Re: GSSAPI server side on Linux, SSPI client side on Windows

From: Christian Ullrich <chris(at)chrullrich(dot)net>
To: pgsql-general(at)postgresql(dot)org
Subject: Re: GSSAPI server side on Linux, SSPI client side on Windows
Date: 2013-11-05 17:35:55
Message-ID: 52792C7B.7010104@chrullrich.net
Lists: pgsql-general

* Stephen Frost wrote:

> * Christian Ullrich (chris(at)chrullrich(dot)net) wrote:

>> I tried to fix it using the reverse of the one-line fix that worked
>> in both JDBC and libpq. There, the problem was that they only
>> supported GSSAPI and had no clue about SSPI (except libpq on
>> Windows). The fix was to basically declare GSSAPI and SSPI to be the
>> same. It didn't work.
>
> If Npgsql does the same as libpq-on-Windows, it should all work just
> fine..

Hence my suspicion that it doesn't. I did not have the time to compare
every function call yet.

>> In Npgsql's case, the problem is the other way around -- it only
>> knows SSPI. While making GSSAPI the same as SSPI should work in
>> principle, there must be some difference somewhere.
>
> Well, what happened after you hacked Npgsql? It's possible there's a

Nov 1 10:21:44 infra1 postgres[24864]: [7-1] FATAL: GSSAPI authentication failed for user "chris"
Nov 1 10:25:27 infra1 postgres[25030]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:25:27 infra1 postgres[25030]: [7-2] DETAIL: An unsupported mechanism was requested: Unknown error
Nov 1 10:26:28 infra1 postgres[25079]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:26:28 infra1 postgres[25079]: [7-2] DETAIL: An unsupported mechanism was requested: Unknown error
Nov 1 10:30:41 infra1 postgres[25193]: [7-1] FATAL: canceling authentication due to timeout
Nov 1 10:31:50 infra1 postgres[25277]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:31:50 infra1 postgres[25277]: [7-2] DETAIL: An unsupported mechanism was requested: Unknown error
Nov 1 10:39:31 infra1 postgres[25587]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:39:31 infra1 postgres[25587]: [7-2] DETAIL: Unspecified GSS failure. Minor code may provide more information:
Nov 1 10:44:32 infra1 postgres[25778]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:44:32 infra1 postgres[25778]: [7-2] DETAIL: Unspecified GSS failure. Minor code may provide more information:
Nov 1 10:44:56 infra1 postgres[25789]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:44:56 infra1 postgres[25789]: [7-2] DETAIL: Unspecified GSS failure. Minor code may provide more information:

At some point during that I changed the principal that Npgsql gets its
service ticket for from POSTGRES/<IP address> to POSTGRES/<host name>.
There is a comment in the source that it does not work with the host
name, with no more details, and I chose not to believe that. The result
did nothing to prove me right, though. I think it was where the errors
change from "accepting context failed" to "unspecified error", but I may
be wrong.

The GSSAPI error messages are of the usual helpful kind, even including
the colon that is followed by no detail.

I will spend more time on it once I have managed to keep my job this week.

--
Christian
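
Added example, not part of the original message: a Python script that pairs each FATAL line with the DETAIL line of the same backend PID and reports when each distinct failure first appeared, which settles where the errors change from one kind to the other. The log text is a subset of the lines quoted in the message; the function names are illustrative assumptions.

```python
import re

# Subset of the syslog lines quoted in the message, with the mail client's
# line wraps rejoined so that each record sits on one line.
SAMPLE_LOG = """\
Nov 1 10:21:44 infra1 postgres[24864]: [7-1] FATAL: GSSAPI authentication failed for user "chris"
Nov 1 10:25:27 infra1 postgres[25030]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:25:27 infra1 postgres[25030]: [7-2] DETAIL: An unsupported mechanism was requested: Unknown error
Nov 1 10:30:41 infra1 postgres[25193]: [7-1] FATAL: canceling authentication due to timeout
Nov 1 10:31:50 infra1 postgres[25277]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:31:50 infra1 postgres[25277]: [7-2] DETAIL: An unsupported mechanism was requested: Unknown error
Nov 1 10:39:31 infra1 postgres[25587]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:39:31 infra1 postgres[25587]: [7-2] DETAIL: Unspecified GSS failure. Minor code may provide more information:
Nov 1 10:44:32 infra1 postgres[25778]: [7-1] FATAL: accepting GSS security context failed
Nov 1 10:44:32 infra1 postgres[25778]: [7-2] DETAIL: Unspecified GSS failure. Minor code may provide more information:
"""

# syslog prefix, then PostgreSQL's "[statement-part] LEVEL: message"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+ (?P<time>[\d:]{8}) \S+ postgres\[(?P<pid>\d+)\]: "
    r"\[(?P<seq>\d+)-(?P<part>\d+)\] (?P<level>[A-Z]+):\s*(?P<msg>.*)$"
)

def parse_events(text):
    """Join each FATAL line with the DETAIL line of the same backend (PID)."""
    events, by_key = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a PostgreSQL syslog record
        key = (m["pid"], m["seq"])
        if m["level"] == "FATAL":
            by_key[key] = {"time": m["time"], "pid": int(m["pid"]),
                           "fatal": m["msg"], "detail": None}
            events.append(by_key[key])
        elif m["level"] == "DETAIL" and key in by_key:
            by_key[key]["detail"] = m["msg"]
    return events

def first_seen(events):
    """Map each distinct (FATAL text, DETAIL text) pair to its first timestamp."""
    seen = {}
    for ev in events:
        seen.setdefault((ev["fatal"], ev["detail"]), ev["time"])
    return seen

if __name__ == "__main__":
    for (fatal, detail), when in first_seen(parse_events(SAMPLE_LOG)).items():
        print(when, "|", fatal, "|", detail or "-")
```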
