I'm trying to configure my PostgreSql database ("mydb") in order to give login rights to the windows "LocalSystem" account.
I've created a user in my database named LocalSystem
SQL> CREATE USER LocalSystem;
Then, I've tried using SSPI config in pg_hba.conf, but maybe I've misconfigured the configuration line:
# TYPE DATABASE USER ADDRESS METHOD
host mydb LocalSystem 127.0.0.1/32 sspi
When I run a command using psql, I'm asked to provide a password...which i didn't expect..
EDIT:
I've also tried to map my domain account to a postgres user, using
pg_ident.conf
#MAPNAME SYSTEM-USERNAME PG-USERNAME
postgresname domain\username postgresname
pg_hba.conf
# TYPE DATABASE USER ADDRESS METHOD
host mydb postgresname 127.0.0.1/32 sspi
Does someone know what should I do?
Thanks
It asks for the password of the Postgres account, not the Windows account. you can set the Postgres password through ALTER ROLE or in psql using the \password command
You need to add new mapping line to pg_ident.conf:
anyMappingName "SYSTEM#NT AUTHORITY" postgresUserName
Add this mapping to all active lines in pg_hba.conf:
host mydb all 127.0.0.1/32 sspi map=anyMappingName
Then you should connect to postgres db as postgresUserName user. I mean you should define Username in your connection string, and also define IntegratedSecurity as TRUE.
For example, postgresUserName can be "LocalSystem" user, that you created in postgres db earlier, or superuser "postgres".
Related
I have a PostgreSQL database. I have a library that accesses said database. I have test code to test that library.
Previously everything worked fine, but this morning my test logs have errors like this:
ERROR: permission denied for table configuration
In an attempt to narrow down the problem I created a script to recreate the database and all permissions from scratch. It is based upon countless similar scripts I have used previously. It starts like this:
DROP DATABASE boards_db;
DROP OWNED BY test_user;
DROP USER test_user;
CREATE USER test_user WITH PASSWORD 'testing';
CREATE DATABASE boards_db WITH ENCODING='UTF8' OWNER = test_user;
\c boards_db
GRANT ALL PRIVILEGES ON DATABASE boards_db to test_user;
ALTER DEFAULT PRIVILEGES GRANT ALL ON TABLES TO test_user;
ALTER DEFAULT PRIVILEGES GRANT ALL ON SEQUENCES TO test_user;
CREATE TABLE IF NOT EXISTS sessions (
user_id INTEGER PRIMARY KEY,
admin BOOLEAN NOT NULL,
session_id TEXT
);
In trying to debug this issue I foolishly meddled with the pg_hba.conf file. It now looks as below, and I can now log on as the test user (or other users) without specifying a hostname, thanks to the line "local all all md5" that I added
# Database administrative login by Unix domain socket
local all postgres peer
# TYPE DATABASE USER ADDRESS METHOD
# "local" is for Unix domain socket connections only
local all all md5
local all all peer
# IPv4 local connections:
host all all 127.0.0.1/32 md5
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
However, I STILL cannot actually do anything with any of the tables in the database.
$ psql -W -U test_user -d boards_db
Password:
psql (12.9 (Ubuntu 12.9-0ubuntu0.20.04.1))
Type "help" for help.
boards_db=> select * from sessions;
ERROR: permission denied for table sessions
The trick of setting default privileges before creating all the tables etc. has worked before in a multitude of database. Why doesn't it work here? Why can test_user not access the tables?
I am following a tutorial on how to create a to do app with PERN stack.
(working on ubuntu 18.4, postgres version 12.3)
I did install the PostrgreSQL, server is running on 5000 and I am able to enter to the database from the command line with "psql -U postgres" but when I try to connect database with the server I am getting this error: password authentication failed for user "postgres".
I was not asked to give any password to the user "postgres" while instalation so I left the password in the db file empty.
My db file looks like this:
const Pool = require("pg").Pool;
const pool = new Pool({
user: "postgres",
password: "",
host: "localhost",
port: 5432,
database: "perntodo",
});
module.exports = pool;
what can I co?
I did set the postrgres authentication in pg_hba.conf file from peer to trust as I found in another issue on stockoverflow, but the error keeps appearing.
The immediate fix would be to eliminate:
host: "localhost"
from your connection settings. This would force the connection to be made on local which would be equivalent to what you are doing with psql -U postgres.
The longer term fix would be to use psql -U postgres to connect and then ALTER ROLE postgres WITH PASSWORD '<some_pwd>'. This would give this ROLE a password. You can do this with other roles that already exist by using ALTER or when you CREATE a new role in the create statement.
The connection authentication methods are controlled by the pg_hba.conf file. A full explanation of what it does is available here:
https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
If the above does not answer all your questions then come back with specific concerns.
Don't use user postgres to connect your application to PostgreSQL.
Create separate user for application.
Grant to application user strict permissions only for schemes and tables what it need access.
Add pg_hba.conf record for application user
Enjoy
If I go as per your error message, then you need to reset postgres password. And I believe the default isnt working or you might have forgotten after resetting it.
Please follow below tutorial for resetting password:-
https://docs.bitnami.com/aws/infrastructure/postgresql/administration/change-reset-password/
or refer the answer for below:-
What is the default password for Postgres
I'm using Postgresql, and I have a database named django_db and a user manuel. I want to connect to this database by this user, I tried this \c django_db manuel but I get this error:
FATAL: Peer authentication failed for user "manuel"
Previous connection kept
How can I solve this problem?
