
I'm trying to use the pgadmin4 container image with kerberos, according to https://www.pgadmin.org/docs/pgadmin4/development/kerberos.html.

The pgadmin web interface keeps telling me "Delegated credentials not supplied." But the Authorization header is transmitted properly. What am I doing wrong?

Here is a curl dump:

Command line:

kinit myuser
curl  -v --negotiate --user : http://***MYHOST***/login

Output:

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 172.28.28.133:80...
* TCP_NODELAY set
* Connected to ***MYHOST*** (172.28.28.133) port 80 (#0)
* Server auth using Negotiate with user ''
> GET /login HTTP/1.1
> Host: ***MYHOST***
> Authorization: Negotiate <token omitted>
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: gunicorn
< Date: Tue, 07 Sep 2021 15:24:47 GMT
< Connection: keep-alive
< Content-Type: text/html; charset=utf-8
< Content-Length: 6073
< X-Frame-Options: SAMEORIGIN
< Content-Security-Policy: default-src ws: http: data: blob: 'unsafe-inline' 'unsafe-eval';
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Set-Cookie: pga4_session=f372e462-19be-4c4b-926f-d23469d51237!ckfFYMTygG5gvVXmXlhZglyHop4=; Expires=Wed, 08-Sep-2021 15:24:47 GMT; HttpOnly; Path=/; SameSite=Lax
< 
{ [6073 bytes data]
<!DOCTYPE html>
<!--[if lt IE 7]>
<html class="no-js lt-ie9 lt-ie8 lt-ie7" lang="en"> <![endif]-->
<!--[if IE 7]>
<html class="no-js lt-ie9 lt-ie8" lang="en"> <![endif]-->
<!--[if IE 8]>
<html class="no-js lt-ie9" lang="en"> <![endif]-->
<!--[if gt IE 8]><!-->
<html class="no-js" lang="en"> <!--<![endif]-->
<head>
    <meta charset="utf-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">

    <title>pgAdmin 4</title>

    <meta name="viewport" content="width=device-width, initial-scale=1">

    <!-- To set pgAdmin4 shortcut icon in browser -->
    <link rel="shortcut icon" href="/favicon.ico?ver=50600"/>

    <!-- Base template stylesheets -->
    <link type="text/css" rel="stylesheet" href="/static/js/generated/style.css?ver=50600"/>
    <link type="text/css" rel="stylesheet" href="/static/js/generated/pgadmin.style.css?ver=50600"/>
    <link type="text/css" rel="stylesheet" href="/static/js/generated/pgadmin.css?ver=50600"/>

     <!--View specified stylesheets-->
    
    <script type="application/javascript">
        /* This is used to change publicPath of webpack at runtime */
        window.resourceBasePath = "/static/js/generated/";
    </script>
    <!-- Base template scripts -->
    <script type="application/javascript"
            src="/static/vendor/require/require.min.js?ver=50600"></script>
    <script type="application/javascript">
            require.config({
                baseUrl: '',
                urlArgs: 'ver=50600',
                waitSeconds: 0,
                shim: {},
                paths: {
                    sources: "/static/js",
                    datagrid: "/static/js/generated/datagrid",
                    sqleditor: "/static/js/generated/sqleditor",
                    'pgadmin.browser.utils': "/browser/" + "js/utils",
                    'pgadmin.browser.endpoints': "/browser/" + "js/endpoints",
                    'pgadmin.browser.messages': "/browser/" + "js/messages",
                    'pgadmin.browser.constants': "/browser/" + "js/constants",
                    'pgadmin.server.supported_servers': "/browser/" + "server/supported_servers",
                    'pgadmin.user_management.current_user': "/user_management/" + "current_user",
                    'translations': "/tools/" + "translations"
                }
            });

    </script>

    <!-- View specified scripts -->
    <script type="application/javascript" src="/static/js/generated/vendor.main.js?ver=50600" ></script>
    <script type="application/javascript" src="/static/js/generated/vendor.others.js?ver=50600" ></script>
    <script type="application/javascript" src="/static/js/generated/pgadmin_commons.js?ver=50600" ></script>

</head>
<body>
<!--[if lt IE 7]>
<p class="browsehappy">You are using an <strong>outdated</strong> browser. Please <a href="http://browsehappy.com/">upgrade
    your browser</a> to improve your experience.</p>
<![endif]-->

<div class="container-fluid h-100 login_page">
        <div style="position: fixed; top: 20px; right: 20px; width: 400px; z-index: 9999">
        <div class="alert alert-danger alert-dismissible fade show" role="alert">
        Delegated credentials not supplied.
        <button onclick="hide()" type="button" class="close" data-dismiss="alert" aria-label="Close"><span
                aria-hidden="true">&times;</span></button>
    </div>
    </div>
<script>
function hide(){
    var target = event.target || event.srcElement;
    if (target.type === undefined)
        target=target.parentNode;
    target.parentNode.classList.remove("show");
}
</script>
    <div class="row h-100 align-items-center justify-content-center">
        <div class="col-md-6"><div class="pr-4">
 <img src="/static/img/login.svg?ver=50600" alt="Login">
</div>
</div>
        <div class="col-md-3">
            <div class="panel-header text-color h4"><i class="app-icon pg-icon" aria-hidden="true"></i> pgAdmin 4</div>
            <div class="panel-body">
                <div class="d-block text-color pb-3 h5">Login</div>
                <form action="/authenticate/login" method=
100  6073  100  6073    0     0   197k      0 --:--:-- --:--:-- --:--:--  197k
* Connection #0 to host ***MYHOST*** left intact
"POST" name="login_user_form">
    <input id="next" name="next" type="hidden" value="">
<input id="csrf_token" name="csrf_token" type="hidden" value="ImY4Y2U0NDVmOTZhYmNiYWM2MjU1Njk2YWUxNGU2ZTM2NjlmODgxODQi.YTeEPw.goqhnkaxNASl3A7wzXHiKeqEWis">
        <div class="form-group mb-3 ">
    <input class="form-control" placeholder="Email Address / Username" name="email"
           type="text" autofocus>
    </div>

    <div class="form-group mb-3 ">
    <input class="form-control" placeholder="Password" name="password"
           type="password" autofocus>
    </div>

    <button name="internal_button"  disabled  class="btn btn-primary btn-block btn-login" type="submit" value="Login">Login</button>
    <div class="form-group row mb-3 c user-language">
        <div class="col-7"><span class="help-block"><a href="/browser/reset_password" class="text-white">Forgotten your password</a>?</span></div>
        <div class="col-5">
            <select class="form-control" name="language" value="en">
                                <option value="en" selected>English</option>
                                <option value="zh" >Chinese (Simplified)</option>
                                <option value="cs" >Czech</option>
                                <option value="fr" >French</option>
                                <option value="de" >German</option>
                                <option value="it" >Italian</option>
                                <option value="ja" >Japanese</option>
                                <option value="ko" >Korean</option>
                                <option value="pl" >Polish</option>
                                <option value="ru" >Russian</option>
                                <option value="es" >Spanish</option>
                            </select>
        </div>
    </div>
</form>
            </div>
        </div>
    </div>
</div>
<script type="application/javascript">
            
</script>

</body>
</html>

EDIT: Please understand that I have hidden host, user and realm to disguise my employer.

Further details from inside the container:

/pgadmin4 # klist -k -t /etc/krb5.keytab
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 01/01/70 00:00:00 HTTP/***MYHOST***@***MYREALM***

/pgadmin4 # kinit ***MYUSER***
Password for ***MYUSER***@***MYREALM***: ***
/pgadmin4 #

... so I concluded my keytab is correct and my Kerberos configuration works (due to the fact that kinit works) (?)

By the way, I am using the same keytab with the same serviceprincipalname on the same host with a webserver container that works - so I do not suspect problems with the serviceprincipalname in general(?)

fjf2002
  • What are the settings of your SPN account? Is delegation enabled on it? – Bhushan Karmarkar Sep 08 '21 at 13:59
  • Thank you for your comment. Please see my EDIT. --- Concerning delegation: I do not have access to the ActiveDirectory, but I can tell you the stuff works with the same serviceprincipalname on the same host with another webserver container, as described in my EDIT. – fjf2002 Sep 09 '21 at 06:43
  • The error mentions "Delegated credentials not provided" - basically your app is trying to acquire a kerb ticket for Service B from the ticket it received from the browser (note the ticket the browser sends is for your service). The server fails to obtain that second ticket based on the ticket it received. This happens due to bad configuration at KDC level - especially when your service principal is not allowed to delegate the credentials. – Bhushan Karmarkar Sep 09 '21 at 12:00
  • Are you using a Windows KDC? If yes, you can check the user attributes of your service principal (keytab principal) inside AD - check if delegation is enabled for the appropriate service. – Bhushan Karmarkar Sep 09 '21 at 12:01
  • Is it possible that delegation was not necessary for my other webservice that works, but is necessary for pgadmin4? Why? Does pgadmin try the so-called "second phase" as described in https://www.enterprisedb.com/blog/kerberos-support-pgadmin-4 ? Documentation is sparse. - I will try to reach my AD admin to enable delegation. – fjf2002 Sep 10 '21 at 07:59
  • The above link mentions future versions will have delegation to postgres. But I believe it is expecting delegated credentials internally - not sure if they have part of it already coded in their current release. Your IT Admin should help you in this. – Bhushan Karmarkar Sep 13 '21 at 05:12
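A client-side check to run before the curl command in the question, and before asking the AD admin about the KDC-side delegation setting the comments discuss: the server can only receive delegated credentials if the client's TGT is forwardable and the client opts in (curl does so with --delegation always). This is an added example, not code from the question, the comments or the pgAdmin project; it assumes MIT Kerberos klist output, and the two klist samples are constructed.

```shell
# Added example: parse `klist -f` output and report whether the TGT carries
# the F (forwardable) flag, which GSSAPI needs before it can delegate.
# MIT Kerberos output format assumed; the samples are constructed.

SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@EXAMPLE.REALM

Valid starting       Expires              Service principal
09/07/21 15:20:00  09/08/21 01:20:00  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        Flags: FRIA
09/07/21 15:24:47  09/08/21 01:20:00  HTTP/pgadmin.example.realm@EXAMPLE.REALM
        Flags: FRAT'

SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: myuser@EXAMPLE.REALM

Valid starting       Expires              Service principal
09/07/21 15:20:00  09/08/21 01:20:00  krbtgt/EXAMPLE.REALM@EXAMPLE.REALM
        Flags: RIA'

# tgt_flags: print the flag letters of the first krbtgt/ entry in klist output
# (the "Flags:" line follows the ticket line); prints nothing if absent.
tgt_flags() {
  printf '%s\n' "$1" | awk '/krbtgt\//{ getline; if ($1 == "Flags:") print $2; exit }'
}

# tgt_forwardable: succeed only when the TGT carries the uppercase F flag.
tgt_forwardable() {
  case "$(tgt_flags "$1")" in
    *F*) return 0 ;;
    *)   return 1 ;;
  esac
}

# Check the live credential cache when klist is installed. With a forwardable
# TGT, the request from the question can be retried with delegation enabled:
#   curl -v --negotiate --delegation always --user : http://MYHOST/login
if command -v klist >/dev/null 2>&1; then
  if tgt_forwardable "$(klist -f 2>/dev/null)"; then
    echo "TGT is forwardable; curl --delegation always can forward it"
  else
    echo "TGT is not forwardable; get one with kinit -f (or forwardable = true in krb5.conf)"
  fi
fi
```

If the TGT is forwardable and the server still reports the error, the remaining cause is on the server or KDC side, as the comments describe.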
