Re: GSSAPI server side on Linux, SSPI client side on Windows

From: "Francisco Figueiredo Jr(dot)" <francisco(at)npgsql(dot)org>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: PgSql General <pgsql-general(at)postgresql(dot)org>, Christian Ullrich <chris(at)chrullrich(dot)net>
Subject: Re: GSSAPI server side on Linux, SSPI client side on Windows
Date: 2013-11-12 11:45:28
Message-ID: CACUQdMYVgq=xvCSDQ3vpKPCzHpVCoc5ZKTC_kJs6VbW_ua5n-A@mail.gmail.com
Lists: pgsql-general

On 12/11/2013 03:37, "Brian Crowell" <brian(at)fluggo(dot)com> wrote:
>
> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian(at)fluggo(dot)com> wrote:
> > I think I'm getting closer though. I have psql on Windows successfully
> > authenticating, so I can't be too far off.
>
> Got it.
>
> The NpgsqlPasswordPacket class has a bug: a utility function it calls
> appends a null character to the data, which completely screws up
> GSSAPI. Now that I fixed that, I've got successful integrated
> authentication from Windows to PostgreSQL on Linux.
>

That's great!

We have made a lot of changes to those utility functions and now we have
methods which don't append that null char.

> However:
>
> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
> * Npgsql isn't sending the realm, and I've got PostgreSQL configured
> to expect it
>
> Otherwise, it's working. As far as I know, the changes necessary are:
>
> * Use hostname in the SPN instead of IP address
> * Use "kerberos" package in AcquireCredentialsHandle call instead of
> "negotiate"
> * Fix PGUtil.WriteBytes to not send the extra null (this method is
> only used by NpgsqlPasswordPacket, but this fix will most likely break
> other authentication methods)
> * As stated above, may need to specify username manually (UserName =
> "BCrowell(at)DOMAIN(dot)COM"); I want to fix this
>
> If I figure out the username issue, I'll submit a patch.
>

Excellent, Brian!

I'm looking forward to your patch.
Npgsql source can be found at github.com/npgsql/Npgsql

If you need any help to understand Npgsql, please let me know.
Unfortunately as I'm not the original developer of the sspi code, I may not
be very helpful on this specific issue, but I can help you out regarding
other parts of Npgsql code.

> Also, in my case, it doesn't seem to matter for the SPN whether the
> service name is "postgres" or "POSTGRES." I've got PostgreSQL set to
> "postgres", and Npgsql is specifying "POSTGRES", but I also at some
> point configured two sets of SPNs on the domain for uppercase and
> lowercase, so I don't know if that's a mitigating factor.
>

It would be awesome if you could write a little guide about how to
configure PostgreSQL to work with sspi authentication from Windows.
I could add it to our Npgsql user manual...

Thank you all for having a look at those Npgsql authentication issues.

> —Brian
>
>
> --
> Sent via pgsql-general mailing list (pgsql-general(at)postgresql(dot)org)
> To make changes to your subscription:
> http://www.postgresql.org/mailpref/pgsql-general
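
The framing issue discussed in this message, shown as an added example that is not part of the original e-mail and is not Npgsql code: in the PostgreSQL v3 wire protocol the same 'p' message type carries either a null-terminated password string or a raw GSSAPI/SSPI token, so a shared helper that appends a null changes the token the server receives. The function names and the sample token are constructed for illustration, and the length check applies only to an initial GSSAPI context token (RFC 2743 framing).

```python
import struct

def password_message(password: str) -> bytes:
    """PasswordMessage: 'p', Int32 length, then a null-terminated string."""
    body = password.encode("utf-8") + b"\x00"
    return b"p" + struct.pack("!I", len(body) + 4) + body

def gss_response(token: bytes, append_null: bool = False) -> bytes:
    """GSSResponse: 'p', Int32 length, then the raw token bytes, no terminator.
    append_null=True reproduces the extra null described in the thread."""
    body = token + (b"\x00" if append_null else b"")
    return b"p" + struct.pack("!I", len(body) + 4) + body

def parse_p_payload(frame: bytes) -> bytes:
    """Return the payload as a receiver reads it: length - 4 bytes after the header."""
    if len(frame) < 5 or frame[:1] != b"p":
        raise ValueError("not a 'p' message")
    (length,) = struct.unpack("!I", frame[1:5])
    if length < 4 or len(frame) != 1 + length:
        raise ValueError("length field does not match frame size")
    return frame[5:]

# Constructed stand-in for an initial GSSAPI token: 0x60 tag, DER length,
# then a mechanism OID (1.2.3.4.5, not a real mechanism) and no inner token.
SAMPLE_TOKEN = bytes([0x60, 0x06, 0x06, 0x04, 0x2A, 0x03, 0x04, 0x05])

def gss_token_length_ok(token: bytes) -> bool:
    """True if the DER length after the 0x60 tag covers exactly the rest of the token."""
    if len(token) < 2 or token[0] != 0x60:
        return False
    first = token[1]
    if first < 0x80:                      # short-form length
        declared, header = first, 2
    else:                                 # long-form: low 7 bits give the byte count
        n = first & 0x7F
        if n == 0 or len(token) < 2 + n:
            return False
        declared, header = int.from_bytes(token[2:2 + n], "big"), 2 + n
    return declared == len(token) - header

if __name__ == "__main__":
    for label, frame in (("clean", gss_response(SAMPLE_TOKEN)),
                         ("extra null", gss_response(SAMPLE_TOKEN, append_null=True))):
        received = parse_p_payload(frame)
        print(label, received.hex(), "length ok:", gss_token_length_ok(received))
```

Because the token is length-delimited rather than terminated, the receiver has no way to tell the stray byte from token data; the fix has to be on the sending side, as the thread concludes.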
