin  root          4096 Nov 26 09:42 .
> drwxrwxr-x    6 pgadmin  root          4096 Nov 26 09:42 ..
> -rw-------    1 pgadmin  root          1533 Nov 26 09:42
> pgadmin_cache_testuser@AD.DOMAIN.LAB
>
> I've tried, just to see if it would do a login:
>   * Create an environment variable for the whole container KRB5CCNAME as
> the absolute path to my Kerberos ticket in krbccache
>   * copy the ticket in /var/lib/pgadmin/krbccache/ to /tmp/krb5cc_5050
> The environment variable had no affect, but copying the ticket
> to /tmp/krb5cc_5050 changed the error that I got to:
> pgadmin-1  | Error: connection failed: connection to server at
> "<ip-address>", port 5432 failed: connection to server at "<ip-address>",
> port 5432 failed: GSSAPI continuation error: Unspecified GSS failure.
> Minor code may provide more information: The ticket isn't for us
>
> Another issue I've already worked around: the documentation specifies to
> set an environment variable for "KRB_KTNAME" or set "KRB_KTNAME" in the
> pgAdmin config, and that this should work instead of needing to configure
> "default_keytab_name" in krb5.conf. But this has not worked for me at all=
,
> I can't go without explicitly creating a krb5.conf file that specifies
> "default_keytab_name =3D /path/to/keytab". But as I said, when I configur=
e
> this in krb5.conf, the login into pgAdmin using Kerberos works.
>

--000000000000dc49de06448cb2dd
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div>Hi,</div><div><br></div><div>While creating the serve=
r, have you checked the `Kerberos authentication ?&#39; field?=C2=A0</div><=
br><div class=3D"gmail_quote gmail_quote_container"><div dir=3D"ltr" class=
=3D"gmail_attr">On Wed, Nov 26, 2025 at 8:57=E2=80=AFPM Haiko Sawatzky &lt;=
<a href=3D"mailto:haikosaw69@gmail.com">haikosaw69@gmail.com</a>&gt; wrote:=
<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8=
ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"ltr=
"><div dir=3D"ltr"><font face=3D"monospace">Hello.<br><br>I&#39;ve=C2=A0bee=
n having seemingly the same issue as in the following thread: <a href=3D"ht=
tps://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJevkupqE9np%3DY7GRWV=
d2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d5922b1fa9b4ee880" ta=
rget=3D"_blank">https://www.postgresql.org/message-id/flat/CAFOhELe6QLp1ZJe=
vkupqE9np%3DY7GRWVd2WF_e4xbOM%2BxzO1W_A%40mail.gmail.com#0e78a396033b6d4d59=
22b1fa9b4ee880</a><br>I would like to see if someone can help me diagnose w=
hat I&#39;m doing wrong.</font></div><div dir=3D"ltr"><font face=3D"monospa=
ce"><br></font></div><div dir=3D"ltr"><font face=3D"monospace">My environme=
nt is:</font><div><font face=3D"monospace">=C2=A0 * pgAdmin4 server version=
 9.10, running in a Docker container (dpage/pgadmin4:9.10) - Ubuntu=C2=A0</=
font><span style=3D"font-family:monospace">server</span><span style=3D"font=
-family:monospace">=C2=A0VM</span></div><div><font face=3D"monospace">=C2=
=A0 * Postgresql server configured for Kerberos authentication=C2=A0- Ubunt=
u server VM</font></div><div><font face=3D"monospace">=C2=A0 * Our company =
is using Microsoft Windows Active Directory</font></div><div><font face=3D"=
monospace"><br></font></div><div><font face=3D"monospace">What I have worki=
ng:<br>=C2=A0 * Logging into Postgresql directly with my Microsoft Active D=
irectory user using Kerberos (from Windows &amp; Linux)</font></div><div><f=
ont face=3D"monospace">=C2=A0 *=C2=A0Logging into pgAdmin web with my Micro=
soft Active Directory user using Kerberos (currently only on Firefox on Win=
dows)<br><br>What&#39;s=C2=A0currently not working for me is the Kerberos a=
uthentication from within pgAdmin to the Postgresql server. The container l=
ogs this the moment I try to connect to the Postgresql server:<br>pgadmin-1=
 =C2=A0| Error: connection failed: connection to server at &quot;&lt;ip-add=
ress&gt;&quot;, port 5432 failed: GSSAPI continuation error: No credentials=
 were supplied, or the credentials were unavailable or inaccessible: No Ker=
beros credentials available (default cache: FILE:/tmp/krb5cc_5050)<br><br>I=
 do however find a ticket for my Kerberos session in the cache directory:<b=
r>docker exec -ti pgadmin-test-pgadmin-1 bash -c &#39;ls -la /var/lib/pgadm=
in/krbccache/&#39;<br>total 12<br>drwxr-xr-x =C2=A0 =C2=A02 pgadmin =C2=A0r=
oot =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A04096 Nov 26 09:42 .<br>drwxrwxr-x =C2=
=A0 =C2=A06 pgadmin =C2=A0root =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A04096 Nov 2=
6 09:42 ..<br>-rw------- =C2=A0 =C2=A01 pgadmin =C2=A0root =C2=A0 =C2=A0 =
=C2=A0 =C2=A0 =C2=A01533 Nov 26 09:42 pgadmin_cache_testuser@AD.DOMAIN.LAB<=
br><br>I&#39;ve=C2=A0tried, just to see if it would do a login:</font></div=
><div><font face=3D"monospace">=C2=A0 * Create an environment variable for =
the whole container <span style=3D"color:rgb(0,0,0)">KRB5CCNAME as the abso=
lute path to my Kerberos ticket in </span>krbccache</font></div><div><font =
face=3D"monospace">=C2=A0 *=C2=A0copy the ticket in /var/lib/pgadmin/krbcca=
che/ to /tmp/krb5cc_5050</font></div><div><font face=3D"monospace">The envi=
ronment variable had no affect, but copying the ticket to=C2=A0/tmp/krb5cc_=
5050 changed the=C2=A0error that I got to:</font></div><div><font face=3D"m=
onospace">pgadmin-1 =C2=A0| Error: connection failed: connection to server =
at &quot;&lt;ip-address&gt;&quot;, port 5432 failed: connection to server a=
t &quot;&lt;ip-address&gt;&quot;, port 5432 failed: GSSAPI continuation err=
or: Unspecified GSS failure.=C2=A0 Minor code may provide more information:=
 The ticket isn&#39;t for us<br></font></div><div><font face=3D"monospace">=
<br></font></div><div><font face=3D"monospace">Another issue I&#39;ve=C2=A0=
already worked around: the documentation specifies to set an environment va=
riable for &quot;KRB_KTNAME&quot;=C2=A0or set &quot;KRB_KTNAME&quot; in the=
 pgAdmin config,=C2=A0and that this should work instead of needing to confi=
gure &quot;default_keytab_name&quot; in krb5.conf. But this has not worked =
for me at all, I can&#39;t go without explicitly creating a krb5.conf file =
that specifies &quot;default_keytab_name =3D /path/to/keytab&quot;. But as =
I said, when I configure this in krb5.conf, the login into pgAdmin using Ke=
rberos works.</font></div></div>
</div>
</blockquote></div></div>

--000000000000dc49de06448cb2dd--