Make sure the user manuel has access to the database django_db in the pg_hba.conf file, e.g.
host django_db manuel your_ip_adress md5
Or if you prefer to give this user access to all databases
host all manuel your_ip_adress md5
After modifying your pg_hba.conf you have to either restart postgres or simply reload the file using the following function:
SELECT pg_reload_conf();
Unless you have a user mapping in place, only the OS user named 'manuel' can connect as the PostgreSQL user named 'manuel'. This is what "peer authentication" means.
You have many choices here. Try this as an OS user named 'manuel', or change from peer to some other type of authentication (in pg_hba.conf), or create a pg_ident.conf file (and then configure pg_hba.conf to use it) that allows the OS user you actually are to login as PostgreSQL user 'manuel'.
I am trying to set my local postgresql so it does not have a password. I understand that this has to be done in the pg_hba.conf file and to acceess that file I have to be a postgres user. But to be a postgres user, I have to login with su postgres and enter the password that I don't have.
Any solution to this (I am on OSX)?
You're confusing several different concepts about the security model.
There is a postgres operating system user, which the PostgreSQL server runs as in order to isolate its data files and to limit damage in case of a security breach or application bug. PostgreSQL won't run as root for security. This user doesn't generally have a password, but you can change to it via the root account using sudo - you can sudo to this user with something like sudo -i -u postgres.
There is also a postgres database user, the default database superuser. This user doesn't generally have a password by default, but pg_hba.conf allows the postgres operating system user to connect as the postgres PostgreSQL user using peer authentication.
If you want you can change the configuration so that you use a password for the postgres database user, so you can psql -U postgres from any system user account:
ALTER USER postgres WITH ENCRYPTED PASSWORD 'blahblah';
Edit pg_hba.conf ("hba" is "host-based authentication") to use md5 authentication for local and host connections.
Re-start or re-load PostgreSQL
Similarly, if you want to allow any system user to connect as any database user without a password, you must modify pg_hba.conf and set trust as the authentication mode for local and host connection types. Please only use trust authentication for testing.
To learn more, see the client authentication chapter in the PostgreSQL documentation.
I'm pretty new to PostreSQL. I've spent all morning trying to get user logins working properly, and I'm terribly frustrated by now!
So, I have a PostGIS database, version 9.2, as part of the OpenGeo suite of software. I could access the database with the postgres user, but want to make a group role and user with access to a database so that it can create tables and update/select/delete etc. in that database.
I can create a user, that works, and I can login with that user. I can create a group role and assign privileges to the role. I can then add the user to the group role, and then can NO LONGER LOGIN!
It even got so that when I added the user postgres to the group, that user can't login. I remove the group but the inability to login persists.
Now, I have played with pg_hba.conf a lot. And I can now login as postgres, but only if 'trust' is enabled, and I can't login with any software, such as PGAdminIII.
It would be great to get some advice as to what is going wrong, and to enable authenticated logins again.
pg_hba:
Code:
# Database administrative login by Unix domain socket
local all postgres trust
local all gisadmin trust
# TYPE DATABASE USER ADDRESS METHOD
local all opengeo md5
local all opengeo md5
# "local" is for Unix domain socket connections only
local all all md5
# IPv4 local connections:
host all all 127.0.0.1/32 md5
host all gisadmin localhost trust
# IPv6 local connections:
host all all ::1/128 md5
# Allow replication connections from localhost, by a user with the
# replication privilege.
#local replication postgres peer
#host replication postgres 127.0.0.1/32 md5
#host replication postgres ::1/128 md5
Just as a final note, I would like to be able to login via a SSH tunnel. I could do that originally with the 'postgres' user, but now that I added and removed that user from a group, I can't.
Edit: the error messages...
If I login via SSH tunnel in PGAdmin with the correct password, I get the error "FATAL: password authentication failed for the user ..."
If I try to login via SSH tunnel in PGAdmin without a password, while the trust option is set, I get the error: "error connecting to the server: fe_sendauth: no password supplied".
The first error still happens when logging in locally, just via SSH and psql, but the second one goes away and I can log in.
output of \du+:
output of \dg+
I think this behaviour may be related with pgAdminIII, because i'm having similar issues and it seems every time i connect to my db as postgres using pgAIII and look at the definition tab in user properties, the check box for the "expiring date" is checked and either 1/1/1970 or 31/12/1969 are set as expiring date. The solution proposed by Daniel works, so it's obvious the problem is the expiration of the password.
Seems that this bug was corrected in pgAdmin 1.16.2 as you can see in the changelog:
http://www.pgadmin.org/development/changelog.php
Cheers
In the \du+ output, the Password valid until 1970-01-01 00:00:00+00... look quite suspicious. Strictly speaking, the passwords for gisadmin, postgisrw and postgres are no longer valid so that might explain why password-based authentication methods fail for these accounts.
You may try ALTER USER username valid until 'infinity' on these accounts and see if that solves the problem.
Also when connecting to PG through a SSH tunnel, be aware that the pg_hba.conf entries starting with host are ignored. These entries are only considered for connections to Unix domain sockets. Sometimes users confuse that with connections from localhost to itself.