Re: GSSAPI Authentication Problem

On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
>
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> At your suggestion, I opened the ODBC data source administrator in
>> Windows XP and attempted to create a user DSN using all of the default
>> values and providing 'Database', 'Server', and 'User Name'. In this
>> case 'User Name' was the Active Directory user name. When I pressed
>> the 'Test' button, I received the same exception I noted in my initial
>> post. I repeated the test with logging turned on. Nothing seems to
>> have been recorded about the failed test. The log file is attached.
>
> No, you should be using the PG username of the user in PG that you want
> to connect as in the ODBC driver, not the AD username.
>
> Specifics would help here, I think. For example-
>
> If the AD user is "joe(at)REALM(dot)COM", one PG user is "joe", and the user
> that you want to actually log into the database as is "smith", then you
> need this:
>
> pg_ident mapping joe(at)REALM(dot)COM (or just "joe" if you're having PG strip
> the realm) to "smith".
>
> Log into Windows as "joe(at)REALM(dot)COM".
>
> Use "smith" in the "User Name" field in the ODBC manager
>
>> Could it be that when the only means of authentication enabled in
>> pg_hba.conf is gss that having anything in 'User Name' is a problem?
>
> No.
>
> If you can provide actual specifics regarding the above, and excerpts
> from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
> client-side logs, I think that would go a long way to figuring this out.
>
> Thanks,
>
> Stephen

Stephen,

First, I must apologize. I proofed that post several times but missed
that I indicated it was the AD name when in fact I had used the PG
name.

Following is the information you suggested reporting. The test is with
'User Name' = 'john'. I used a system DSN generated with the ODBC data
source administrator. Before I set 'User Name' = 'john', I
successfully tested the DSN with user csmprovver whose AD and PG names
are identical with 'User Name' = ''.

*users*

The AD user is jslatter(at)SOMEREALM(dot)ORG and the PG user is john.

*pg_hba.conf*

# TYPE DATABASE USER CIDR-ADDRESS METHOD
host all all 10.29.136.81/32 md5
host all john 10.29.136.0/21 gss map=gssapi
host csmprovver csmprovver 74.203.196.84/32 gss
host all all 10.29.136.0/21 gss

*pg_ident.conf*

# MAPNAME SYSTEM-USERNAME PG-USERNAME
gssapi jslatter john

*exception generated*

Run-time error '-2147217843 (80040e4d)':
Service negotiation failed;
The specified target is unknown or unreachable in
DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh

*pg_log*

012-08-03 14:09:42 CDT FATAL: GSSAPI authentication failed for user "john"

*client logs*

mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
not seem to have been produced.

Thanks for your help.

John