From: | Christian Ullrich <chris(at)chrullrich(dot)net> |
---|---|
To: | pgsql-general(at)postgresql(dot)org |
Subject: | Re: GSSAPI server side on Linux, SSPI client side on Windows |
Date: | 2013-11-05 19:04:00 |
Message-ID: | 52794120.1000005@chrullrich.net |
Lists: | pgsql-general |
* Francisco Figueiredo Jr. wrote:
> On Tue, Nov 5, 2013 at 2:35 PM, Christian Ullrich <chris(at)chrullrich(dot)net> wrote:
>
> * Stephen Frost wrote:
>
> * Brian Crowell (brian(at)fluggo(dot)com) wrote:
>
> However, the eventual goal was to connect to this same server from a
> .NET app running on Windows, and here I've run into a snag. The Npgsql
> library does not support GSSAPI—it only supports SSPI, which is
> nearly-but-not-enough-like the same thing to count in this situation,
>
>
> Uhhh, why not?
>
>
> Because the server on Linux sends AUTH_REQ_GSS, which Npgsql does
> not recognize.
>
> I tried to fix it using the reverse of the one-line fix that worked
> in both JDBC and libpq. There, the problem was that they only
> supported GSSAPI and had no clue about SSPI (except libpq on
> Windows). The fix was to basically declare GSSAPI and SSPI to be the
> same. It didn't work.
>
> In Npgsql's case, the problem is the other way around -- it only
> knows SSPI. While making GSSAPI the same as SSPI should work in
> principle, there must be some difference somewhere.
>
>
>
> Did you make your changes in the NpgsqlState.cs file?

Yes.

> Also, while checking this part of the code, it seems Npgsql isn't
> handling the AuthenticationGSS message. It is only handling
> AuthenticationGSSContinue messages.
>
> I think you could try adding the AuthenticationGSS case to Npgsql
> and see if it can authenticate correctly. You could add a second
> switch case below the case
> AuthenticationRequestType.AuthenticationSSPI and see if Npgsql can
> also handle the GSS authentication correctly.

That is exactly what I did.

I remember from my work on libpq that there is a slight difference in
how it handles the two authentication types, but there it is just a flag
for whether to treat the user name case-sensitively or not. Here, I
control the case of the user part of the UPN, the claimed user name in
the startup packet, and the role name in the database, and I know they
are all identical. Therefore it should not matter for now whether Npgsql
has similar logic already. To make GSSAPI support production-ready, I
may have to add it, of course.
--
Christian
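
The message codes this thread revolves around, as an added example that is not part of the original email and is not Npgsql's code: a small Python decoder for the PostgreSQL Authentication ('R') message that routes AuthenticationGSS (7) and AuthenticationSSPI (9) to the same branch and fails loudly on any code it has no case for. The numeric codes are those of the PostgreSQL frontend/backend protocol; the function names and step labels are hypothetical.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK, AUTH_GSS, AUTH_GSS_CONTINUE, AUTH_SSPI = 0, 7, 8, 9


def parse_auth_request(buf: bytes):
    """Decode exactly one Authentication ('R') message into (code, payload)."""
    if len(buf) < 9:
        raise ValueError("truncated Authentication message")
    tag, length, code = struct.unpack("!cII", buf[:9])
    if tag != b"R":
        raise ValueError(f"not an Authentication message: {tag!r}")
    # The length field counts itself and the body, but not the tag byte.
    if length < 8 or length + 1 != len(buf):
        raise ValueError("length field does not match message size")
    return code, buf[9:]


def next_client_step(buf: bytes) -> str:
    """Map a server request to the client's next step (hypothetical labels)."""
    code, payload = parse_auth_request(buf)
    if code in (AUTH_GSS, AUTH_SSPI):
        # Both codes only open the negotiation and carry no token.
        if payload:
            raise ValueError("unexpected data in GSS/SSPI start request")
        return "start-negotiation"
    if code == AUTH_GSS_CONTINUE:
        # Carries the server's GSSAPI or SSPI token for the next round.
        return "continue-negotiation"
    if code == AUTH_OK:
        return "authenticated"
    # A client with no case for the code the server sent ends up here.
    raise NotImplementedError(f"unsupported authentication request {code}")


def build(code: int, payload: bytes = b"") -> bytes:
    """Construct a sample 'R' message (constructed input, not a capture)."""
    return b"R" + struct.pack("!II", 8 + len(payload), code) + payload
```
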