Skip site navigation (1) Skip section navigation (2)

Re: GSSAPI Authentication Problem

From: John Slattery <johntslattery(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: GSSAPI Authentication Problem
Date: 2012-08-03 19:55:58
Message-ID: (view raw or whole thread)
Lists: pgsql-odbc
On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> At your suggestion, I opened the ODBC data source administrator in
>> Windows XP and attempted to create a user DSN using all of the default
>> values and providing 'Database', 'Server', and 'User Name'. In this
>> case 'User Name' was the Active Directory user name. When I pressed
>> the 'Test' button, I received the same exception I noted in my initial
>> post. I repeated the test with logging turned on. Nothing seems to
>> have been recorded about the failed test. The log file is attached.
> No, you should be using the PG username of the user in PG that you want
> to connect as in the ODBC driver, not the AD username.
> Specifics would help here, I think.  For example-
> If the AD user is "joe(at)REALM(dot)COM", one PG user is "joe", and the user
> that you want to actually log into the database as is "smith", then you
> need this:
> pg_ident mapping joe(at)REALM(dot)COM (or just "joe" if you're having PG strip
> the realm) to "smith".
> Log into Windows as "joe(at)REALM(dot)COM".
> Use "smith" in the "User Name" field in the ODBC manager
>> Could it be that when the only means of authentication enabled in
>> pg_hba.conf is gss that having anything in 'User Name' is a problem?
> No.
> If you can provide actual specifics regarding the above, and excerpts
> from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
> client-side logs, I think that would go a long way to figuring this out.
>         Thanks,
>                 Stephen


First, I must apologize. I proofed that post several times but missed
that I indicated it was the AD name when in fact I had used the PG

Following is the information you suggested reporting. The test is with
'User Name' = 'john'. I used a system DSN generated with the ODBC data
source administrator. Before I set 'User Name' = 'john', I
successfully tested the DSN with user csmprovver whose AD and PG names
are identical with 'User Name' = ''.


The AD user is jslatter(at)SOMEREALM(dot)ORG and the PG user is john.


host    all         all       md5
host    all         john        gss       map=gssapi
host    csmprovver  csmprovver      gss
host    all         all        gss


gssapi        jslatter           john

*exception generated*

Run-time error '-2147217843 (80040e4d)':
Service negotiation failed;
The specified target is unknown or unreachable in


012-08-03 14:09:42 CDT FATAL:  GSSAPI authentication failed for user "john"

*client logs*

mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
not seem to have been produced.

Thanks for your help.


Attachment: mylog_1116.log
Description: application/octet-stream (6.3 KB)
Attachment: psqlodbc_1116.log
Description: application/octet-stream (2.3 KB)

In response to


pgsql-odbc by date

Next:From: Stephen FrostDate: 2012-08-03 21:41:24
Subject: Re: GSSAPI Authentication Problem
Previous:From: Stephen FrostDate: 2012-08-03 16:54:28
Subject: Re: GSSAPI Authentication Problem

Privacy Policy | About PostgreSQL
Copyright © 1996-2015 The PostgreSQL Global Development Group