Added support to connect PostgreSQL servers via Kerberos authentication. Fixes #6158

2025-01-23 23:13:38 -06:00 · 2021-05-03 16:10:45 +05:30 · 2021-05-03 16:10:45 +05:30 · 72f3730c34
commit 72f3730c34
parent aa9a4c30d3
28 changed files with 509 additions and 90 deletions
--- a/docs/en_US/release_notes_5_3.rst
+++ b/docs/en_US/release_notes_5_3.rst
@ -9,6 +9,7 @@ This release contains a number of bug fixes and new features since the release o
 New features
 ************

+| `Issue #6158 <https://redmine.postgresql.org/issues/6158>`_ -  Added support to connect PostgreSQL servers via Kerberos authentication.

 Housekeeping
 ************
--- a/web/config.py
+++ b/web/config.py
@ -634,6 +634,9 @@ KRB_KTNAME = '<KRB5_KEYTAB_FILE>'

 KRB_AUTO_CREATE_USER = True

+KERBEROS_CCACHE_DIR = os.path.join(DATA_DIR, 'krbccache')
+
+
 ##########################################################################
 # Local config settings
 ##########################################################################
--- a/web/migrations/versions/d0bc9f32b2b9_.py
+++ b/web/migrations/versions/d0bc9f32b2b9_.py
@ -0,0 +1,28 @@
+
+"""empty message
+
+Revision ID: d0bc9f32b2b9
+Revises: c6974f64df08
+Create Date: 2021-04-27 12:40:08.899712
+
+"""
+from alembic import op
+import sqlalchemy as sa
+from pgadmin.model import db
+
+# revision identifiers, used by Alembic.
+revision = 'd0bc9f32b2b9'
+down_revision = 'c6974f64df08'
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    db.engine.execute(
+        'ALTER TABLE server ADD COLUMN kerberos_conn INTEGER DEFAULT 0'
+    )
+
+
+def downgrade():
+    # pgAdmin only upgrades, downgrade not implemented.
+    pass
--- a/web/pgadmin/authenticate/init.py
+++ b/web/pgadmin/authenticate/init.py
@ -13,10 +13,13 @@ import flask
 import pickle
 from flask import current_app, flash, Response, request, url_for,\
    render_template
-from flask_security import current_user
+from flask_babelex import gettext
+from flask_security import current_user, login_required
 from flask_security.views import _security, _ctx
 from flask_security.utils import config_value, get_post_logout_redirect, \
    get_post_login_redirect, logout_user
+from pgadmin.utils.ajax import make_json_response, internal_server_error
+import os

 from flask import session

@ -34,7 +37,9 @@ class AuthenticateModule(PgAdminModule):
    def get_exposed_url_endpoints(self):
        return ['authenticate.login',
                'authenticate.kerberos_login',
-                'authenticate.kerberos_logout']
+                'authenticate.kerberos_logout',
+                'authenticate.kerberos_update_ticket',
+                'authenticate.kerberos_validate_ticket']


 blueprint = AuthenticateModule(MODULE_NAME, __name__, static_url_path='')
@ -55,6 +60,12 @@ def kerberos_login():
@pgCSRFProtect.exempt
 def kerberos_logout():
    logout_user()
+    if 'KRB5CCNAME' in session:
+        # Remove the credential cache
+        cache_file_path = session['KRB5CCNAME'].split(":")[1]
+        if os.path.exists(cache_file_path):
+            os.remove(cache_file_path)
+
    return Response(render_template("browser/kerberos_logout.html",
                                    login_url=url_for('security.login'),
                                    ))
@ -165,6 +176,8 @@ class AuthSourceManager():

            if self.form.data['email'] and self.form.data['password'] and \
                    source.get_source_name() == KERBEROS:
+                msg = gettext('pgAdmin internal user authentication'
+                              ' is not enabled, please contact administrator.')
                continue

            status, msg = source.authenticate(self.form)
@ -173,9 +186,11 @@ class AuthSourceManager():
            # OR When kerberos authentication failed while accessing pgadmin,
            # we need to break the loop as no need to authenticate further
            # even if the authentication sources set to multiple
-            if not status and (hasattr(msg, 'status') and
+            if not status:
+                if (hasattr(msg, 'status') and
                    msg.status == '401 UNAUTHORIZED') or\
-                (source.get_source_name() == KERBEROS and
+                        (source.get_source_name() ==
+                         KERBEROS and
                         request.method == 'GET'):
                    break

@ -224,3 +239,58 @@ def init_app(app):
    AuthSourceRegistry.load_auth_sources()

    return auth_sources
+
+
+@blueprint.route("/kerberos/update_ticket",
+                 endpoint="kerberos_update_ticket", methods=["GET"])
+@pgCSRFProtect.exempt
+@login_required
+def kerberos_update_ticket():
+    """
+    Update the kerberos ticket.
+    """
+    from werkzeug.datastructures import Headers
+    headers = Headers()
+
+    authorization = request.headers.get("Authorization", None)
+
+    if authorization is None:
+        # Send the Negotiate header to the client
+        # if Kerberos ticket is not found.
+        headers.add('WWW-Authenticate', 'Negotiate')
+        return Response("Unauthorised", 401, headers)
+    else:
+        source = get_auth_sources(KERBEROS)
+        auth_header = authorization.split()
+        in_token = auth_header[1]
+
+        # Validate the Kerberos ticket
+        status, context = source.negotiate_start(in_token)
+        if status:
+            return Response("Ticket updated successfully.")
+
+        return Response(context, 500)
+
+
+@blueprint.route("/kerberos/validate_ticket",
+                 endpoint="kerberos_validate_ticket", methods=["GET"])
+@pgCSRFProtect.exempt
+@login_required
+def kerberos_validate_ticket():
+    """
+    Return the kerberos ticket lifetime left after getting the
+    ticket from the credential cache
+    """
+    import gssapi
+
+    try:
+        del_creds = gssapi.Credentials(store={'ccache': session['KRB5CCNAME']})
+        creds = del_creds.acquire(store={'ccache': session['KRB5CCNAME']})
+    except Exception as e:
+        current_app.logger.exception(e)
+        return internal_server_error(errormsg=str(e))
+
+    return make_json_response(
+        data={'ticket_lifetime': creds.lifetime},
+        status=200
+    )
--- a/web/pgadmin/authenticate/kerberos.py
+++ b/web/pgadmin/authenticate/kerberos.py
@ -10,7 +10,7 @@
 """A blueprint module implementing the Spnego/Kerberos authentication."""

