Thread: Windows binary install and gssapi support

Windows binary install and gssapi support

From: Grant McKenzie
Hello,

Postgres supports a connection string parameter 'gsslib'. This is documented here:


When I install the psycopg2 binary distribution on windows, I see the error below.

C:\Users\grant>pip install psycopg2-binary
Collecting psycopg2-binary
  Downloading psycopg2_binary-2.7.4-cp27-cp27m-win32.whl (859kB)
    100% |################################| 860kB 882kB/s
Installing collected packages: psycopg2-binary
Successfully installed psycopg2-binary-2.7.4
You are using pip version 9.0.1, however version 10.0.0 is available.
You should consider upgrading via the 'python -m pip install --upgrade pip' command.

C:\Users\grant>python
Python 2.7.10 (default, May 23 2015, 09:40:32) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import psycopg2
>>> psycopg2.connect( 'postgresql://localhost/postgres?gsslib=gssapi' )
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python27\lib\site-packages\psycopg2\__init__.py", line 129, in connect
    dsn = _ext.make_dsn(dsn, **kwargs)
  File "C:\Python27\lib\site-packages\psycopg2\extensions.py", line 155, in make_dsn
    parse_dsn(dsn)
psycopg2.ProgrammingError: invalid dsn: invalid URI query parameter: "gsslib"

C:\Users\grant>python --version
Python 2.7.10

C:\Users\grant>ver

Microsoft Windows [Version 10.0.16299.371]


I am speculating here, but perhaps the libpq library that was used to build the package was not built using the --with-gssapi switch described here?


Thanks


Re: Windows binary install and gssapi support

From: Jason Erickson
Grant,

You are correct, the libpq library is not built with the gsslib library.  Several years back I noticed the gsslib option when doing a review of the options for libpq and attempted to include the library with some minimal effort but without success.  Since we build the psycopg2 windows binaries with the compiler version that was used to build the respective Python version, we also use that compiler version to build the dependent libraries as well.  At the time, linking in the MIT Kerberos library was more involved than download, compile, and link.  Since it has been a few years, it might be worth revisiting it again.

-jason


On Sat, Apr 14, 2018 at 6:35 PM, Grant McKenzie <grant.r.mckenzie@gmail.com> wrote:
Hello,

Postgres supports a connection string parameter 'gsslib'. This is documented here:


When I install the psycopg2 binary distribution on windows, I see the error below.

C:\Users\grant>pip install psycopg2-binary
Collecting psycopg2-binary
  Downloading psycopg2_binary-2.7.4-cp27-cp27m-win32.whl (859kB)
    100% |################################| 860kB 882kB/s
Installing collected packages: psycopg2-binary
Successfully installed psycopg2-binary-2.7.4
You are using pip version 9.0.1, however version 10.0.0 is available.
You should consider upgrading via the 'python -m pip install --upgrade pip' command.

C:\Users\grant>python
Python 2.7.10 (default, May 23 2015, 09:40:32) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import psycopg2
>>> psycopg2.connect( 'postgresql://localhost/postgres?gsslib=gssapi' )
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\Python27\lib\site-packages\psycopg2\__init__.py", line 129, in connect
    dsn = _ext.make_dsn(dsn, **kwargs)
  File "C:\Python27\lib\site-packages\psycopg2\extensions.py", line 155, in make_dsn
    parse_dsn(dsn)
psycopg2.ProgrammingError: invalid dsn: invalid URI query parameter: "gsslib"

C:\Users\grant>python --version
Python 2.7.10

C:\Users\grant>ver

Microsoft Windows [Version 10.0.16299.371]


I am speculating here, but perhaps the libpq library that was used to build the package was not built using the --with-gssapi switch described here?


Thanks



Re: Windows binary install and gssapi support

From: Grant McKenzie

Thanks Jason.

The build process for windows still seems quite involved:

https://www.postgresql.org/docs/10/static/install-windows-full.html

That said, the predominance of Kerberos authentication in enterprises these days would make support of this a welcome addition I'm sure.

On 4/14/2018 10:28 PM, Jason Erickson wrote:
Grant,

You are correct, the libpq library is not built with the gsslib library.  Several years back I noticed the gsslib option when doing a review of the options for libpq and attempted to include the library with some minimal effort but without success.  Since we build the psycopg2 windows binaries with the compiler version that was used to build the respective Python version, we also use that compiler version to build the dependent libraries as well.  At the time, linking in the MIT Kerberos library was more involved than download, compile, and link.  Since it has been a few years, it might be worth revisiting it again.

-jason


Re: Windows binary install and gssapi support

From: Stephen Frost
Greetings,

* Grant McKenzie (mckenzig@optonline.net) wrote:
> That said, the predominance of Kerberos authentication in enterprises these
> days would make support of this a welcome addition I'm sure.

We always build with SSPI on Windows platforms.

You don't really need (or want) GSSAPI on Windows systems because we've
got SSPI there..

Is there some reason that people are trying to get GSSAPI on Windows
instead of just using SSPI..?  I'd expect that to be very rare these
days..

Thanks!

Stephen

Re: Windows binary install and gssapi support

From: Grant McKenzie
Hello Stephen,

in a heterogeneous environment with a server running on linux and a mix of clients running on windows and linux, would you not want to use GSSAPI?

Thanks.


On Tue, Apr 17, 2018 at 12:00 PM, Stephen Frost <sfrost@snowman.net> wrote:
Greetings,

* Grant McKenzie (mckenzig@optonline.net) wrote:
> That said, the predominance of Kerberos authentication in enterprises these
> days would make support of this a welcome addition I'm sure.

We always build with SSPI on Windows platforms.

You don't really need (or want) GSSAPI on Windows systems because we've
got SSPI there..

Is there some reason that people are trying to get GSSAPI on Windows
instead of just using SSPI..?  I'd expect that to be very rare these
days..

Thanks!

Stephen

Re: Windows binary install and gssapi support

From: Stephen Frost
Greetings Grant,

* Grant McKenzie (grant.r.mckenzie@gmail.com) wrote:
> in a heterogeneous environment with a server running on linux and a mix of
> clients running on windows and linux, would you not want to use GSSAPI?

We generally prefer in-line responses instead of "top-posting" on the PG
mailing lists.

In that mixed environment, you would typically have either:

One Realm run by the Active Directory system, with the Linux hosts
configured to use GSSAPI and joined to the Active Directory environment
and then using SSPI on the Windows clients.

or

Two realms, one run on the Active Directory system and one run on a
Linux host using an MIT KDC or Heimdal, with a cross-realm trust between
the two (at least one-way, for the Windows clients to be trusted by the
Linux servers, or two-way, if you have the need to go the other
direction also), and then the Windows systems running SSPI and the Linux
systems using GSSAPI.

What is perhaps not being understood here is that SSPI is Kerberos on
Windows using the Active Directory system.  There's no need to also have
GSSAPI enabled on the Windows systems- that would just be adding in
libraries and complications that aren't necessary in an Active Directory
environment.  If you're running Windows clients and *not* using Active
Directory, then there might be a reason to use GSSAPI on Windows and
Kerberos For Windows from MIT, but that's extremely rare these days...

Thanks!

Stephen
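
The two layouts described in the message above, written out as server-side configuration for the Linux PostgreSQL host. This is an added example, not part of the thread and not from the PostgreSQL or psycopg2 projects; the realm names, address range, map name, host name and keytab path are constructed placeholders.

```conf
# Constructed example: Linux PostgreSQL server accepting Kerberos logins from
# Linux clients (libpq using GSSAPI) and Windows clients (libpq using SSPI).
# AD.EXAMPLE.COM, UNIX.EXAMPLE.COM, 10.0.0.0/8, db.example.com and the keytab
# path are placeholders.

# --- postgresql.conf ------------------------------------------------------
# Keytab holding the server's service principal, postgres/<server-fqdn>@<REALM>.
krb_server_keyfile = '/etc/postgresql/krb5.keytab'

# --- pg_hba.conf, layout 1: one realm run by Active Directory -------------
# krb_realm rejects principals from any other realm; include_realm=1 keeps
# "user@REALM" as the name that is handed to the map.
# TYPE  DATABASE  USER  ADDRESS      METHOD  OPTIONS
host    all       all   10.0.0.0/8   gss     include_realm=1 krb_realm=AD.EXAMPLE.COM map=krb

# --- pg_hba.conf, layout 2: AD realm plus an MIT/Heimdal realm ------------
# Use this line instead of the layout 1 line. krb_realm is left out because
# principals from both realms must be accepted; the map below then becomes
# the only place where the realm is checked.
host    all       all   10.0.0.0/8   gss     include_realm=1 map=krb

# --- pg_ident.conf --------------------------------------------------------
# A leading "/" makes SYSTEM-USERNAME a regular expression; \1 is its first
# capture group.
# MAPNAME  SYSTEM-USERNAME                PG-USERNAME
krb        /^(.*)@AD\.EXAMPLE\.COM$       \1
# Layout 2 only. Both realms map to the bare user name here, so
# alice@AD.EXAMPLE.COM and alice@UNIX.EXAMPLE.COM reach the same database
# role. Map one realm to distinct role names if they can be different people.
krb        /^(.*)@UNIX\.EXAMPLE\.COM$     \1

# --- clients --------------------------------------------------------------
# The same connection string works on both platforms, with no gsslib
# parameter: a Windows libpq built with SSPI answers the server's GSSAPI
# request through SSPI, and a Linux libpq built with GSSAPI answers it
# through the system Kerberos library.
#   postgresql://db.example.com/postgres
```

The server-side method is `gss` in both layouts; nothing in `pg_hba.conf` depends on whether a given client used SSPI or GSSAPI to obtain its ticket.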
