Re: GSSAPI server side on Linux, SSPI client side on Windows

From: Francisco Figueiredo Jr.
Subject: Re: GSSAPI server side on Linux, SSPI client side on Windows
Msg-id: CACUQdMYVgq=xvCSDQ3vpKPCzHpVCoc5ZKTC_kJs6VbW_ua5n-A@mail.gmail.com
In reply to: Re: GSSAPI server side on Linux, SSPI client side on Windows  (Brian Crowell <brian@fluggo.com>)
Responses: Re: GSSAPI server side on Linux, SSPI client side on Windows
Re: GSSAPI server side on Linux, SSPI client side on Windows
List: pgsql-general


On 12/11/2013 03:37, "Brian Crowell" <brian@fluggo.com> wrote:
>
> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian@fluggo.com> wrote:
> > I think I'm getting closer though. I have psql on Windows successfully
> > authenticating, so I can't be too far off.
>
> Got it.
>
> The NpgsqlPasswordPacket class has a bug: a utility function it calls
> appends a null character to the data, which completely screws up
> GSSAPI. Now that I fixed that, I've got successful integrated
> authentication from Windows to PostgreSQL on Linux.
>

That's great!

We have made a lot of changes to those utility functions and now we have methods which don't append that null char.

> However:
>
> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
> * Npgsql isn't sending the realm, and I've got PostgreSQL configured
> to expect it
>
> Otherwise, it's working. As far as I know, the changes necessary are:
>
> * Use hostname in the SPN instead of IP address
> * Use "kerberos" package in AcquireCredentialsHandle call instead of "negotiate"
> * Fix PGUtil.WriteBytes to not send the extra null (this method is
> only used by NpgsqlPasswordPacket, but this fix will most likely break
> other authentication methods)
> * As stated above, may need to specify username manually (UserName =
> "BCrowell@DOMAIN.COM"); I want to fix this
>
> If I figure out the username issue, I'll submit a patch.
>

Excellent, Brian!

I'm looking forward to your patch.
Npgsql source can be found at github.com/npgsql/Npgsql

If you need any help to understand Npgsql, please let me know. Unfortunately as I'm not the original developer of the sspi code, I may not be very helpful on this specific issue, but I can help you out regarding other parts of Npgsql code.

> Also, in my case, it doesn't seem to matter for the SPN whether the
> service name is "postgres" or "POSTGRES." I've got PostgreSQL set to
> "postgres", and Npgsql is specifying "POSTGRES", but I also at some
> point configured two sets of SPNs on the domain for uppercase and
> lowercase, so I don't know if that's a mitigating factor.
>

It would be awesome if you could write a little guide about how to configure PostgreSQL to work with sspi authentication from Windows.
I could add it to our Npgsql user manual...

Thank you all for having a look at those Npgsql authentication issues.

> —Brian
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
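
The null-byte problem discussed in this message, as an added example that is not part of the original thread and is not Npgsql code. It frames a constructed GSSAPI token in the PostgreSQL frontend `p` message (type byte, Int32 length that counts itself, payload) and shows that a password-style terminator still yields a well-framed message but leaves one byte past the end of the RFC 2743 initial token. All function names and the sample token are assumptions made for the illustration.

```python
import struct

def frame_p_message(payload: bytes) -> bytes:
    """Frontend 'p' message: Byte1('p'), Int32 length (counts itself), payload."""
    return b"p" + struct.pack("!I", len(payload) + 4) + payload

def unframe_p_message(msg: bytes) -> bytes:
    """Return the payload exactly as a receiver would hand it to GSSAPI."""
    if len(msg) < 5 or msg[:1] != b"p":
        raise ValueError("not a 'p' message")
    (length,) = struct.unpack("!I", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match message size")
    return msg[5:]

def gss_token_trailing_bytes(token: bytes) -> int:
    """Bytes left over after the RFC 2743 initial token (0x60, DER length, body)."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("not a GSSAPI initial context token")
    first = token[1]
    if first < 0x80:                      # short-form DER length
        body_len, header_len = first, 2
    else:                                 # long-form: low 7 bits = number of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(token) < 2 + n:
            raise ValueError("bad DER length")
        body_len, header_len = int.from_bytes(token[2:2 + n], "big"), 2 + n
    extra = len(token) - header_len - body_len
    if extra < 0:
        raise ValueError("token truncated")
    return extra

# Constructed sample token (not captured traffic): 0x60, DER length,
# Kerberos V5 mechanism OID 1.2.840.113554.1.2.2, then a dummy inner token.
KRB5_OID = bytes.fromhex("06092a864886f712010202")
INNER = b"\x01\x00" + b"\xAA" * 40
SAMPLE_TOKEN = b"\x60" + bytes([len(KRB5_OID) + len(INNER)]) + KRB5_OID + INNER

GOOD_MSG = frame_p_message(SAMPLE_TOKEN)             # raw token bytes
BUGGY_MSG = frame_p_message(SAMPLE_TOKEN + b"\x00")  # password-style null terminator

if __name__ == "__main__":
    for name, msg in (("raw token", GOOD_MSG), ("token + NUL", BUGGY_MSG)):
        token = unframe_p_message(msg)
        print(f"{name}: payload={len(token)} bytes, trailing={gss_token_trailing_bytes(token)}")
```

Both messages pass the framing check, so the extra byte is only visible when the payload is compared against the token's own DER length.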