 import base64
-from os import environ
+from os import environ, path

 from werkzeug.datastructures import Headers
 from flask_babelex import gettext
@ -128,19 +128,37 @@ class KerberosAuthentication(BaseAuthentication):
        if out_token and not context.complete:
            return False, out_token
        if context.complete:
+            deleg_creds = context.delegated_creds
+            if not hasattr(deleg_creds, 'name'):
+                error_msg = gettext('Delegated credentials not supplied.')
+                current_app.logger.error(error_msg)
+                return False, Exception(error_msg)
+            try:
+                cache_file_path = path.join(
+                    config.KERBEROS_CCACHE_DIR, 'pgadmin_cache_{0}'.format(
+                        deleg_creds.name)
+                )
+                CCACHE = 'FILE:{0}'.format(cache_file_path)
+                store = {'ccache': CCACHE}
+                deleg_creds.store(store, overwrite=True, set_default=True)
+                session['KRB5CCNAME'] = CCACHE
+            except Exception as e:
+                current_app.logger.exception(e)
+                return False, e
+
            return True, context
        else:
            return False, None

    def negotiate_end(self, context):
-        # Free gss_cred_id_t
+        # Free Delegated Credentials
        del_creds = getattr(context, 'delegated_creds', None)
        if del_creds:
            deleg_creds = context.delegated_creds
            del(deleg_creds)

    def __auto_create_user(self, username):
-        """Add the ldap user to the internal SQLite database."""
+        """Add the kerberos user to the internal SQLite database."""
        username = str(username)
        if config.KRB_AUTO_CREATE_USER:
            user = User.query.filter_by(
--- a/web/pgadmin/authenticate/static/js/kerberos.js
+++ b/web/pgadmin/authenticate/static/js/kerberos.js
@ -0,0 +1,59 @@
+import url_for from 'sources/url_for';
+import userInfo from 'pgadmin.user_management.current_user';
+import pgConst from 'pgadmin.browser.constants';
+
+function fetch_ticket() {
+  // Fetch the Kerberos Updated ticket through SPNEGO
+  return fetch(url_for('authenticate.kerberos_update_ticket')
+  )
+    .then(function(response){
+      if (response.status >= 200 && response.status < 300) {
+        return Promise.resolve(response);
+      } else {
+        return Promise.reject(new Error(response.statusText));
+      }
+    });
+}
+
+function fetch_ticket_lifetime () {
+  // Fetch the Kerberos ticket lifetime left
+
+  return fetch(url_for('authenticate.kerberos_validate_ticket')
+  )
+    .then(
+      function(response){
+        if (response.status >= 200 && response.status < 300) {
+          return response.json();
+        } else {
+          return Promise.reject(new Error(response.statusText));
+        }
+      }
+    )
+    .then(function(response){
+      let ticket_lifetime = response.data.ticket_lifetime;
+      if (ticket_lifetime > 0) {
+        return Promise.resolve(ticket_lifetime);
+      } else {
+        return Promise.reject();
+      }
+    });
+
+}
+
+function validate_kerberos_ticket() {
+  // Ping pgAdmin server every 10 seconds
+  // to fetch the Kerberos ticket lifetime left
+  if (userInfo['current_auth_source'] != pgConst['KERBEROS']) return;
+
+  return setInterval(function() {
+    let newPromise = fetch_ticket_lifetime();
+    newPromise.then(
+      function() {
+        return;
+      },
+      fetch_ticket
+    );
+  }, 10000);
+}
+
+export {fetch_ticket, validate_kerberos_ticket, fetch_ticket_lifetime};
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@ -50,7 +50,7 @@ from pgadmin.utils.master_password import validate_master_password, \
    set_crypt_key, process_masterpass_disabled
 from pgadmin.model import User
 from pgadmin.utils.constants import MIMETYPE_APP_JS, PGADMIN_NODE,\
-    INTERNAL, KERBEROS
+    INTERNAL, KERBEROS, LDAP

 try:
    from flask_security.views import default_render_json
@ -197,7 +197,8 @@ class BrowserModule(PgAdminModule):
        for name, script in [
            [PGADMIN_BROWSER, 'js/browser'],
            ['pgadmin.browser.endpoints', 'js/endpoints'],
-            ['pgadmin.browser.error', 'js/error']
+            ['pgadmin.browser.error', 'js/error'],
+            ['pgadmin.browser.constants', 'js/constants']
        ]:
            scripts.append({
                'name': name,
@ -864,6 +865,18 @@ def exposed_urls():
    )


+@blueprint.route("/js/constants.js")
+@pgCSRFProtect.exempt
+def app_constants():
+    return make_response(
+        render_template('browser/js/constants.js',
+                        INTERNAL=INTERNAL,
+                        LDAP=LDAP,
+                        KERBEROS=KERBEROS),
+        200, {'Content-Type': MIMETYPE_APP_JS}
+    )
+
+
@blueprint.route("/js/error.js")
@pgCSRFProtect.exempt
@login_required
--- a/web/pgadmin/browser/server_groups/servers/init.py
+++ b/web/pgadmin/browser/server_groups/servers/init.py
@ -253,7 +253,8 @@ class ServerModule(sg.ServerGroupPluginModule):
                errmsg=errmsg,
                user_id=server.user_id,
                user_name=server.username,
-                shared=server.shared
+                shared=server.shared,
+                is_kerberos_conn=bool(server.kerberos_conn),
            )

