# Troubleshoot Active Directory integration in AlloyDB Omni

This document describes errors that you might encounter when you integrate Active Directory with AlloyDB Omni, with examples of each error and its recommended fix.

Active Directory integration with AlloyDB Omni fails
----------------------------------------------------

When Active Directory authentication isn't working, follow these steps to resolve the issue:

1. Verify the keytab file.

   Make sure that you can authenticate to the Active Directory server using the keytab that you obtained:

   ```
   kinit -kt PATH_TO_KEYTAB_FILE postgres/DBCLUSTER_HOST@REALM
   ```

2. Verify the host.

   Make sure that the host you used when you generated the keytab file is the same host that you pass to the `psql` command, as shown in the following example:

   ```
   KTPass /princ postgres/DBCLUSTER_HOST@REALM /Pass PASSWORD /mapuser postgres /crypto ALL /ptype KRB5_NT_Principal /out OUTPUT_PATH

   psql -h DBCLUSTER_HOST -d DB_NAME -U USERNAME@REALM
   ```

   Make sure that `DBCLUSTER_HOST` is the same in both commands.

3. Verify the `krb5.conf` file.

   Verify the contents of the `krb5.conf` file on the client. Make sure that the `krb5.conf` file contents are correct for your configuration.

   ```
   cat /etc/krb5.conf
   ```

   The following is the expected output:

   ```
   [libdefaults]
   default_realm = REALM
   [realms]
   REALM = {
   kdc = KDC_HOST
   admin_server = ADMIN_SERVER
   }
   [domain_realm]
   HOST_DOMAIN_1 = REALM
   HOST_DOMAIN_2 = REALM
   ```

4. Verify the HBA entries and status.

   1. Run the following commands and send the logs to the [AlloyDB Omni product team](https://docs.google.com/forms/d/e/1FAIpQLSfLhBlJbtPJuvXcAS7WSF4J_CcCfO7tSWdCLqztAg1PhLX_vw/viewform).

      ```
      psql -h DBCLUSTER_HOST -U postgres -d postgres
      ```

      `psql` prompts you for the `postgres` user's password:

      ```
      Password for user postgres:
      ```

      `psql` returns the following output:

      ```
      psql (17.5 (Ubuntu 17.5-0ubuntu0.25.04.1), server 16.3)
      SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: none)
      Type "help" for help.
      ```

   2. Run the following command at the `psql` prompt:

      ```
      postgres=# table pg_hba_file_rules ;
      ```

      Output similar to the following example is returned:

      ```
       rule_number |              file_name               | line_number |  type   | database |     user_name      |  address  |                 netmask                 | auth_method |         options          |                        error
      -------------+--------------------------------------+-------------+---------+----------+--------------------+-----------+-----------------------------------------+-------------+--------------------------+-----------------------------------------------------
                 1 | /var/lib/postgresql/data/pg_hba.conf |           1 | host    | {all}    | {alloydbadmin}     | 127.0.0.1 | 255.255.255.255                         | trust       |                          |
                   | /var/lib/postgresql/data/pg_hba.conf |           2 | hostssl | {all}    | {alloydbadmin}     | ::1       | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | trust       |                          | hostssl record cannot match because SSL is disabled
                   | /var/lib/postgresql/data/pg_hba.conf |           3 | hostssl | {all}    | {alloydbpgbouncer} | 0.0.0.0   | 0.0.0.0                                 | cert        | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
                   | /var/lib/postgresql/data/pg_hba.conf |           4 | hostssl | {all}    | {alloydbpgbouncer} | ::1       | ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff | cert        | {clientcert=verify-full} | hostssl record cannot match because SSL is disabled
                   | /var/lib/postgresql/data/pg_hba.conf |           5 | hostssl | {all}    | {alloydbadmin}     | all       |                                         | reject      |                          | hostssl record cannot match because SSL is disabled
                   | /var/lib/postgresql/data/pg_hba.conf |           6 |         |          |                    |           |                                         |             |                          | invalid CIDR mask in address "0.0.0.0/1000"
                 2 | /var/lib/postgresql/data/pg_hba.conf |           7 | local   | {all}    | {all}              |           |                                         | trust       |                          |
      ```

5. Review the messages in the `error` column. A rule with a non-empty `error` is never loaded, so the column points directly at configuration problems in `pg_hba.conf`.

6. Print the debug-level `krb5` logs.

   ```
   export KRB5_TRACE=/dev/stderr
   kinit AD_USER@REALM
   psql -h DBCLUSTER_HOST -d DB_NAME -U USERNAME@REALM
   ```

   | **Note:** For more information about this issue, open the `postgres.log` file.

psql: error: connection to server on socket "/tmp/.s.PGSQL.5432" failed: FATAL: role "user2" does not exist
-----------------------------------------------------------------------------------------------------------

**Description**

This error occurs when the system user who is trying to connect has no PostgreSQL role of the same name and no mapping for that user exists in `pg_ident.conf`.

**Recommended fix**

Create a role in PostgreSQL with the required username, or add an entry for this user to the `pg_ident.conf` file.

```
psql (16.3)
Type "help" for help.

postgres=# CREATE ROLE user2 WITH LOGIN;
CREATE ROLE
```

Server restart fails with error: "could not load /var/lib/postgresql/data/pg_hba.conf"
--------------------------------------------------------------------------------------

**Description**

The server restart failed because the `pg_hba.conf` file contains invalid entries.

**Recommended fix**

Check the `pg_hba.conf` file for invalid entries.

FATAL: LDAP group synchronization failed
----------------------------------------

**Description**

LDAP synchronization fails when the user tries to sign in.

**Recommended fix**

1. Sign in as the `postgres` user and run the following:

   ```
   CREATE EXTENSION google_pg_auth;
   ```

2. Check the `postgresql.log` file for information about why the LDAP sign-in failed:

   ```
   grep google_pg_auth /obs/diagnostic/postgresql.log
   ```

What's next
-----------

- [Integrate Active Directory with AlloyDB Omni](/alloydb/omni/current/docs/integrate-active-directory)

Last updated 2025-08-25 UTC.
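As an added example (not part of the AlloyDB Omni documentation), the following Python checker reproduces the two `error` column messages shown in the `pg_hba_file_rules` output above, an invalid CIDR mask and `hostssl` rules while SSL is disabled, against a `pg_hba.conf` before the server is restarted, so the "could not load pg_hba.conf" restart failure can be caught in advance. The error wording mirrors PostgreSQL's, but the parser is an approximation (quoted values and comma lists are not handled), and the sample file is constructed.

```python
import ipaddress

CONNECTION_TYPES = {"local", "host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def check_hba_line(line, ssl_enabled=True):
    """Error PostgreSQL would report for this line, or None if it would load.
    Wording follows hba.c (approximately); quoted values and comma lists are not handled."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None  # blank or comment line: no rule, no error
    conn_type, rest = fields[0], fields[3:]  # rest: everything after type, database, user
    if conn_type not in CONNECTION_TYPES:
        return f'invalid connection type "{conn_type}"'
    if conn_type != "local":
        if not rest:
            return "end-of-line before IP address specification"
        address, rest = rest[0], rest[1:]
        if "/" in address:
            try:
                ipaddress.ip_network(address, strict=False)
            except ValueError:
                return f'invalid CIDR mask in address "{address}"'
        elif address not in ("all", "samehost", "samenet") and _is_ip(address):
            if not rest or not _is_ip(rest[0]):  # a bare IP needs a separate netmask column
                return "end-of-line before netmask specification"
            rest = rest[1:]
    if not rest:
        return "end-of-line before authentication method"
    if conn_type == "hostssl" and not ssl_enabled:
        return "hostssl record cannot match because SSL is disabled"
    return None

def lint_hba(text, ssl_enabled=True):
    """1-based line number -> error, for every line PostgreSQL would reject."""
    return {n: e for n, ln in enumerate(text.splitlines(), 1) if (e := check_hba_line(ln, ssl_enabled))}

# Constructed sample mirroring the pg_hba_file_rules output shown on this page (SSL disabled).
SAMPLE_HBA = """\
host    all alloydbadmin 127.0.0.1 255.255.255.255 trust
hostssl all alloydbadmin all reject
host    all all          0.0.0.0/1000 trust
local   all all          trust
"""
```

Run `lint_hba(SAMPLE_HBA, ssl_enabled=False)` to list the lines the server would reject; an empty dictionary means every rule would load.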