GSS authentication fails on Windows (replay cache issue?)

From: Christian Ullrich
Subject: GSS authentication fails on Windows (replay cache issue?)
Msg-id: i6cpc2$m3h$1@dough.gmane.org
List: pgsql-admin

Hello all,

I'm having a problem using GSS authentication with PostgreSQL 8.4.4 on a
Windows 2008 server. I need GSSAPI instead of SSPI for the JDBC driver.
We are using SSPI with the ODBC driver at the moment, and it works fine.

The problem is this: For three days in a row now, I have tried changing
the configuration to use GSSAPI instead of SSPI. I created a keytab, set
it in postgresql.conf, restarted the service. Immediately after that, I
could authenticate successfully, using both drivers and any applications
we have (including psql, of course).

The next morning, users arrived and began connecting to the server.
Within an hour, GSSAPI authentication started to fail for every logon.
Switching back to SSPI fixed this immediately.

I think I have traced the problem back to a file called "postgres" in
the service account's TEMP directory. This appears to be the Kerberos
replay cache. I noticed that this file stopped changing (based on the
modification time) at the same time GSS authentication stopped working.
Instead, a number of temporary files started appearing in this
directory, one for each failed logon.

Process Explorer shows that the backend first reads the "postgres" file,
then writes a temporary file. It then tries to delete the "postgres"
file and fails with a "sharing violation". In other words, some other
process still has the file opened, so it cannot be deleted.

It also shows that each backend that used GSSAPI authentication has an
open handle to the file. I tried closing these handles, on the theory
that they must have been leaked (why would the Kerberos library need the
replay cache once authentication has completed?), and as soon as I did,
GSSAPI authentication started working again.

What can I do to fix this? As far as I can tell, PostgreSQL already
ships with libraries from the latest Kerberos for Windows release (even
though KfW 3.2.2 is three years old by now).

Thanks in advance for any help.

--
Christian
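
The symptom described in the message above (the replay cache file stops changing while leftover temporary files accumulate beside it) can be watched for with a scheduled check. This is an added example, not part of the original message and not PostgreSQL or Kerberos code; the function names, the 10-minute staleness threshold and the sample file names are assumptions, and because the message does not give the temporary files' names, any newer file in the directory is counted as a leftover.

```python
import os
import tempfile
import time
from pathlib import Path


def rcache_health(temp_dir, rcache_name="postgres", stale_after=600, now=None):
    """Flag the pattern from the post: cache file frozen, newer leftovers piling up."""
    now = time.time() if now is None else now
    temp_dir = Path(temp_dir)
    cache = temp_dir / rcache_name
    if not cache.is_file():
        return {"present": False, "stale": False, "leftovers": [], "stalled": False}
    cache_mtime = cache.stat().st_mtime
    # Files written after the cache's last successful rewrite (heuristic: any
    # newer regular file counts, since the post does not give the temp names).
    leftovers = sorted(
        p.name for p in temp_dir.iterdir()
        if p.is_file() and p.name != rcache_name and p.stat().st_mtime > cache_mtime
    )
    stale = (now - cache_mtime) > stale_after
    return {"present": True, "stale": stale, "leftovers": leftovers,
            "stalled": stale and bool(leftovers)}


def build_sample(temp_dir, now, cache_age, other_ages):
    """Create a constructed directory: the cache plus files of the given ages (seconds)."""
    entries = [("postgres", cache_age)]
    entries += [(f"constructed_tmp_{i}", age) for i, age in enumerate(other_ages)]
    for name, age in entries:
        path = Path(temp_dir) / name
        path.write_bytes(b"constructed sample, not real replay cache data")
        os.utime(path, (now - age, now - age))


if __name__ == "__main__":
    now = time.time()
    with tempfile.TemporaryDirectory() as d:
        # Cache last rewritten an hour ago, three files left behind since then.
        build_sample(d, now, cache_age=3600, other_ages=[1800, 900, 60])
        print(rcache_health(d, now=now))
```

A stale cache with no leftovers is reported as not stalled, since an idle server also leaves the file untouched.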