    @property
@ -547,7 +548,8 @@ class ServerNode(PGChildNodeView):
                    if server.tunnel_password is not None else False,
                    errmsg=errmsg,
                    user_name=server.username,
-                    shared=server.shared
+                    shared=server.shared,
+                    is_kerberos_conn=bool(server.kerberos_conn)
                )
            )

@ -614,7 +616,8 @@ class ServerNode(PGChildNodeView):
                if server.tunnel_password is not None else False,
                errmsg=errmsg,
                shared=server.shared,
-                user_name=server.username
+                user_name=server.username,
+                is_kerberos_conn=bool(server.kerberos_conn)
            ),
        )

@ -721,7 +724,8 @@ class ServerNode(PGChildNodeView):
            'tunnel_username': 'tunnel_username',
            'tunnel_authentication': 'tunnel_authentication',
            'tunnel_identity_file': 'tunnel_identity_file',
-            'shared': 'shared'
+            'shared': 'shared',
+            'kerberos_conn': 'kerberos_conn',
        }

        disp_lbl = {
@ -985,7 +989,8 @@ class ServerNode(PGChildNodeView):
            'tunnel_username': tunnel_username,
            'tunnel_identity_file': server.tunnel_identity_file
            if server.tunnel_identity_file else None,
-            'tunnel_authentication': tunnel_authentication
+            'tunnel_authentication': tunnel_authentication,
+            'kerberos_conn': bool(server.kerberos_conn),
        }

        return ajax_response(response)
@ -1072,7 +1077,8 @@ class ServerNode(PGChildNodeView):
                tunnel_authentication=data.get('tunnel_authentication', 0),
                tunnel_identity_file=data.get('tunnel_identity_file', None),
                shared=data.get('shared', None),
-                passfile=data.get('passfile', None)
+                passfile=data.get('passfile', None),
+                kerberos_conn=1 if data.get('kerberos_conn', False) else 0,
            )
            db.session.add(server)
            db.session.commit()
@ -1154,7 +1160,8 @@ class ServerNode(PGChildNodeView):
                    else 'pg',
                    version=manager.version
                    if manager and manager.version
-                    else None
+                    else None,
+                    is_kerberos_conn=bool(server.kerberos_conn),
                )
            )

@ -1348,7 +1355,7 @@ class ServerNode(PGChildNodeView):
                except Exception as e:
                    current_app.logger.exception(e)
                    return internal_server_error(errormsg=str(e))
-        if 'password' not in data:
+        if 'password' not in data and server.kerberos_conn is False:
            conn_passwd = getattr(conn, 'password', None)
            if conn_passwd is None and not server.save_password and \
                    server.passfile is None and server.service is None:
@ -1400,6 +1407,9 @@ class ServerNode(PGChildNodeView):
                "Could not connect to server(#{0}) - '{1}'.\nError: {2}"
                .format(server.id, server.name, errmsg)
            )
+            if errmsg.find('Ticket expired') != -1:
+                return internal_server_error(errmsg)
+
            return self.get_response_for_password(server, 401, True,
                                                  True, errmsg)
        else:
@ -1467,6 +1477,7 @@ class ServerNode(PGChildNodeView):
                    'is_password_saved': bool(server.save_password),
                    'is_tunnel_password_saved': True
                    if server.tunnel_password is not None else False,
+                    'is_kerberos_conn': bool(server.kerberos_conn),
                }
            )

--- a/web/pgadmin/browser/server_groups/servers/databases/init.py
+++ b/web/pgadmin/browser/server_groups/servers/databases/init.py
@ -490,6 +490,7 @@ class DatabaseView(PGChildNodeView):
                        did, errmsg
                    )
                )
+
                return internal_server_error(errmsg)
            else:
                current_app.logger.info(
--- a/web/pgadmin/browser/server_groups/servers/databases/static/js/database.js
+++ b/web/pgadmin/browser/server_groups/servers/databases/static/js/database.js
@ -10,9 +10,10 @@
 define('pgadmin.node.database', [
  'sources/gettext', 'sources/url_for', 'jquery', 'underscore',
  'sources/utils', 'sources/pgadmin', 'pgadmin.browser.utils',
-  'pgadmin.alertifyjs', 'pgadmin.backform', 'pgadmin.browser.collection',
+  'pgadmin.alertifyjs', 'pgadmin.backform',
+  'pgadmin.authenticate.kerberos', 'pgadmin.browser.collection',
  'pgadmin.browser.server.privilege', 'pgadmin.browser.server.variable',
-], function(gettext, url_for, $, _, pgadminUtils, pgAdmin, pgBrowser, Alertify, Backform) {
+], function(gettext, url_for, $, _, pgadminUtils, pgAdmin, pgBrowser, Alertify, Backform, Kerberos) {

  if (!pgBrowser.Nodes['coll-database']) {
    pgBrowser.Nodes['coll-database'] =
@ -556,6 +557,20 @@ define('pgadmin.node.database', [
          onFailure = function(
            xhr, status, error, _model, _data, _tree, _item, _status
          ) {
+            if (xhr.status != 200 && xhr.responseText.search('Ticket expired') !== -1) {
+              tree.addIcon(_item, {icon: 'icon-server-connecting'});
+              let fetchTicket = Kerberos.fetch_ticket();
+              fetchTicket.then(
+                function() {
+                  connect_to_database(_model, _data, _tree, _item, _wasConnected);
+                },
+                function(error) {
+                  tree.setInode(_item);
+                  tree.addIcon(_item, {icon: 'icon-database-not-connected'});
+                  Alertify.pgNotifier(error, xhr, gettext('Connect  to database.'));
+                }
+              );
+            } else {
              if (!_status) {
                tree.setInode(_item);
                tree.addIcon(_item, {icon: 'icon-database-not-connected'});
@ -574,6 +589,7 @@ define('pgadmin.node.database', [
                  }
                }, 100);
              });
+            }
          },
          onSuccess = function(
            res, model, _data, _tree, _item, _connected
@ -640,6 +656,7 @@ define('pgadmin.node.database', [
          if (xhr.status === 410) {
            error = gettext('Error: Object not found - %s.', error);
          }
+
          return onFailure(
            xhr, status, error, obj, data, tree, item, wasConnected
          );
--- a/web/pgadmin/browser/server_groups/servers/static/js/server.js
+++ b/web/pgadmin/browser/server_groups/servers/static/js/server.js
@ -13,11 +13,13 @@ define('pgadmin.node.server', [
  'pgadmin.server.supported_servers', 'pgadmin.user_management.current_user',
  'pgadmin.alertifyjs', 'pgadmin.backform',
  'sources/browser/server_groups/servers/model_validation',
+  'pgadmin.authenticate.kerberos',
+  'pgadmin.browser.constants',
  'pgadmin.browser.server.privilege',
 ], function(
  gettext, url_for, $, _, Backbone, pgAdmin, pgBrowser,
  supported_servers, current_user, Alertify, Backform,
-  modelValidation
+  modelValidation, Kerberos, pgConst,
 ) {

