GSSAPI continuation error: The ticket isn't for us


Article ID: 296934


Products

VMware Tanzu Greenplum

Issue/Introduction

When setting up Kerberos authentication, the following error can occur: 'GSSAPI continuation error: The ticket isn't for us'.

This error indicates a mismatch between the ticket and authenticator - typically because the principal name does not match the service ticket name.
The ticket isn't for us
Ticket/authenticator don't match
Cause:
There was a mismatch between the ticket and the authenticator. The principal name in the request might not have matched the service principal's name, either because the ticket was sent with an FQDN name of the principal while the service expected a non-FQDN name, or because a non-FQDN name was sent when the service expected an FQDN name.
Solution:
If you get this error when you are running applications other than kprop, investigate whether the server's keytab file is correct.

When GSSAPI uses Kerberos, it uses a standard principal in the format servicename/hostname@realm. The default service name for Greenplum is 'postgres' (lowercase). Some Kerberos implementations might require a different service name, such as Microsoft Active Directory, which requires the service name to be in upper case (POSTGRES).

Environment

Product Version: 6.25

Resolution

To change the service name, set the connection parameter krbsrvname to the desired name, for example in the connection service file:
$ cat ~/.pg_service.conf

[data]
host=hostname
dbname=database
port=5432
user=userid
krbsrvname=POSTGRES
...
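
An added example (not part of the original article or of Greenplum's tooling): a shell function that compares the service principal a client will request against a `klist -k` listing of the server keytab and reports whether the mismatch is in the service-name case or in the host-name form (FQDN vs. short name). The function names, the sample listing, the host and the realm are constructed for illustration.

```shell
#!/bin/sh
# Constructed `klist -k` listing (MIT Kerberos layout) for an AD-issued keytab.
sample_keytab_listing() {
cat <<'EOF'
Keytab name: FILE:/path/to/server.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 POSTGRES/mdw.example.com@EXAMPLE.COM
EOF
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# diagnose_spn SERVICE HOST REALM   (keytab listing on stdin)
# SERVICE is the client's krbsrvname, HOST the host name it connects to.
# Prints: match | service-case-mismatch | host-form-mismatch | not-found
diagnose_spn() {
    want_svc=$1 want_host=$2 want_realm=$3
    result=not-found
    while read -r _kvno princ; do
        case $princ in */*@*) ;; *) continue ;; esac   # skip header lines
        svc=${princ%%/*}
        rest=${princ#*/}
        host=${rest%@*}
        realm=${rest##*@}
        [ "$realm" = "$want_realm" ] || continue
        if [ "$svc" = "$want_svc" ] && [ "$host" = "$want_host" ]; then
            result=match
            break
        elif [ "$host" = "$want_host" ] && [ "$(lc "$svc")" = "$(lc "$want_svc")" ]; then
            result=service-case-mismatch      # e.g. postgres vs POSTGRES
        elif [ "$svc" = "$want_svc" ] && [ "${host%%.*}" = "${want_host%%.*}" ]; then
            result=host-form-mismatch         # FQDN vs short host name
        fi
    done
    printf '%s\n' "$result"
}

# Client left krbsrvname at the default 'postgres'; the keytab holds POSTGRES/...
sample_keytab_listing | diagnose_spn postgres mdw.example.com EXAMPLE.COM
```

On a real system, pipe the output of `klist -k` for the server's keytab into `diagnose_spn`; a `service-case-mismatch` result is the situation that setting krbsrvname corrects.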