Re: GSSAPI server side on Linux, SSPI client side on Windows

From: Christian Ullrich
Subject: Re: GSSAPI server side on Linux, SSPI client side on Windows
Msg-id 0b34e55153674fa49a3b64ab7bc2f808@AMSPR06MB134.eurprd06.prod.outlook.com
In reply to: Re: GSSAPI server side on Linux, SSPI client side on Windows  (Brian Crowell <brian@fluggo.com>)
Responses: Re: GSSAPI server side on Linux, SSPI client side on Windows
Re: GSSAPI server side on Linux, SSPI client side on Windows
List: pgsql-general
* From: Brian Crowell

> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian@fluggo.com> wrote:
> > I think I'm getting closer though. I have psql on Windows successfully
> > authenticating, so I can't be too far off.
>
> Got it.

Great!

> The NpgsqlPasswordPacket class has a bug: a utility function it calls
> appends a null character to the data, which completely screws up GSSAPI.
> Now that I fixed that, I've got successful integrated authentication from
> Windows to PostgreSQL on Linux.
>
> However:
>
> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"

Hmm. That is related to one problem I've been having with SSPI auth from libpq/ODBC. The database treats the claimed user
name case-sensitively when looking up the user info in pg_authid, and if the user logged on to Windows with a name
differing in case from what the database thinks it is, authentication fails. Npgsql sending it always in lower case is
precisely what I landed on as a workaround (basically overriding libpq's automatic user name detection in the ODBC
connection string by appending a UID option).

> * Use "kerberos" package in AcquireCredentialsHandle call instead of
> "negotiate"

As long as it is the client that does that, it should be fine. According to the documentation on SSPI packages, it is
valid for the client SSPI to send a GSSAPI token to a server using the Negotiate package (instead of going through
SPNEGO to arrive at the same protocol).

> Also, in my case, it doesn't seem to matter for the SPN whether the
> service name is "postgres" or "POSTGRES." I've got PostgreSQL set to

Yeah, I think that bit about "you have to make the service name uppercase in postgresql.conf" is some kind of oral
tradition that everyone quotes at everyone else. I have been using SSPI and GSSAPI since the days of Windows 2000, and
it has always worked quite well without it.

> "postgres", and Npgsql is specifying "POSTGRES", but I also at some point
> configured two sets of SPNs on the domain for uppercase and lowercase, so
> I don't know if that's a mitigating factor.

The client gets its service ticket, with only one service name in it, before contacting the server, so it cannot know
what the server wants to see.

Congratulations on getting it to work. I'm a bit envious that you beat me to it (GSS auth interop between PostgreSQL on
Windows and others is kind of my hobby), but the sooner, the better.

--
Christian
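The two wire-protocol details this exchange turns on are the stray NUL that the Npgsql password helper appended to the GSS token, and the case-sensitive `user` parameter of the startup packet. The following Python is an added illustration, not code from the thread, from Npgsql or from PostgreSQL: it builds PostgreSQL v3 StartupMessage and 'p' frames both ways, then uses the token's own DER length octets to detect trailing bytes, which is the check a defender can run on a captured frame to tell a framing bug from a Kerberos problem. The GSS token is a constructed sample (Kerberos 5 mechanism OID plus filler), not a real ticket.

```python
import struct

# PostgreSQL v3 wire protocol version: (major << 16) | minor
PROTOCOL_VERSION_3_0 = (3 << 16) | 0

# Constructed sample token (not a real ticket): a DER InitialContextToken
# ([APPLICATION 0], tag 0x60) wrapping the Kerberos 5 mechanism OID
# 1.2.840.113554.1.2.2 and the KRB_AP_REQ token id 0x01 0x00; the bytes that
# follow are filler standing in for the AP-REQ.
KRB5_MECH_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"
_inner = KRB5_MECH_OID + b"\x01\x00" + b"constructed-filler"
SAMPLE_GSS_TOKEN = b"\x60" + bytes([len(_inner)]) + _inner


def startup_message(params):
    """StartupMessage: Int32 length, Int32 version, then NUL-terminated
    key/value pairs and a final NUL. The server looks up params['user']
    case-sensitively in pg_authid, so send it exactly as the role is spelled."""
    body = struct.pack("!i", PROTOCOL_VERSION_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!i", len(body) + 4) + body


def password_message(password: bytes) -> bytes:
    """PasswordMessage ('p'): the password is a String, so it is NUL-terminated."""
    payload = password + b"\x00"
    return b"p" + struct.pack("!i", len(payload) + 4) + payload


def gss_response(token: bytes) -> bytes:
    """GSSResponse ('p'): same message type, but the token is raw bytes with
    no terminator; the Int32 length is the only framing."""
    return b"p" + struct.pack("!i", len(token) + 4) + token


def buggy_gss_response(token: bytes) -> bytes:
    """Reproduces the framing defect discussed in the thread: reusing the
    password helper for a GSS token appends a stray NUL to the DER token."""
    return password_message(token)


def parse_p_message(frame: bytes) -> bytes:
    """Return the payload of a 'p' frame, checking type byte and length prefix."""
    if len(frame) < 5 or frame[:1] != b"p":
        raise ValueError("not a 'p' message")
    (length,) = struct.unpack("!i", frame[1:5])
    if length != len(frame) - 1:
        raise ValueError("length prefix does not match frame size")
    return frame[5:]


def der_total_length(token: bytes) -> int:
    """Size of the DER InitialContextToken at the start of `token`, derived from
    its own length octets (short and long form), independent of len(token)."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    first = token[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if len(token) < 2 + n:
        raise ValueError("truncated length octets")
    return 2 + n + int.from_bytes(token[2:2 + n], "big")


def gss_token_has_trailing_bytes(payload: bytes) -> bool:
    """True if the 'p' payload carries bytes beyond the DER-declared token,
    i.e. the acceptor is handed something it will not parse as a valid token."""
    return len(payload) > der_total_length(payload)


if __name__ == "__main__":
    good = parse_p_message(gss_response(SAMPLE_GSS_TOKEN))
    bad = parse_p_message(buggy_gss_response(SAMPLE_GSS_TOKEN))
    print("correct framing, trailing bytes:", gss_token_has_trailing_bytes(good))
    print("buggy framing, trailing bytes:  ", gss_token_has_trailing_bytes(bad))
```

The DER length check is deliberately independent of the frame length: a 'p' frame whose Int32 prefix is internally consistent can still carry a token with one byte too many, and only the token's own length octets reveal that. The `user` value in `startup_message` is passed through unchanged; whatever the client's name detection produces (the lowercased form Npgsql sends, or an explicit UID override in ODBC) is what the server compares against pg_authid.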