  if (!pgBrowser.Nodes['server']) {
@ -904,20 +906,36 @@ define('pgadmin.node.server', [
              }
            },
          }),
+        },{
+          id: 'kerberos_conn', label: gettext('Kerberos authentication?'), type: 'switch',
+          group: gettext('Connection'), 'options': {
+            'onText':  gettext('True'), 'offText':  gettext('False'), 'size': 'mini',
+          }, disabled: function() {
+            if (current_user['current_auth_source'] != pgConst['KERBEROS'])
+              return true;
+            return false;
+          },
        },{
          id: 'password', label: gettext('Password'), type: 'password', maxlength: null,
-          group: gettext('Connection'), control: 'input', mode: ['create'], deps: ['connect_now'],
+          group: gettext('Connection'), control: 'input', mode: ['create'],
+          deps: ['connect_now', 'kerberos_conn'],
          visible: function(model) {
            return model.get('connect_now') && model.isNew();
          },
+          disabled: function(model) {
+            if (model.get('kerberos_conn'))
+              return true;
+
+            return false;
+          },
        },{
          id: 'save_password', controlLabel: gettext('Save password?'),
          type: 'checkbox', group: gettext('Connection'), mode: ['create'],
-          deps: ['connect_now'], visible: function(model) {
+          deps: ['connect_now', 'kerberos_conn'], visible: function(model) {
            return model.get('connect_now') && model.isNew();
          },
-          disabled: function() {
-            if (!current_user.allow_save_password)
+          disabled: function(model) {
+            if (!current_user.allow_save_password || model.get('kerberos_conn'))
              return true;

            return false;
@ -1279,7 +1297,19 @@ define('pgadmin.node.server', [
            }

          }
-
+          if (xhr.status != 200 && xhr.responseText.search('Ticket expired') !== -1) {
+            tree.addIcon(_item, {icon: 'icon-server-connecting'});
+            let fetchTicket = Kerberos.fetch_ticket();
+            fetchTicket.then(
+              function() {
+                connect_to_server(_node, _data, _tree, _item, _wasConnected);
+              },
+              function() {
+                tree.addIcon(_item, {icon: 'icon-server-not-connected'});
+                Alertify.pgNotifier('Connection error', xhr, gettext('Connect to server.'));
+              }
+            );
+          } else {
            Alertify.pgNotifier('error', xhr, error, function(msg) {
              setTimeout(function() {
                if (msg == 'CRYPTKEY_SET') {
@ -1292,6 +1322,7 @@ define('pgadmin.node.server', [
                }
              }, 100);
            });
+          }
        },
        onSuccess = function(res, node, _data, _tree, _item, _wasConnected) {
          if (res && res.data) {
--- a/web/pgadmin/browser/static/js/browser.js
+++ b/web/pgadmin/browser/static/js/browser.js
@ -12,19 +12,22 @@ define('pgadmin.browser', [
  'sources/gettext', 'sources/url_for', 'require', 'jquery', 'underscore',
  'bootstrap', 'sources/pgadmin', 'pgadmin.alertifyjs', 'bundled_codemirror',
  'sources/check_node_visibility', './toolbar', 'pgadmin.help',
-  'sources/csrf', 'sources/utils', 'sources/window', 'pgadmin.browser.utils',
-  'wcdocker', 'jquery.contextmenu', 'jquery.aciplugin', 'jquery.acitree',
+  'sources/csrf', 'sources/utils', 'sources/window', 'pgadmin.authenticate.kerberos',
+  'pgadmin.browser.utils', 'wcdocker', 'jquery.contextmenu', 'jquery.aciplugin',
+  'jquery.acitree',
  'pgadmin.browser.preferences', 'pgadmin.browser.messages',
  'pgadmin.browser.menu', 'pgadmin.browser.panel', 'pgadmin.browser.layout',
  'pgadmin.browser.runtime', 'pgadmin.browser.error', 'pgadmin.browser.frame',
  'pgadmin.browser.node', 'pgadmin.browser.collection', 'pgadmin.browser.activity',
  'sources/codemirror/addon/fold/pgadmin-sqlfoldcode',
-  'pgadmin.browser.keyboard', 'sources/tree/pgadmin_tree_save_state','jquery.acisortable', 'jquery.acifragment',
+  'pgadmin.browser.keyboard', 'sources/tree/pgadmin_tree_save_state','jquery.acisortable',
+  'jquery.acifragment',
 ], function(
  tree,
  gettext, url_for, require, $, _,
  Bootstrap, pgAdmin, Alertify, codemirror,
-  checkNodeVisibility, toolBar, help, csrfToken, pgadminUtils, pgWindow
+  checkNodeVisibility, toolBar, help, csrfToken, pgadminUtils, pgWindow,
+  Kerberos
 ) {
  window.jQuery = window.$ = $;
  // Some scripts do export their object in the window only.
@ -38,6 +41,8 @@ define('pgadmin.browser', [

  csrfToken.setPGCSRFToken(pgAdmin.csrf_token_header, pgAdmin.csrf_token);

