On Tue, Nov 12, 2013 at 6:56 AM, Christian Ullrich <chris@xxxxxxxxxxxxxx> wrote:
* From: Brian Crowell
Great!
> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian@xxxxxxxxxx> wrote:
> > I think I'm getting closer though. I have psql on Windows successfully
> > authenticating, so I can't be too far off.
>
> Got it.
Hmm. That is related one problem I've been having with SSPI auth from libpq/ODBC. The database treats the claimed user name case-sensitively when looking up the user info in pg_authid, and if the user logged on to Windows with a name differing in case from what the database thinks it is, authentication fails. Npgsql sending it always in lower case is precisely what I landed on as a workaround (basically overriding libpq's automatic user name detection in the ODBC connection string by appending a UID option).
> The NpgsqlPasswordPacket class has a bug: a utility function it calls
> appends a null character to the data, which completely screws up GSSAPI.
> Now that I fixed that, I've got successful integrated authentication from
> Windows to PostgreSQL on Linux.
>
> However:
>
> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
Yes, windows is really annoying in this regard. It preserves what you *logged in* with as your username - not what's stored in Active Directory or the SAM.
> * Use "kerberos" package in AcquireCredentialsHandle call instead ofAs long as it is the client that does that, it should be fine. According to the documentation on SSPI packages, it is valid for the client SSPI to send a GSSAPI token to a server using the Negotiate package (instead of going through SPNEGO to arrive at the same protocol).
> "negotiate"
I believe it should be ok, yes.
> Also, in my case, it doesn't seem to matter for the SPN whether theYeah, I think that bit about "you have to make the service name uppercase in postgresql.conf" is some kind of oral tradition that everyone quotes at everyone else. I have been using SSPI and GSSAPI since the days of Windows 2000, and it has always worked quite well without it.
> service name is "postgres" or "POSTGRES." I've got PostgreSQL set to
I think it also depends on which kerberos libraries you have on each end. I've certainly had a lot of issues with it in the past, with Windows 2000 AD controllers and I think also Windows 2003.
The client gets its service ticket, with only one service name in it, before contacting the server, so it cannot know what the server wants to see.
> "postgres", and Npgsql is specifying "POSTGRES", but I also at some point
> configured two sets of SPNs on the domain for uppercase and lowercase, so
> I don't know if that's a mitigating factor.
Congratulations on getting it to work. I'm a bit envious that you beat me to it (GSS auth interop between PostgreSQL on Windows and others is kind of my hobby), but the sooner, the better.
+1 :)
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
