
Re: GSSAPI Authentication Problem

From: John Slattery <johntslattery(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: GSSAPI Authentication Problem
Date: 2012-08-03 19:55:58
Message-ID: CA+hybRUoqKK_ZZ4HGsE1R1OjVbzw4UUVXO7-cW9JM1gjZ=oQLw@mail.gmail.com
Lists: pgsql-odbc
On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
>
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> At your suggestion, I opened the ODBC data source administrator in
>> Windows XP and attempted to create a user DSN using all of the default
>> values and providing 'Database', 'Server', and 'User Name'. In this
>> case 'User Name' was the Active Directory user name. When I pressed
>> the 'Test' button, I received the same exception I noted in my initial
>> post. I repeated the test with logging turned on. Nothing seems to
>> have been recorded about the failed test. The log file is attached.
>
> No, you should be using the PG username of the user in PG that you want
> to connect as in the ODBC driver, not the AD username.
>
> Specifics would help here, I think.  For example-
>
> If the AD user is "joe(at)REALM(dot)COM", one PG user is "joe", and the user
> that you want to actually log into the database as is "smith", then you
> need this:
>
> pg_ident mapping joe(at)REALM(dot)COM (or just "joe" if you're having PG strip
> the realm) to "smith".
>
> Log into Windows as "joe(at)REALM(dot)COM".
>
> Use "smith" in the "User Name" field in the ODBC manager
>
>> Could it be that when the only means of authentication enabled in
>> pg_hba.conf is gss that having anything in 'User Name' is a problem?
>
> No.
>
> If you can provide actual specifics regarding the above, and excerpts
> from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
> client-side logs, I think that would go a long way to figuring this out.
>
>         Thanks,
>
>                 Stephen

Stephen,

First, I must apologize. I proofed that post several times but missed
that I indicated it was the AD name when in fact I had used the PG
name.

Following is the information you suggested reporting. The test is with
'User Name' = 'john'. I used a system DSN generated with the ODBC data
source administrator. Before I set 'User Name' = 'john', I
successfully tested the DSN with user csmprovver whose AD and PG names
are identical with 'User Name' = ''.

*users*

The AD user is jslatter(at)SOMEREALM(dot)ORG and the PG user is john.

*pg_hba.conf*

# TYPE  DATABASE    USER        CIDR-ADDRESS          METHOD
host    all         all         10.29.136.81/32       md5
host    all         john        10.29.136.0/21        gss       map=gssapi
host    csmprovver  csmprovver  74.203.196.84/32      gss
host    all         all         10.29.136.0/21        gss

*pg_ident.conf*

# MAPNAME     SYSTEM-USERNAME    PG-USERNAME
gssapi        jslatter           john

*exception generated*

Run-time error '-2147217843 (80040e4d)':
Service negotiation failed;
The specified target is unknown or unreachable in
DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh

*pg_log*

2012-08-03 14:09:42 CDT FATAL:  GSSAPI authentication failed for user "john"

*client logs*

mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
not seem to have been produced.

Thanks for your help.

John

Attachment: psqlodbc_1116.log
Description: application/octet-stream (2.3 KB)
Attachment: mylog_1116.log
Description: application/octet-stream (6.3 KB)
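As an added example (not part of this thread, and not PostgreSQL's own code), the following Python model walks a GSSAPI login through the pg_hba.conf and pg_ident.conf posted above the way the server does: the first pg_hba.conf line whose database, user and CIDR fields match is the one that decides the method, the Kerberos principal has its realm stripped unless the line carries include_realm=1 (the 9.x default of 0 is assumed here), krb_realm rejects a principal from another realm, and with a map= option the stripped system name must be listed against the requested role in pg_ident.conf. Only "host" lines are modelled; the client addresses, database name and principals used in the usage section are assumptions chosen to exercise each line of the posted configuration.

```python
import ipaddress
import re

# pg_hba.conf and pg_ident.conf as posted in the thread, header comments removed.
PG_HBA = """
host    all         all         10.29.136.81/32       md5
host    all         john        10.29.136.0/21        gss       map=gssapi
host    csmprovver  csmprovver  74.203.196.84/32      gss
host    all         all         10.29.136.0/21        gss
"""

PG_IDENT = """
gssapi        jslatter           john
"""


def parse_hba(text):
    """Return pg_hba.conf 'host' entries; fields after METHOD are key=value options."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        conn_type, database, user, address, method = fields[:5]
        options = dict(opt.split("=", 1) for opt in fields[5:])
        entries.append({"type": conn_type, "database": database, "user": user,
                        "address": ipaddress.ip_network(address),
                        "method": method, "options": options})
    return entries


def parse_ident(text):
    """Return {MAPNAME: [(SYSTEM-USERNAME, PG-USERNAME), ...]}."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mapname, sysname, pgname = line.split()
        maps.setdefault(mapname, []).append((sysname, pgname))
    return maps


def match_hba(entries, database, role, client_ip):
    """First matching line wins, as in the server's top-to-bottom scan."""
    ip = ipaddress.ip_address(client_ip)
    for e in entries:
        if e["database"] not in ("all", database):
            continue
        if e["user"] not in ("all", role):
            continue
        if ip not in e["address"]:
            continue
        return e
    return None


def ident_allows(maps, mapname, system_user, role):
    """True if the named map lists system_user -> role.
    A SYSTEM-USERNAME beginning with '/' is a regex; its first group, if any,
    replaces \\1 in PG-USERNAME."""
    for sysname, pgname in maps.get(mapname, []):
        if sysname.startswith("/"):
            m = re.match(sysname[1:], system_user)
            if not m:
                continue
            target = pgname.replace("\\1", m.group(1)) if m.groups() else pgname
            if target == role:
                return True
        elif sysname == system_user and pgname == role:
            return True
    return False


def gss_login_allowed(hba_text, ident_text, principal, database, role, client_ip):
    """Decide whether `principal` may connect to `database` as `role` from `client_ip`."""
    entry = match_hba(parse_hba(hba_text), database, role, client_ip)
    if entry is None:
        return (False, "no matching pg_hba.conf line")
    if entry["method"] != "gss":
        return (False, f"matched a {entry['method']} line, so GSSAPI is never attempted")
    opts = entry["options"]
    name, _, realm = principal.partition("@")
    # Assumed 9.x behaviour: realm stripped unless include_realm=1; krb_realm filters realms.
    if "krb_realm" in opts and realm != opts["krb_realm"]:
        return (False, "principal realm does not match krb_realm")
    system_user = principal if opts.get("include_realm") == "1" else name
    if "map" not in opts:
        ok = system_user == role
        return (ok, f"no map: system user {system_user!r} must equal role {role!r}")
    ok = ident_allows(parse_ident(ident_text), opts["map"], system_user, role)
    return (ok, f"map {opts['map']!r}: {system_user!r} -> {role!r} "
                + ("allowed" if ok else "not listed"))


if __name__ == "__main__":
    # Assumed client addresses and database name, chosen to hit each posted line.
    for args in [("jslatter@SOMEREALM.ORG", "somedb", "john", "10.29.137.5"),
                 ("jslatter@SOMEREALM.ORG", "somedb", "john", "10.29.136.81"),
                 ("csmprovver@SOMEREALM.ORG", "csmprovver", "csmprovver", "74.203.196.84"),
                 ("jslatter@SOMEREALM.ORG", "somedb", "jslatter", "10.29.137.5")]:
        print(args, "->", gss_login_allowed(PG_HBA, PG_IDENT, *args))
```

The model makes the two things worth checking on a real server explicit: which line of pg_hba.conf actually fires for the client address in use (a line earlier in the file with a different method silently wins), and what system name the server hands to the map after realm handling, which is what the "GSSAPI authentication failed" FATAL in the server log reflects when the map has no matching row.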


Copyright © 1996-2014 The PostgreSQL Global Development Group