+  Kerberos.validate_kerberos_ticket();
+
  var panelEvents = {};
  panelEvents[wcDocker.EVENT.VISIBILITY_CHANGED] = function() {
    if (this.isVisible()) {
--- a/web/pgadmin/browser/templates/browser/js/constants.js
+++ b/web/pgadmin/browser/templates/browser/js/constants.js
@ -0,0 +1,17 @@
+/////////////////////////////////////////////////////////////
+//
+// pgAdmin 4 - PostgreSQL Tools
+//
+// Copyright (C) 2013 - 2021, The pgAdmin Development Team
+// This software is released under the PostgreSQL Licence
+//
+//////////////////////////////////////////////////////////////
+
+
+define('pgadmin.browser.constants', [], function() {
+  return {
+    'INTERNAL': '{{ INTERNAL }}',
+    'LDAP': '{{ LDAP }}',
+    'KERBEROS': '{{ KERBEROS }}'
+  }
+});
--- a/web/pgadmin/browser/tests/test_kerberos_with_mocking.py
+++ b/web/pgadmin/browser/tests/test_kerberos_with_mocking.py
@ -12,6 +12,7 @@ from pgadmin.utils.route import BaseTestGenerator
 from regression.python_test_utils import test_utils as utils
 from pgadmin.authenticate.registry import AuthSourceRegistry
 from unittest.mock import patch, MagicMock
+from werkzeug.datastructures import Headers


 class KerberosLoginMockTestCase(BaseTestGenerator):
@ -30,6 +31,11 @@ class KerberosLoginMockTestCase(BaseTestGenerator):
            auth_source=['kerberos'],
            auto_create_user=True,
            flag=2
+        )),
+        ('Spnego/Kerberos Update Ticket', dict(
+            auth_source=['kerberos'],
+            auto_create_user=True,
+            flag=3
        ))
    ]

@ -54,8 +60,13 @@ class KerberosLoginMockTestCase(BaseTestGenerator):
                self.skipTest(
                    "Can not run Kerberos Authentication in the Desktop mode."
                )
-
            self.test_authorized()
+        elif self.flag == 3:
+            if app_config.SERVER_MODE is False:
+                self.skipTest(
+                    "Can not run Kerberos Authentication in the Desktop mode."
+                )
+            self.test_update_ticket()

    def test_unauthorized(self):
        """
@ -73,13 +84,7 @@ class KerberosLoginMockTestCase(BaseTestGenerator):
        passed on to the routed method.
        """

-        class delCrads:
-            def __init__(self):
-                self.initiator_name = 'user@PGADMIN.ORG'
-        del_crads = delCrads()
-
-        AuthSourceRegistry.registry['kerberos'].negotiate_start = MagicMock(
-            return_value=[True, del_crads])
+        del_crads = self.mock_negotiate_start()
        res = self.tester.login(None,
                                None,
                                True,
@ -89,6 +94,33 @@ class KerberosLoginMockTestCase(BaseTestGenerator):
        respdata = 'Gravatar image for %s' % del_crads.initiator_name
        self.assertTrue(respdata in res.data.decode('utf8'))

+    def mock_negotiate_start(self):
+        class delCrads:
+            def __init__(self):
+                self.initiator_name = 'user@PGADMIN.ORG'
+
+        del_crads = delCrads()
+
+        AuthSourceRegistry.registry['kerberos'].negotiate_start = MagicMock(
+            return_value=[True, del_crads])
+        return del_crads
+
+    def test_update_ticket(self):
+        # Response header should include the Negotiate header in the first call
+        response = self.tester.get('/authenticate/kerberos/update_ticket')
+        self.assertEqual(response.status_code, 401)
+        self.assertEqual(response.headers.get('www-authenticate'), 'Negotiate')
+
+        # When we send the Kerberos Ticket, it should return  success
+        del_crads = self.mock_negotiate_start()
+
+        krb_token = Headers({})
+        krb_token['Authorization'] = 'Negotiate CTOKEN'
+
+        response = self.tester.get('/authenticate/kerberos/update_ticket',
+                                   headers=krb_token)
+        self.assertEqual(response.status_code, 200)
+
    def tearDown(self):
        self.app.PGADMIN_EXTERNAL_AUTH_SOURCE = 'ldap'

--- a/web/pgadmin/misc/bgprocess/processes.py
+++ b/web/pgadmin/misc/bgprocess/processes.py
@ -24,10 +24,11 @@ import logging
 from pgadmin.utils import u_encode, file_quote, fs_encoding, \
    get_complete_file_path, get_storage_directory, IS_WIN
 from pgadmin.browser.server_groups.servers.utils import does_server_exists
+from pgadmin.utils.constants import KERBEROS

 import pytz
 from dateutil import parser
-from flask import current_app
+from flask import current_app, session
 from flask_babelex import gettext as _
 from flask_security import current_user

@ -278,13 +279,16 @@ class BatchProcess(object):
        env['PROCID'] = self.id
        env['OUTDIR'] = self.log_dir
        env['PGA_BGP_FOREGROUND'] = "1"
+        if config.SERVER_MODE and session and \
+                session['_auth_source_manager_obj']['current_source'] == \
+                KERBEROS:
+            env['KRB5CCNAME'] = session['KRB5CCNAME']

        if self.env:
            env.update(self.env)

        if cb is not None:
            cb(env)
-
        if os.name == 'nt':
            DETACHED_PROCESS = 0x00000008
            from subprocess import CREATE_NEW_PROCESS_GROUP
--- a/web/pgadmin/model/init.py
+++ b/web/pgadmin/model/init.py
@ -29,7 +29,7 @@ from flask_sqlalchemy import SQLAlchemy
 #
 ##########################################################################

-SCHEMA_VERSION = 28
+SCHEMA_VERSION = 29

 ##########################################################################
 #
@ -184,6 +184,7 @@ class Server(db.Model):
    tunnel_identity_file = db.Column(db.String(64), nullable=True)
    tunnel_password = db.Column(db.String(64), nullable=True)
    shared = db.Column(db.Boolean(), nullable=False)
+    kerberos_conn = db.Column(db.Boolean(), nullable=False)

