This is a follow-up article to "How to setup kerberos authentication on gpdb v6 with Windows active directory kerberos." Because the community edition and the enterprise edition of DBeaver use different UIs for setting up advanced authentication, this article focuses on the community edition of DBeaver.
Product Version: 6.25
    [libdefaults]
    debug = true
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    default_realm = VC.LOCA

    [realms]
    VC.LOCA = {
        kdc = wserver2019.vc.loca
        admin_server = wserver2019.vc.loca
        default_realm = VC.LOCA
    }

    [domain_realm]
    .vc.loca = VC.LOCA
    vc.loca = VC.LOCA

4. Add two items to the Windows system environment (make sure the related directories exist):
    # Configuration snippets may be placed in this directory as well
    [libdefaults]
    #default_cc_type = FILE
    #default_ccache_name = FILE:/tmp/krb5cc_501
    debug = true
    # default_etypes = aes256-cts-hmac-sha1-96
    dns_lookup_kdc = false
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    # rdns = false
    # pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
    default_realm = VC.LOCA
    #default_ccache_name = KEYRING:persistent:%{uid}
    # kdc = wserver2019.vc.loca:88
    # admin_server = wserver2019.vc.loca:749

    [realms]
    VC.LOCA = {
        kdc = wserver2019.vc.loca
        admin_server = wserver2019.vc.loca
        default_realm = VC.LOCA
    }

    [domain_realm]
    .vc.loca = VC.LOCA
    vc.loca = VC.LOCA

6. Put the content below into c:\kb\pgjdbc.conf:
    pgjdbc {
        com.sun.security.auth.module.Krb5LoginModule required
        doNotPrompt=false
        useTicketCache=true
        renewTGT=true
        debug=true;
    };

7. Add the content below to the END of C:\Users\Administrator\AppData\Local\DBeaver\dbeaver.ini (this file may be located elsewhere, such as C:\Program Files\DBeaver, depending on the DBeaver directory chosen during installation).
    -Ddbeaver.distribution.type=exe
    -Djavax.security.auth.useSubjectCredsOnly=false
    -Djava.security.krb5.conf=c:\kb\krb5.conf
    -Dsun.security.krb5.debug=true
    -Djava.security.auth.login.config=c:\kb\pgjdbc.conf

8. Open a Windows command window and run the commands below to acquire a Kerberos ticket. Both commands work; the keytab file is the same one from the previous article. (The Windows klist may not work and may return no result, so I copied the MIT Kerberos klist tool into C:\windows\system32, and then it works fine.)
    C:\Users\Administrator>kdestroy
    C:\Users\Administrator>kinit -kt c:\temp\gpdb4.keytab gpdb/admin
    C:\Users\Administrator>kdestroy
    C:\Users\Administrator>kinit gpdb/admin
    Password for gpdb/admin@VC.LOCA:
    C:\Users\Administrator>kinit -kt c:\temp\gpdb4.keytab gpdb/admin
    C:\Users\Administrator>klist
    Ticket cache: FILE:c:\temp\kerb5cache
    Default principal: gpdb/admin@VC.LOCA

    Valid starting     Expires            Service principal
    09/06/23 14:47:14  09/07/23 00:47:14  krbtgt/VC.LOCA@VC.LOCA
            renew until 09/13/23 14:47:14

9. Open DBeaver, set up a new connection, and add the gpdb master hostname, port, username and password (the password used to create the keytab).
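An added example, not part of the original article and not code from DBeaver or pgjdbc: a Python check that the dbeaver.ini options from step 7, the JAAS file from step 6 and krb5.conf agree with one another, and that reports the debug switches that are enabled. The function names and the abbreviated sample file contents are constructed for illustration; the entry name pgjdbc and the option values are the ones shown in the article.

```python
import re

# Constructed sample inputs, abbreviated from the files shown in this article.
DBEAVER_INI = r"""-Djavax.security.auth.useSubjectCredsOnly=false
-Djava.security.krb5.conf=c:\kb\krb5.conf
-Dsun.security.krb5.debug=true
-Djava.security.auth.login.config=c:\kb\pgjdbc.conf
"""
JAAS_CONF = """pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
  doNotPrompt=false useTicketCache=true renewTGT=true debug=true;
};"""
KRB5_CONF = """[libdefaults]
default_realm = VC.LOCA
[realms]
VC.LOCA = {
  kdc = wserver2019.vc.loca
}
"""

def jvm_props(ini_text):
    """Map each -Dname=value line of dbeaver.ini to {name: value}."""
    return dict(re.findall(r"^-D([^=\s]+)=(.*?)\s*$", ini_text, re.M))

def check(ini_text, jaas_text, krb5_text, jaas_entry="pgjdbc"):
    """Hypothetical helper: list mismatches against the article's settings."""
    out, props = [], jvm_props(ini_text)
    for key in ("java.security.krb5.conf", "java.security.auth.login.config"):
        if key not in props:
            out.append(f"error: dbeaver.ini lacks -D{key}")
    if props.get("javax.security.auth.useSubjectCredsOnly") != "false":
        out.append("error: useSubjectCredsOnly is not false as in the article")
    if props.get("sun.security.krb5.debug") == "true":
        out.append("note: dbeaver.ini enables Kerberos debug output")
    # Find the named JAAS entry and read its key=value options.
    entry = re.search(rf"^\s*{re.escape(jaas_entry)}\s*\{{(.*?)\}}\s*;", jaas_text, re.M | re.S)
    if not entry:
        out.append(f"error: JAAS file has no '{jaas_entry}' entry")
    else:
        opts = dict(re.findall(r"(\w+)\s*=\s*([^\s;]+)", entry.group(1)))
        if opts.get("useTicketCache") != "true":
            out.append("error: useTicketCache is not true, kinit ticket is not reused")
        if opts.get("debug") == "true":
            out.append("note: JAAS entry enables debug output")
    # The default realm must have a matching block under [realms].
    realm = re.search(r"^\s*default_realm\s*=\s*(\S+)", krb5_text, re.M)
    if not realm:
        out.append("error: krb5.conf has no default_realm")
    elif not re.search(rf"^\s*{re.escape(realm.group(1))}\s*=\s*\{{", krb5_text, re.M):
        out.append(f"error: default_realm {realm.group(1)} has no [realms] entry")
    return out
```

To check a real installation, pass the text of the three files read from disk to `check()`; an empty list means no mismatch was found.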