DBeaver: Error while connecting to Postgres DB with Kerberos authentication

Created on 2 Jun 2017  ·  31 Comments  ·  Source: dbeaver/dbeaver

Sorry for my English.
The DB is configured to accept connections only with SSL and Kerberos. I'm trying to connect to this DB with my AD user and get this error:

GSS Authentication failed
javax.security.auth.login.LoginException: No LoginModules configured for pgjdbc

The jaasApplicationName property in Driver properties is not set. If I change it, for example, to "123", then the error changes to

GSS Authentication failed
javax.security.auth.login.LoginException: No LoginModules configured for 123

Where should I create "pgjdbc" or "123" for DBeaver to understand what I want?

bug postgresql

All 31 comments

Hi,

I have exactly the same problem for a long time, but this is not a DBeaver issue... It is a PostgreSQL JDBC driver issue.

Regards.

Yes, I know the problem is in the JDBC driver. BUT we have it working on our prod servers.
We have a file, which has this in it:

pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
renewTGT=true
debug=true
client=true;
};

and everything works!
Maybe I'll ask this question on the Postgres forum as well.

Thank you very very very very very very much!
This one helped http://info.michael-simons.eu/2012/07/23/java-7-jaas-and-kerberos-single-sign-on-vs-newer-windows-systems/


From: kyleflan [mailto:[email protected]]
Sent: Friday, June 02, 2017 5:13 PM
To: serge-rider/dbeaver
Cc: Лёсин Евгений Андреевич; Author
Subject: Re: [serge-rider/dbeaver] Error while connecting postgres db with Kerberos autentification (#1737)

Maybe this post could point you in the right direction (assuming you're on Windows 7): http://info.michael-simons.eu/2012/07/23/java-7-jaas-and-kerberos-single-sign-on-vs-newer-windows-systems/

Or from the Oracle docs: http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/tutorials/LoginConfigFile.html



I'm having the same problem, but with Linux.
What should I do to solve it?

Thanks in advance,
ced

You run DBeaver under Linux, try connecting to DB with Kerberos and connection fails?


Yes, with the same error message:
GSS Authentication failed
javax.security.auth.login.LoginException: No LoginModules configured for pgjdbc

I don’t have any Linux machine with desktop right now to try it =(
But, as I understood from the rpm, the dbeaver binary (/usr/share/dbeaver/dbeaver) reads this configuration file - /usr/share/dbeaver/dbeaver.ini, and it has this section: -vmargs -Xms64m -Xmx1024m, which is responsible for JVM parameters.
So try editing this file like this:

….
-vmargs
-Xms64m
-Xmx1024m
-Djava.security.auth.login.config=/path/to/pgjdbc.conf

and fill pgjdbc.conf with

pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
renewTGT=true
debug=true
};

Have you done “kinit username” to get ticket from server? What “klist” shows?


Thanks for your help,

I get a different error message now:
GSS Authentication failed
javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication

The kinit has been done and klist references my server:
06/06/2017 17:11:43 07/06/2017 02:51:07 postgres/inv-exp.ign.fr@
renew until 07/06/2017 16:51:07
06/06/2017 17:11:43 07/06/2017 02:51:07 postgres/inv-exp.ign.[email protected]
renew until 07/06/2017 16:51:07

This error most likely means that you got the ticket under one user and run the app under another.

Is inv-exp.ign.fr – server, where DB is running?

If yes, then it is wrong.
Try to run «kdestroy», then «kinit USR1», where USR1 – user, which is in pg_ident.conf file on DB server.

This «klist» output should be right:

klist

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: USR1@IGN.***-**-**@OPEN.RUFR

Even after a kdestroy and a new kinit, I get the same error message.
This is always the same problem I am facing with kerberos and JDBC... Kerberos authentication works fine with psql, but not with jdbc.

No, that shouldn’t matter.
Try to install postgres on your local machine and run «psql -U DB_user -p DB_port -h DB_host». It should give you the same error (Unable to get…)

There hasn't been any activity on this ticket for a very long time. It will be closed. However, if you think that it is still relevant, just let us know.

Sorry, I just saw this. Kinit works fine via the included jre/bin/kinit.exe in the zip version. This must be due to your kerberos setup.

Ours:

jdbc:hive2://{host}.domain.com:{port}/;principal=hive/{host}.domain.com,@DOMAIN.COM

Hi,

I'm still facing problems with kerberos authentication.

I have modified /usr/share/dbeaver/dbeaver.ini in that way:
-startup
plugins/org.eclipse.equinox.launcher_1.4.0.v20161219-1356.jar
--launcher.library
plugins/org.eclipse.equinox.launcher.gtk.linux.x86_64_1.1.550.v20170928-1359
-showsplash
-vmargs
-XX:+IgnoreUnrecognizedVMOptions
--add-modules=ALL-SYSTEM
-Duser.language=en
-Xms64m
-Xmx1024m
-Djava.security.auth.login.config=/home/CDuprez/pgjdbc.conf

But now, I get the following error message:
GSS Authentication failed
GSS Authentication failed
GSS Authentication failed
java.io.IOException: Configuration Error:
Line 7: expected [option key]
Configuration Error:
Line 7: expected [option key]
Configuration Error:
Line 7: expected [option key]

Here is what I get in the DBeaver log file:
2017-11-21 17:17:21.940 - Connection failed (postgres-jdbc-15fdf54c057-4ad4e18acc15f8e0)
2017-11-21 17:17:21.940 - org.jkiss.dbeaver.model.exec.DBCConnectException: GSS Authentication failed
org.jkiss.dbeaver.model.exec.DBCConnectException: GSS Authentication failed
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:190)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.openConnection(PostgreDataSource.java:365)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCExecutionContext.connect(JDBCExecutionContext.java:79)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.initializeMainContext(JDBCDataSource.java:115)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:109)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:98)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.<init>(PostgreDataSource.java:75)
at org.jkiss.dbeaver.ext.postgresql.PostgreDataSourceProvider.openDataSource(PostgreDataSourceProvider.java:89)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.connect(DataSourceDescriptor.java:714)
at org.jkiss.dbeaver.runtime.jobs.ConnectJob.run(ConnectJob.java:70)
at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:95)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:56)
Caused by: org.postgresql.util.PSQLException: GSS Authentication failed
at org.postgresql.Driver$ConnectThread.getResult(Driver.java:401)
at org.postgresql.Driver.connect(Driver.java:259)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:176)
... 11 more
Caused by: java.lang.SecurityException: java.io.IOException: Configuration Error:
Line 7: expected [option key]
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:137)
at sun.security.provider.ConfigFile.<init>(ConfigFile.java:102)
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at java.lang.Class.newInstance(Class.java:442)
at javax.security.auth.login.Configuration$2.run(Configuration.java:255)
at javax.security.auth.login.Configuration$2.run(Configuration.java:247)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.Configuration.getConfiguration(Configuration.java:246)
at javax.security.auth.login.LoginContext$1.run(LoginContext.java:245)
at javax.security.auth.login.LoginContext$1.run(LoginContext.java:243)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.init(LoginContext.java:243)
at javax.security.auth.login.LoginContext.<init>(LoginContext.java:417)
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:56)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:594)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:222)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:194)
at org.postgresql.Driver.makeConnection(Driver.java:450)
at org.postgresql.Driver.access$100(Driver.java:60)
at org.postgresql.Driver$ConnectThread.run(Driver.java:360)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.IOException: Configuration Error:
Line 7: expected [option key]
at sun.security.provider.ConfigFile$Spi.ioException(ConfigFile.java:666)
at sun.security.provider.ConfigFile$Spi.match(ConfigFile.java:562)
at sun.security.provider.ConfigFile$Spi.parseLoginEntry(ConfigFile.java:477)
at sun.security.provider.ConfigFile$Spi.readConfig(ConfigFile.java:427)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:329)
at sun.security.provider.ConfigFile$Spi.init(ConfigFile.java:271)
at sun.security.provider.ConfigFile$Spi.<init>(ConfigFile.java:135)
... 24 more

  1. What is in your /home/CDuprez/pgjdbc.conf file?
  2. Try -Djava.security.auth.login.config=file:/home/CDuprez/pgjdbc.conf instead

Here is my pgjdbc.conf content:
pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
renewTGT=true
debug=true
};

I've just tried -Djava.security.auth.login.config=file:/home/CDuprez/pgjdbc.conf but I get exactly the same error.

You need another one ";" :

pgjdbc {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt=true
useTicketCache=true
renewTGT=true
debug=true;
};
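
An added example, not part of the original thread and not DBeaver or pgjdbc code: it feeds the two pgjdbc entries quoted above to the JDK's own login-configuration parser, so the missing ";" and a lookup under an unconfigured name such as "123" can be checked without a KDC or a database. The class name JaasConfigCheck and the helper check are hypothetical, and the config strings are constructed from the text of the thread.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.URIParameter;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;

public class JaasConfigCheck {

    // Constructed sample: the entry from the thread, option list not closed by ';'.
    static final String BROKEN = String.join("\n",
        "pgjdbc {",
        "com.sun.security.auth.module.Krb5LoginModule required",
        "doNotPrompt=true",
        "useTicketCache=true",
        "renewTGT=true",
        "debug=true",
        "};",
        "");

    // Same entry with ';' ending the option list before the closing brace.
    static final String FIXED = BROKEN.replace("debug=true\n", "debug=true;\n");

    // Parses the text with the JDK login-config parser and looks up appName.
    // No login is attempted, so no ticket cache or krb5.conf is needed.
    static String check(String content, String appName) throws Exception {
        Path file = Files.createTempFile("jaas-check-", ".conf");
        try {
            Files.write(file, content.getBytes(StandardCharsets.UTF_8));
            Configuration cfg = Configuration.getInstance(
                "JavaLoginConfig", new URIParameter(file.toUri()));
            AppConfigurationEntry[] entries = cfg.getAppConfigurationEntry(appName);
            if (entries == null) {
                // This is the case behind "No LoginModules configured for <name>".
                return "no entry named \"" + appName + "\"";
            }
            StringBuilder sb = new StringBuilder("ok:");
            for (AppConfigurationEntry e : entries) {
                sb.append(' ').append(e.getLoginModuleName())
                  .append(' ').append(e.getOptions());
            }
            return sb.toString();
        } catch (Exception e) {
            // Syntax errors arrive wrapped; the root cause names the line.
            Throwable root = e;
            while (root.getCause() != null) root = root.getCause();
            return "parse error: " + String.valueOf(root.getMessage()).trim();
        } finally {
            Files.deleteIfExists(file);
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("broken, pgjdbc -> " + check(BROKEN, "pgjdbc"));
        System.out.println("fixed,  pgjdbc -> " + check(FIXED, "pgjdbc"));
        System.out.println("fixed,  123    -> " + check(FIXED, "123"));
    }
}
```

Compile with javac and run with java JaasConfigCheck; to test a real file, pass its contents to check instead of the constructed strings.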

OK, thanks.
Now, I'm back to the same error as before:
GSS Authentication failed
GSS Authentication failed
GSS Authentication failed
Unable to obtain Principal Name for authentication
Unable to obtain Principal Name for authentication

Do you have all of this? yum install krb5-workstation krb5-libs krb5-auth-dialog
Did you fill in krb5.conf?
Again: what does klist show?

My Linux distribution is Mint (ubuntu-like). There are no packages like krb5-workstation or krb5-libs.
I have installed krb5-auth-dialog.
I have a /etc/krb5.conf referencing my realm: IGN.FR
Here is a result of klist:
Ticket cache: FILE:/tmp/krb5cc_1001_TBImlO
Default principal: [email protected]

Valid starting Expires Service principal
22/11/2017 15:15:15 23/11/2017 01:15:15 krbtgt/IGN.[email protected]
renew until 23/11/2017 15:15:15

I have no problem to connect to my PostgreSQL database using Kerberos authentication with psql. The problem always occurs using jdbc drivers.

What is the database.url you connect to? It should be like jdbc:postgresql://db_host:db_port/db_name?kerberosServerName=postgres&jaasApplicationName=pgjdbc&user=CDuprez

Good question... Since I'm trying to connect with tools developed with Java, I don't know the exact database url.
Is it possible to get it in DBeaver?

Is it a DBeaver output error?
"GSS Authentication failed
GSS Authentication failed
GSS Authentication failed
Unable to obtain Principal Name for authentication
Unable to obtain Principal Name for authentication"

Yes. It is a popup window error.
The detailed log is the following:
2017-11-22 15:59:22.102 - Connection failed (postgres-jdbc-15fe43d9557-26e0ee3adb43e1b)
2017-11-22 15:59:22.103 - org.jkiss.dbeaver.model.exec.DBCConnectException: GSS Authentication failed
org.jkiss.dbeaver.model.exec.DBCConnectException: GSS Authentication failed
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:190)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.openConnection(PostgreDataSource.java:365)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCExecutionContext.connect(JDBCExecutionContext.java:79)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.initializeMainContext(JDBCDataSource.java:115)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:109)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.<init>(JDBCDataSource.java:98)
at org.jkiss.dbeaver.ext.postgresql.model.PostgreDataSource.<init>(PostgreDataSource.java:75)
at org.jkiss.dbeaver.ext.postgresql.PostgreDataSourceProvider.openDataSource(PostgreDataSourceProvider.java:89)
at org.jkiss.dbeaver.registry.DataSourceDescriptor.connect(DataSourceDescriptor.java:714)
at org.jkiss.dbeaver.runtime.jobs.ConnectJob.run(ConnectJob.java:70)
at org.jkiss.dbeaver.ui.dialogs.connection.ConnectionWizard$ConnectionTester.run(ConnectionWizard.java:213)
at org.jkiss.dbeaver.model.runtime.AbstractJob.run(AbstractJob.java:95)
at org.eclipse.core.internal.jobs.Worker.run(Worker.java:56)
Caused by: org.postgresql.util.PSQLException: GSS Authentication failed
at org.postgresql.Driver$ConnectThread.getResult(Driver.java:401)
at org.postgresql.Driver.connect(Driver.java:259)
at org.jkiss.dbeaver.model.impl.jdbc.JDBCDataSource.openConnection(JDBCDataSource.java:176)
... 12 more
Caused by: javax.security.auth.login.LoginException: Unable to obtain Principal Name for authentication
at com.sun.security.auth.module.Krb5LoginModule.promptForName(Krb5LoginModule.java:841)
at com.sun.security.auth.module.Krb5LoginModule.attemptAuthentication(Krb5LoginModule.java:704)
at com.sun.security.auth.module.Krb5LoginModule.login(Krb5LoginModule.java:617)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:755)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:195)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:682)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:680)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:587)
at org.postgresql.gss.MakeGSS.authenticate(MakeGSS.java:58)
at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:594)
at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:222)
at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49)
at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:194)
at org.postgresql.Driver.makeConnection(Driver.java:450)
at org.postgresql.Driver.access$100(Driver.java:60)
at org.postgresql.Driver$ConnectThread.run(Driver.java:360)
at java.lang.Thread.run(Thread.java:748)
2017-11-22 16:15:33.809 - DBeaver is stopping
2017-11-22 16:15:33.809 - Stop RMI server

Do you run DBeaver under CDuprez? Are you sure?
This error means only one thing: the user you run DBeaver as is not the user you ran "kinit" as.
Do you do kinit in terminal? Do you run DBeaver in terminal?

Yes, I run DBeaver under CDuprez.
Even when I launch DBeaver in a terminal after a "kinit", I get the same error.

Hi @ced75, in case that you haven't figured this one out yet, I had the same issue with same error messages. I have solved it by installing JCE - Java Cryptography Extensions. I suppose that your installation of Java does not have JCE, hence your Java clients are not able to use ciphers required by your KDC.
It is really unfortunate that no error message mentions this and I found it out by trial and error and following a hunch about the client not being able to open the ticket cache.
Hope this helps.

Hi.
Thanks for your help. The error message has changed:
GSS Authentication failed
GSS Authentication failed
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)
No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)

I haven't encountered such error, so just another hunch - can you log into the server with psql using kerberos ticket? So, is your ticket cache working? Do you have any tickets listed by klist? Also, could you share the debug output of dbeaver (ie. if you start dbeaver from konsole/xterm/...) from the moment you try to connect to the server?
I have ended with pretty easy configuration in /etc/pgjdbc.conf:

pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=true
  useTicketCache=true;
};

Plus I have added -Djava.security.auth.login.config=/etc/pgjdbc.conf to dbeaver.ini

There is no update on the ticket for more than a year.
Ticket is closed.
If the issue is still reproducible for you - feel free to reopen the ticket and add some details that could help to reproduce the issue or create the new one.