    @property
    def serialize(self):
--- a/web/pgadmin/setup/data_directory.py
+++ b/web/pgadmin/setup/data_directory.py
@ -9,6 +9,8 @@

 import os
 import getpass
+from flask import current_app
+from pgadmin.utils.constants import KERBEROS

 FAILED_CREATE_DIR = \
    "ERROR  : Failed to create the directory {}:\n           {}"
@ -104,3 +106,20 @@ def create_app_data_directory(config):
                getpass.getuser(),
                config.APP_VERSION))
        exit(1)
+
+    # Create Kerberos Credential Cache directory (if not present).
+    if config.SERVER_MODE and KERBEROS in config.AUTHENTICATION_SOURCES:
+        try:
+            _create_directory_if_not_exists(config.KERBEROS_CCACHE_DIR)
+        except PermissionError as e:
+            print(FAILED_CREATE_DIR.format(config.KERBEROS_CCACHE_DIR, e))
+            print(
+                "HINT   : Create the directory {}, ensure it is writable by\n"
+                "'{}', and try again, or, create a config_local.py file\n"
+                " and override the KERBEROS_CCACHE_DIR setting per\n"
+                " https://www.pgadmin.org/docs/pgadmin4/{}/config_py.html".
+                format(
+                    config.KERBEROS_CCACHE_DIR,
+                    getpass.getuser(),
+                    config.APP_VERSION))
+            exit(1)
--- a/web/pgadmin/templates/base.html
+++ b/web/pgadmin/templates/base.html
@ -48,6 +48,7 @@
                    'pgadmin.browser.utils': "{{ url_for('browser.index') }}" + "js/utils",
                    'pgadmin.browser.endpoints': "{{ url_for('browser.index') }}" + "js/endpoints",
                    'pgadmin.browser.messages': "{{ url_for('browser.index') }}" + "js/messages",
+                    'pgadmin.browser.constants': "{{ url_for('browser.index') }}" + "js/constants",
                    'pgadmin.server.supported_servers': "{{ url_for('browser.index') }}" + "server/supported_servers",
                    'pgadmin.user_management.current_user': "{{ url_for('user_management.index') }}" + "current_user",
                    'translations': "{{ url_for('tools.index') }}" + "translations"
--- a/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js
+++ b/web/pgadmin/tools/backup/static/js/backup_dialog_wrapper.js
@ -13,6 +13,8 @@ import gettext from '../../../../static/js/gettext';
 import url_for from '../../../../static/js/url_for';
 import _ from 'underscore';
 import {DialogWrapper} from '../../../../static/js/alertify/dialog_wrapper';
+import {fetch_ticket_lifetime} from  '../../../../authenticate/static/js/kerberos';
+import userInfo from 'pgadmin.user_management.current_user';

 export class BackupDialogWrapper extends DialogWrapper {
  constructor(dialogContainerSelector, dialogTitle, typeOfDialog,
@ -165,10 +167,29 @@ export class BackupDialogWrapper extends DialogWrapper {
      );

      this.setExtraParameters(selectedTreeNode, treeInfo);
+      let backupDate = this.view.model.toJSON();
+
+      if(userInfo['auth_sources'] == 'KERBEROS' && (backupDate.type == 'globals' || backupDate.type == 'server')) {
+        let newPromise = fetch_ticket_lifetime();
+        newPromise.then(
+          function(lifetime) {
+            if (lifetime < 1800 && lifetime  > 0) {
+              dialog.alertify.warning(
+                'You have '+ (Math.round(parseInt(lifetime)/60)).toString() +' minutes left on your ticket - if the dump takes longer than that, it may fail."'
+              );
+            }
+          },
+          function() {
+            dialog.alertify.warning(
+              gettext('Please renew your kerberos ticket, it has been expired.')
+            );
+          }
+        );
+      }

      axios.post(
        baseUrl,
-        this.view.model.toJSON()
+        backupDate
      ).then(function (res) {
        if (res.data.success) {
          dialog.alertify.success(gettext('Backup job created.'), 5);
--- a/web/pgadmin/tools/debugger/static/js/debugger.js
+++ b/web/pgadmin/tools/debugger/static/js/debugger.js
@ -13,11 +13,11 @@ define([
  'backbone', 'pgadmin.backgrid', 'codemirror', 'pgadmin.backform',
  'pgadmin.tools.debugger.ui', 'pgadmin.tools.debugger.utils',
  'tools/datagrid/static/js/show_query_tool', 'sources/utils',
-  'wcdocker', 'pgadmin.browser.frame',
+  'pgadmin.authenticate.kerberos', 'wcdocker', 'pgadmin.browser.frame',
 ], function(
  gettext, url_for, $, _, Alertify, pgAdmin, pgBrowser, Backbone, Backgrid,
  CodeMirror, Backform, get_function_arguments, debuggerUtils, showQueryTool,
-  pgadminUtils,
+  pgadminUtils, Kerberos
 ) {
  var pgTools = pgAdmin.Tools = pgAdmin.Tools || {},
    wcDocker = window.wcDocker;
@ -472,9 +472,21 @@ define([
        .fail(function(xhr) {
          try {
            var err = JSON.parse(xhr.responseText);
+            if (err.errormsg.search('Ticket expired') !== -1) {
+              let fetchTicket = Kerberos.fetch_ticket();
+              fetchTicket.then(
+                function() {
+                  self.start_global_debugger();
+                },
+                function(error) {
+                  Alertify.alert(gettext('Debugger Error'), error);
+                }
+              );
+            } else {
              if (err.success == 0) {
                Alertify.alert(gettext('Debugger Error'), err.errormsg);
              }
+            }
          } catch (e) {
            console.warn(e.stack || e);
          }
--- a/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
+++ b/web/pgadmin/tools/sqleditor/static/js/sqleditor.js
@ -51,6 +51,7 @@ define('tools.querytool', [
  'sources/window',
  'sources/is_native',
  'sources/sqleditor/macro',
+  'pgadmin.authenticate.kerberos',
  'sources/../bundle/slickgrid',
  'pgadmin.file_manager',
  'slick.pgadmin.formatters',
@ -65,7 +66,7 @@ define('tools.querytool', [
  GeometryViewer, historyColl, queryHist, querySources,
  keyboardShortcuts, queryToolActions, queryToolNotifications, Datagrid,
  modifyAnimation, calculateQueryRunTime, callRenderAfterPoll, queryToolPref, queryTxnStatus, csrfToken, panelTitleFunc,
-  pgWindow, isNative, MacroHandler) {
+  pgWindow, isNative, MacroHandler, Kerberos) {
  /* Return back, this has been called more than once */
  if (pgAdmin.SqlEditor)
    return pgAdmin.SqlEditor;
@ -2454,10 +2455,24 @@ define('tools.querytool', [
              pgBrowser.report_error(gettext('Error fetching rows - %s.', xhr.statusText), xhr.responseJSON.errormsg, undefined, self.close.bind(self));
            }
          } else {
+            if (xhr.responseText.search('Ticket expired') !== -1) {
+              let fetchTicket = Kerberos.fetch_ticket();
+              fetchTicket.then(
+                function() {
+                  self.initTransaction();
+                },
+                function(error) {
                  pgBrowser.Events.trigger(
                    'pgadmin:query_tool:connected_fail:' + self.transId, xhr, error
                  );
                }
+              );
+            } else {
+              pgBrowser.Events.trigger(
+                'pgadmin:query_tool:connected_fail:' + self.transId, xhr, error
+              );
+            }
+          }
        });
      },

