From: | "Francisco Figueiredo Jr(dot)" <francisco(at)npgsql(dot)org> |
---|---|
To: | Brian Crowell <brian(at)fluggo(dot)com> |
Cc: | PgSql General <pgsql-general(at)postgresql(dot)org>, Christian Ullrich <chris(at)chrullrich(dot)net> |
Subject: | Re: GSSAPI server side on Linux, SSPI client side on Windows |
Date: | 2013-11-12 11:45:28 |
Message-ID: | CACUQdMYVgq=xvCSDQ3vpKPCzHpVCoc5ZKTC_kJs6VbW_ua5n-A@mail.gmail.com |
Lists: | pgsql-general |
On 12/11/2013 03:37, "Brian Crowell" <brian(at)fluggo(dot)com> wrote:
>
> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian(at)fluggo(dot)com> wrote:
> > I think I'm getting closer though. I have psql on Windows successfully
> > authenticating, so I can't be too far off.
>
> Got it.
>
> The NpgsqlPasswordPacket class has a bug: a utility function it calls
> appends a null character to the data, which completely screws up
> GSSAPI. Now that I fixed that, I've got successful integrated
> authentication from Windows to PostgreSQL on Linux.
>
That's great!
We have made a lot of changes to those utility functions and now we have
methods which don't append that null char.
> However:
>
> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
> * Npgsql isn't sending the realm, and I've got PostgreSQL configured
> to expect it
>
> Otherwise, it's working. As far as I know, the changes necessary are:
>
> * Use hostname in the SPN instead of IP address
> * Use "kerberos" package in AcquireCredentialsHandle call instead of
> "negotiate"
> * Fix PGUtil.WriteBytes to not send the extra null (this method is
> only used by NpgsqlPasswordPacket, but this fix will most likely break
> other authentication methods)
> * As stated above, may need to specify username manually (UserName =
> "BCrowell(at)DOMAIN(dot)COM"); I want to fix this
>
> If I figure out the username issue, I'll submit a patch.
>
Excellent, Brian!
I'm looking forward to your patch.
Npgsql source can be found at github.com/npgsql/Npgsql
If you need any help to understand Npgsql, please let me know.
Unfortunately as I'm not the original developer of the sspi code, I may not
be very helpful on this specific issue, but I can help you out regarding
other parts of Npgsql code.
> Also, in my case, it doesn't seem to matter for the SPN whether the
> service name is "postgres" or "POSTGRES." I've got PostgreSQL set to
> "postgres", and Npgsql is specifying "POSTGRES", but I also at some
> point configured two sets of SPNs on the domain for uppercase and
> lowercase, so I don't know if that's a mitigating factor.
>
It would be awesome if you could write a little guide about how to
configure PostgreSQL to work with sspi authentication from Windows.
I could add it to our Npgsql user manual...
Thank you all for having a look at those Npgsql authentication issues.
> —Brian
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
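
Added example, not part of the original messages and not Npgsql code: in the PostgreSQL frontend protocol both PasswordMessage and GSSResponse use type byte 'p', but the first carries a NUL-terminated string and the second a raw token, so a token written through a string helper reaches the server one byte too long. All function names and the sample token are constructed for illustration, and the 0x60/DER length check assumes an initial GSSAPI token as framed by RFC 2743.

```python
import struct

def frame(msg_type: bytes, payload: bytes) -> bytes:
    # Frontend message: type byte, Int32 length (counts itself, not the type byte), payload.
    return msg_type + struct.pack("!I", len(payload) + 4) + payload

def password_message(password: str) -> bytes:
    # PasswordMessage: the payload is a NUL-terminated string.
    return frame(b"p", password.encode("utf-8") + b"\x00")

def gss_response(token: bytes) -> bytes:
    # GSSResponse: the payload is the raw token, with no terminator.
    return frame(b"p", token)

def payload_of(message: bytes) -> bytes:
    # What the server hands to its GSSAPI library: exactly the framed bytes.
    if len(message) < 5 or message[:1] != b"p":
        raise ValueError("not a 'p' message")
    (length,) = struct.unpack("!I", message[1:5])
    if length < 4 or len(message) != length + 1:
        raise ValueError("length field does not match message size")
    return message[5:]

def surplus_after_gss_token(buf: bytes) -> int:
    # Initial GSSAPI tokens (RFC 2743) start with 0x60 and a DER length;
    # return how many bytes follow the end of that declared length.
    if len(buf) < 2 or buf[0] != 0x60:
        raise ValueError("not an initial GSSAPI token")
    if buf[1] < 0x80:
        header, length = 2, buf[1]
    else:
        n = buf[1] & 0x7F
        header, length = 2 + n, int.from_bytes(buf[2:2 + n], "big")
    return len(buf) - (header + length)

# Constructed stand-in for an SSPI token: 0x60, DER length 6, six filler bytes.
TOKEN = bytes([0x60, 0x06]) + b"\xaa" * 6

def buggy_gss_response(token: bytes) -> bytes:
    # Hypothetical model of the bug: the token is written with the string helper.
    return frame(b"p", token + b"\x00")

if __name__ == "__main__":
    for name, wire in (("fixed", gss_response(TOKEN)), ("buggy", buggy_gss_response(TOKEN))):
        seen = payload_of(wire)
        print(name, wire.hex(), "surplus bytes:", surplus_after_gss_token(seen))
```

The same surplus check can be run on the payload of a captured 'p' message when integrated authentication fails without an obvious cause.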