Search Postgresql Archives

Re: GSSAPI server side on Linux, SSPI client side on Windows

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

* Francisco Figueiredo Jr. wrote:


On Tue, Nov 5, 2013 at 2:35 PM, Christian Ullrich <chris@xxxxxxxxxxxxxx
<mailto:chris@xxxxxxxxxxxxxx>> wrote:

    * Stephen Frost wrote:

        * Brian Crowell (brian@xxxxxxxxxx <mailto:brian@xxxxxxxxxx>) wrote:

            However, the eventual goal was to connect to this same
            server from a
            .NET app running on Windows, and here I've run into a snag.
            The Npgsql
            library does not support GSSAPI—it only supports SSPI, which is
            nearly-but-not-enough-like the same thing to count in this
            situation,


        Uhhh, why not?


    Because the server on Linux sends AUTH_REQ_GSS, which Npgsql does
    not recognize.

    I tried to fix it using the reverse of they one-line fix that worked
    in both JDBC and libpq. There, the problem was that they only
    supported GSSAPI and had no clue about SSPI (except libpq on
    Windows). The fix was to basically declare GSSAPI and SSPI to be the
    same. It didn't work.

    In Npgsql's case, the problem is the other way around -- it only
    knows SSPI. While making GSSAPI the same as SSPI should work in
    principle, there must be some difference somewhere.



Did you make your changes in the NpgsqlState.cs file?


Yes.


Also, while checking this part of the code, it seems Npgsql isn't
handling the AuthenticationGSS message. It is only handling
AuthenticationGSSContinue messages.

>
> I think you could try adding the  AuthenticationGSS case to Npgsql
> and see if it can authenticate correctly. You could add a second
> switch case below the case
> AuthenticationRequestType.AuthenticationSSPI and see if Npgsql can
> also handle the GSS authentication correctly.

That is exactly what I did.
I remember from my work on libpq that there is a slight difference in how it handles the two authentication types, but there it is just a flag for whether to treat the user name case-sensitively or not. Here, I control the case of the user part of the UPN, the claimed user name in the startup packet, and the role name in the database, and I know they are all identical. Therefore it should not matter for now whether Npgsql has similar logic already. To make GSSAPI support production-ready, I may have to add it, of course. 

--
Christian




--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Postgresql Jobs]     [Postgresql Admin]     [Postgresql Performance]     [Linux Clusters]     [PHP Home]     [PHP on Windows]     [Kernel Newbies]     [PHP Classes]     [PHP Books]     [PHP Databases]     [Postgresql & PHP]     [Yosemite]
  Powered by Linux