--- a/web/pgadmin/tools/user_management/init.py
+++ b/web/pgadmin/tools/user_management/init.py
@ -25,7 +25,7 @@ from pgadmin.utils.ajax import make_response as ajax_response, \
    make_json_response, bad_request, internal_server_error, forbidden
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.utils.constants import MIMETYPE_APP_JS, INTERNAL,\
-    SUPPORTED_AUTH_SOURCES, KERBEROS
+    SUPPORTED_AUTH_SOURCES, KERBEROS, LDAP
 from pgadmin.utils.validation_utils import validate_email
 from pgadmin.model import db, Role, User, UserPreference, Server, \
    ServerGroup, Process, Setting, roles_users, SharedServer
@ -157,7 +157,6 @@ def script():
@pgCSRFProtect.exempt
@login_required
 def current_user_info():
-
    return Response(
        response=render_template(
            "user_management/js/current_user.js",
@ -176,7 +175,9 @@ def current_user_info():
            allow_save_tunnel_password='true' if
            config.ALLOW_SAVE_TUNNEL_PASSWORD and session[
                'allow_save_password'] else 'false',
-            auth_sources=config.AUTHENTICATION_SOURCES
+            auth_sources=config.AUTHENTICATION_SOURCES,
+            current_auth_source=session['_auth_source_manager_obj'][
+                'current_source'] if config.SERVER_MODE is True else INTERNAL
        ),
        status=200,
        mimetype=MIMETYPE_APP_JS
--- a/web/pgadmin/tools/user_management/static/js/user_management.js
+++ b/web/pgadmin/tools/user_management/static/js/user_management.js
@ -10,11 +10,11 @@
 define([
  'sources/gettext', 'sources/url_for', 'jquery', 'underscore', 'pgadmin.alertifyjs',
  'pgadmin.browser', 'backbone', 'backgrid', 'backform', 'pgadmin.browser.node', 'pgadmin.backform',
-  'pgadmin.user_management.current_user', 'sources/utils',
+  'pgadmin.user_management.current_user', 'sources/utils', 'pgadmin.browser.constants',
  'backgrid.select.all', 'backgrid.filter',
 ], function(
  gettext, url_for, $, _, alertify, pgBrowser, Backbone, Backgrid, Backform,
-  pgNode, pgBackform, userInfo, commonUtils,
+  pgNode, pgBackform, userInfo, commonUtils, pgConst,
 ) {

  // if module is already initialized, refer to that.
@ -25,7 +25,9 @@ define([
  var USERURL = url_for('user_management.users'),
    ROLEURL = url_for('user_management.roles'),
    SOURCEURL = url_for('user_management.auth_sources'),
-    DEFAULT_AUTH_SOURCE = 'internal',
+    DEFAULT_AUTH_SOURCE = pgConst['INTERNAL'],
+    LDAP = pgConst['LDAP'],
+    KERBEROS = pgConst['KERBEROS'],
    AUTH_ONLY_INTERNAL = (userInfo['auth_sources'].length  == 1 && userInfo['auth_sources'].includes(DEFAULT_AUTH_SOURCE)) ? true : false,
    userFilter = function(collection) {
      return (new Backgrid.Extension.ClientSideFilter({
@ -589,7 +591,17 @@ define([
              }
            } else {
              if (!!this.get('username') && this.collection.nonFilter.where({
-                'username': this.get('username'), 'auth_source': 'ldap',
+                'username': this.get('username'), 'auth_source': LDAP,
+              }).length > 1) {
+                errmsg = gettext('The username %s already exists.',
+                  this.get('username')
+                );
+
+                this.errorModel.set('username', errmsg);
+                return errmsg;
+              }
+              else if (!!this.get('username') && this.collection.nonFilter.where({
+                'username': this.get('username'), 'auth_source': KERBEROS,
              }).length > 1) {
                errmsg = gettext('The username %s already exists.',
                  this.get('username')
@ -1041,7 +1053,7 @@ define([
                  saveUser: function(m) {
                    var d = m.toJSON(true);

