GSS authentication fails on Windows (replay cache issue?)

Hello all,

I'm having a problem using GSS authentication with PostgreSQL 8.4.4 on a Windows 2008 server. I need GSSAPI instead of SSPI for the JDBC driver. We are using SSPI with the ODBC driver at the moment, and it works fine.

The problem is this: For three days in a row now, I have tried changing the configuration to use GSSAPI instead of SSPI. I created a keytab, set it in postgresql.conf, restarted the service. Immediately after that, I could authenticate successfully, using both drivers and any applications we have (including psql, of course).

The next morning, users arrived and began connecting to the server. Within an hour, GSSAPI authentication started to fail for every logon. Switching back to SSPI fixed this immediately.

I think I have traced the problem back to a file called "postgres" in the service account's TEMP directory. This appears to be the Kerberos replay cache. I noticed that this file stopped changing (based on the modification time) at the same time GSS authentication stopped working. Instead, a number of temporary files started appearing in this directory, one for each failed logon.

Process Explorer shows that the backend first reads the "postgres" file, then writes a temporary file. It then tries to delete the "postgres" file and fails with a "sharing violation". In other words, some other process still has the file opened, so it cannot be deleted.

It also shows that each backend that used GSSAPI authentication has an open handle to the file. I tried closing these handles, on the theory that they must have been leaked (why would the Kerberos library need the replay cache once authentication has completed?), and as soon as I did, GSSAPI authentication started working again.

What can I do to fix this? As far as I can tell, PostgreSQL already ships with libraries from the latest Kerberos for Windows release (even though KfW 3.2.2 is three years old by now).

Thanks in advance for any help.

--
Christian


--
Sent via pgsql-admin mailing list (pgsql-admin@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-admin
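The diagnosis above (a replay cache file in the service account's TEMP directory whose modification time freezes while temporary files pile up beside it, and backends that keep a handle on it) can be checked from the command line instead of by hand in Process Explorer. The following PowerShell script is an added example; it is not from Christian's post, from PostgreSQL, or from Kerberos for Windows. It assumes the service account's TEMP path, the location of Sysinternals handle.exe, and the shape of handle.exe's output lines (the regex below); none of those are given in the post. The cache file name "postgres" is the one the post reports.

```powershell
<#
  Added example (not from the original post, PostgreSQL or KfW).
  Reports whether the MIT Kerberos replay cache in the PostgreSQL service
  account's TEMP directory looks stuck, lists the processes that hold it
  open via Sysinternals handle.exe, and can close those handles as a stopgap.
  Assumed, not stated in the post: the TEMP path, the handle.exe location,
  and the handle.exe output layout matched by $pattern.
#>
param(
    [string]$ServiceTemp = 'C:\Users\postgres\AppData\Local\Temp',  # assumed path
    [string]$RcacheName  = 'postgres',                               # file name from the post
    [string]$HandleExe   = 'C:\Tools\handle.exe',                    # assumed location
    [int]$StaleMinutes   = 30,
    [switch]$CloseHandles
)

$rcache = Join-Path $ServiceTemp $RcacheName
if (-not (Test-Path -LiteralPath $rcache)) {
    Write-Warning "Replay cache file not found: $rcache"
    return
}

$rcacheItem = Get-Item -LiteralPath $rcache
$age = (Get-Date) - $rcacheItem.LastWriteTime
Write-Host ("Replay cache {0} last written {1:N0} minute(s) ago" -f $rcache, $age.TotalMinutes)

# Symptom described in the post: once the cache can no longer be replaced,
# its modification time freezes and fresh temp files appear next to it.
# "Newer than the cache" is a heuristic; the post does not name the temp files.
$leftovers = @(Get-ChildItem -LiteralPath $ServiceTemp -File |
    Where-Object { $_.Name -ne $RcacheName -and $_.LastWriteTime -gt $rcacheItem.LastWriteTime })
Write-Host ("{0} file(s) in TEMP newer than the replay cache" -f $leftovers.Count)

if ($age.TotalMinutes -gt $StaleMinutes -and $leftovers.Count -gt 0) {
    Write-Warning "Replay cache looks stuck: unchanged for over $StaleMinutes minutes while new temp files keep appearing."
}

# handle.exe prints every open handle whose name contains the argument.
# Assumed line shape:  postgres.exe  pid: 4321  type: File  12C: C:\...\Temp\postgres
$pattern = '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*File\s+(?<handle>[0-9A-Fa-f]+):\s*(?<path>.+)$'
$holders = @()
foreach ($raw in (& $HandleExe -accepteula -nobanner $rcache 2>&1)) {
    $line = "$raw".Trim()
    if ($line -match $pattern -and $Matches['path'].Trim() -ieq $rcache) {
        $holders += [pscustomobject]@{
            Process = $Matches['proc']
            Pid     = [int]$Matches['pid']
            Handle  = $Matches['handle']
        }
    }
}

if ($holders.Count -eq 0) {
    Write-Host "No process currently holds $rcache open."
    return
}

$holders | Sort-Object Pid | Format-Table -AutoSize
$backends = @($holders | Where-Object { $_.Process -ieq 'postgres.exe' })
Write-Host ("{0} handle(s) held by postgres.exe backends" -f $backends.Count)

if ($CloseHandles) {
    # Stopgap only: closing a handle inside another process can destabilise it.
    # This reproduces what the post did by hand in Process Explorer.
    foreach ($h in $backends) {
        & $HandleExe -accepteula -nobanner -c $h.Handle -p $h.Pid -y
    }
}
```

Run it from an elevated prompt, since handle.exe needs administrative rights to enumerate handles in processes owned by another account (the service account). Two caveats a practitioner should keep in mind: closing the leaked handles, as the post found, only restores logins until the next batch of backends leaks them again, so it is a workaround rather than a fix; and the replay cache exists to reject replayed AP-REQ messages, so making the symptom disappear by disabling the cache (MIT Kerberos honours KRB5RCACHETYPE=none) trades the outage for a real weakening of the authentication exchange and is not an acceptable fix.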