Last updated 2025/09/04 (UTC).
# Troubleshoot Active Directory integration in AlloyDB Omni

This document describes errors you might encounter when you integrate Active Directory in AlloyDB Omni. Examples of errors and recommended fixes are also provided.

Active Directory integration with AlloyDB Omni fails
----------------------------------------------------

When Active Directory isn't working, follow these steps to resolve the issue:

1. Verify the keytab file.

   Make sure that you can connect to the Active Directory server using the
   keytab that you obtained:

   ```
   kinit -kt PATH_TO_KEYTAB_FILE postgres/DBCLUSTER_HOST@REALM
   ```
2. Verify the host.

   Make sure that the host you used when you generated the keytab file is the same host
   in the psql command, as shown in the following example:

   ```
   KTPass /princ postgres/DBCLUSTER_HOST@REALM /Pass PASSWORD /mapuser postgres /crypto ALL /ptype KRB5_NT_Principal /out OUTPUT_PATH

   psql -h DBCLUSTER_HOST -d DB_NAME -U USERNAME@REALM
   ```

   Make sure that `DBCLUSTER_HOST` is the same in both commands.
3. Verify the `krb5.conf` file.

   Verify the contents of the `krb5.conf` file on the client. Make sure that the
   `krb5.conf` file contents are correct for your configuration.

   ```
   cat /etc/krb5.conf
   ```

   The following is the expected output:

   ```
   [libdefaults]
   default_realm = REALM
   [realms]
   REALM = {
   kdc = KDC_HOST
   admin_server = ADMIN_SERVER
   }
   [domain_realm]
   HOST_DOMAIN_1 = REALM
   HOST_DOMAIN_2 = REALM
   ```
4. Verify the HBA entries and status.

   1. Run the following commands and send the logs to the [AlloyDB Omni product team](https://docs.google.com/forms/d/e/1FAIpQLSfLhBlJbtPJuvXcAS7WSF4J_CcCfO7tSWdCLqztAg1PhLX_vw/viewform).

      ```
      psql -h DBCLUSTER_HOST -U postgres -d postgres
      ```

      `psql` prompts you for the `postgres` user's password:

      ```
      Password for user postgres:
      ```

      `psql` returns the following output:

      ```
      psql (17.5 (Ubuntu 17.5-0ubuntu0.25.04.1), server 16.3)
      SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: none)
      Type "help" for help.
      ```
   2. Run the following command in the `psql` prompt:

      ```
      postgres=# table pg_hba_file_rules ;
      ```

      Output similar to the following example is returned.

      ```
      rule_number | file_name | line_number | type | database | user_name | address | netmask | auth_method | options | error
      -------------+--------------------------------------+-------------+---------+----------+--------------------+-----------+-----------------------------------------+-------------+--------------------------+-----------------------------------------------------
      1 | /var/lib/postgresql/data/pg_hba.conf | 1 | host | {all} | {alloydbadmin} | 127.0.0.1 | 255.255.255.255 | trust | |
      | /var/lib/postgresql/data/pg_hba.conf | 2 | hostssl | {all} | {alloydbadmin} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust | | hostssl record cannot match because SSL is disabled
      | /var/lib/postgresql/data/pg_hba.conf | 3 | hostssl | {all} | {alloydbpgbouncer} | 0.0.0.0 | 0.0.0.0 | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
      | /var/lib/postgresql/data/pg_hba.conf | 4 | hostssl | {all} | {alloydbpgbouncer} | ::1 | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | cert | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
      | /var/lib/postgresql/data/pg_hba.conf | 5 | hostssl | {all} | {alloydbadmin} | all | | reject | | hostssl record cannot match because SSL is disabled
      | /var/lib/postgresql/data/pg_hba.conf | 6 | | | | | | | | invalid CIDR mask in address "0.0.0.0/1000"
      2 | /var/lib/postgresql/data/pg_hba.conf | 7 | local | {all} | {all} | | | trust | |
      ```
5. Review error messages in the `error` column, which can help you identify
   configuration issues.

6. Print the debug level `krb5` logs.

   ```
   export KRB5_TRACE=/dev/stderr
   kinit AD_USER@REALM
   psql -h DBCLUSTER_HOST -d DB_NAME -U USERNAME@REALM
   ```

   **Note:** For more information about this issue, open the `postgres.log` file.

psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: FATAL: role "user2" does not exist
-----------------------------------------------------------------------------------------------------------

**Description**

This error occurs when a system user, who is trying to connect, doesn't have a
PostgreSQL user created, or doesn't have a role mapped.

**Recommended fix**

Create a role in PostgreSQL with the required username, or add an entry for this
user to the `pg_ident.conf` file.

    psql (16.3)
    Type "help" for help.

    postgres=# CREATE ROLE user2 WITH LOGIN;
    CREATE ROLE

Server restart fails with error: "could not load /var/lib/postgresql/data/pg_hba.conf"
--------------------------------------------------------------------------------------

**Description**

The server restart failed because the `pg_hba.conf` contains invalid entries.

**Recommended fix**

Check the `pg_hba.conf` file for invalid entries.

FATAL: LDAP group synchronization failed
----------------------------------------

**Description**

LDAP synchronization fails when the user tries to sign in.

**Recommended fix**

1. Sign in as the `postgres` user and run the following:

   ```
   CREATE EXTENSION google_pg_auth;
   ```
2. Check the `postgresql.log` file for information about why the LDAP sign-in
   failed.

   ```
   cat /obs/diagnostic/postgresql.log | grep google_pg_auth
   ```

What's next
-----------

- [Integrate Active Directory with AlloyDB Omni](/alloydb/omni/current/docs/integrate-active-directory)