-                    if((m.isNew() && m.get('auth_source') == 'ldap' && (!m.get('username') || !m.get('auth_source') || !m.get('role')))
+                    if((m.isNew() && (m.get('auth_source') == LDAP || m.get('auth_source') == KERBEROS) && (!m.get('username') || !m.get('auth_source') || !m.get('role')))
                      || (m.isNew() && m.get('auth_source') == DEFAULT_AUTH_SOURCE &&  (!m.get('email') || !m.get('role') ||
                          !m.get('newPassword') || !m.get('confirmPassword') || m.get('newPassword') != m.get('confirmPassword')))
                      || (!m.isNew() && m.get('newPassword') != m.get('confirmPassword'))) {
--- a/web/pgadmin/tools/user_management/templates/user_management/js/current_user.js
+++ b/web/pgadmin/tools/user_management/templates/user_management/js/current_user.js
@ -15,6 +15,7 @@ define('pgadmin.user_management.current_user', [], function() {
        'name': '{{ name }}',
        'allow_save_password': {{ allow_save_password }},
        'allow_save_tunnel_password': {{ allow_save_tunnel_password }},
-        'auth_sources': {{ auth_sources }}
+        'auth_sources': {{ auth_sources }},
+        'current_auth_source': '{{ current_auth_source }}'
    }
 });
--- a/web/pgadmin/utils/driver/psycopg2/connection.py
+++ b/web/pgadmin/utils/driver/psycopg2/connection.py
@ -18,11 +18,13 @@ import select
 import datetime
 from collections import deque
 import psycopg2
-from flask import g, current_app
+import threading
+from flask import g, current_app, session
 from flask_babelex import gettext
 from flask_security import current_user
 from pgadmin.utils.crypto import decrypt, encrypt
 from psycopg2.extensions import encodings
+from os import environ

 import config
 from pgadmin.model import User
@ -38,6 +40,9 @@ from .encoding import get_encoding, configure_driver_encodings
 from pgadmin.utils import csv
 from pgadmin.utils.master_password import get_crypt_key
 from io import StringIO
+from pgadmin.utils.constants import KERBEROS
+
+lock = threading.Lock()

 _ = gettext

@ -313,6 +318,13 @@ class Connection(BaseConnection):
            os.environ['PGAPPNAME'] = '{0} - {1}'.format(
                config.APP_NAME, conn_id)

+            if config.SERVER_MODE and \
+                    session['_auth_source_manager_obj']['current_source'] == \
+                    KERBEROS and 'KRB5CCNAME' in session\
+                    and manager.kerberos_conn:
+                lock.acquire()
+                environ['KRB5CCNAME'] = session['KRB5CCNAME']
+
            pg_conn = psycopg2.connect(
                host=manager.local_bind_host if manager.use_ssh_tunnel
                else manager.host,
@ -340,7 +352,13 @@ class Connection(BaseConnection):
            if self.async_ == 1:
                self._wait(pg_conn)

+            if config.SERVER_MODE and \
+                    session['_auth_source_manager_obj']['current_source'] == \
+                    KERBEROS:
+                environ['KRB5CCNAME'] = ''
+
        except psycopg2.Error as e:
+            environ['KRB5CCNAME'] = ''
            manager.stop_ssh_tunnel()
            if e.pgerror:
                msg = e.pgerror
@ -358,6 +376,11 @@ class Connection(BaseConnection):
                )
            )
            return False, msg
+        finally:
+            if config.SERVER_MODE and \
+                    session['_auth_source_manager_obj']['current_source'] == \
+                    KERBEROS and lock.locked():
+                lock.release()

        # Overwrite connection notice attr to support
        # more than 50 notices at a time
@ -1438,7 +1461,6 @@ Failed to reset the connection to the server due to following error:
        Args:
            conn: connection object
        """
-
        while True:
            state = conn.poll()
            if state == psycopg2.extensions.POLL_OK:
--- a/web/pgadmin/utils/driver/psycopg2/server_manager.py
+++ b/web/pgadmin/utils/driver/psycopg2/server_manager.py
@ -105,6 +105,7 @@ class ServerManager(object):
            self.tunnel_identity_file = None
            self.tunnel_password = None

+        self.kerberos_conn = server.kerberos_conn
        for con in self.connections:
            self.connections[con]._release()

--- a/web/pgadmin/utils/master_password.py
+++ b/web/pgadmin/utils/master_password.py
@ -34,7 +34,7 @@ def get_crypt_key():
            and not config.SERVER_MODE and enc_key is None:
        return False, None
    elif config.SERVER_MODE and \
-            session['_auth_source_manager_obj']['source_friendly_name']\
+            session['_auth_source_manager_obj']['current_source']\
            == KERBEROS:
        return True, session['kerberos_key'] if 'kerberos_key' in session \
            else None
--- a/web/webpack.shim.js
+++ b/web/webpack.shim.js
@ -174,11 +174,13 @@ var webpackShimConfig = {
    'pgadmin.backgrid': path.join(__dirname, './pgadmin/static/js/backgrid.pgadmin'),

    'pgadmin.about': path.join(__dirname, './pgadmin/about/static/js/about'),
+    'pgadmin.authenticate.kerberos': path.join(__dirname, './pgadmin/authenticate/static/js/kerberos'),
    'pgadmin.browser': path.join(__dirname, './pgadmin/browser/static/js/browser'),
    'pgadmin.browser.bgprocess': path.join(__dirname, './pgadmin/misc/bgprocess/static/js/bgprocess'),
    'pgadmin.browser.collection': path.join(__dirname, './pgadmin/browser/static/js/collection'),
    'pgadmin.browser.datamodel': path.join(__dirname, './pgadmin/browser/static/js/datamodel'),
    'pgadmin.browser.endpoints': '/browser/js/endpoints',
+    'pgadmin.browser.constants': '/browser/js/constants',
    'pgadmin.browser.error': path.join(__dirname, './pgadmin/browser/static/js/error'),
    'pgadmin.browser.frame': path.join(__dirname, './pgadmin/browser/static/js/frame'),
    'pgadmin.browser.keyboard': path.join(__dirname, './pgadmin/browser/static/js/keyboard'),
@ -300,6 +302,7 @@ var webpackShimConfig = {
    'pgadmin.browser.messages',
    'pgadmin.browser.utils',
    'pgadmin.server.supported_servers',
+    'pgadmin.browser.constants',
  ],
  // Define list of pgAdmin common libraries to bundle them separately
  // into commons JS from app.bundle.js