Re: GSSAPI Authentication Problem

On Fri, Aug 3, 2012 at 8:51 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
>
> The ODBC driver can be configured through the ODBC manager and you can
> provide the username that you want to log in as there. The ODBC
> driver (and the libpq underneath) should still be able to use your
> AD/GSSAPI credentials to authenticate.
>
> Thanks,
>
> Stephen
>
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> Hi,
>>
>> I would like to report what seems like a problem with the driver. It
>> doesn't seem possible to override the default user name for
>> authentication by GSSAPI. I'm using a map in pg_ident.conf since my
>> Active Directory user name isn't the same as my Postgresql user name.
>> pgAdmin III and psql allow for this, the former by setting Username in
>> the GUI to my Postgresql user name and the latter by specifying the -U
>> option. I tried setting UID in the connection string I am using to my
>> Postgresql user name but that caused the driver to return the
>> following exception:
>>
>> Run-time error '-2147217843 (800040e4d)':
>> Service negotiation failed;
>> The specified target is unknown or unreachable in
>> DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandSh
>>
>> The connection string that produces this exception is:
>>
>> DRIVER={PostgreSQL
>> ANSI};DATABASE=db;SERVER=postgresql.my-company.org
>> ;PORT=5432;UID=john;PWD=;SSLmode=disable;ReadOnly=0;Protocol=7.4-1;FakeOidIndex=0;ShowOidColumn=0;RowVersioning=0;ShowSystemTables=0;ConnSettings=;Fetch=100;Socket=4096;UnknownSizes=0;MaxVarcharSize=255;MaxLongVarcharSize=8190;Debug=0;CommLog=0;Optimizer=0;Ksqo=1;UseDeclareFetch=0;TextAsLongVarchar=1;UnknownsAsLongVarchar=0;BoolsAsChar=0;Parse=0;CancelAsFreeStmt=0;ExtraSysTablePrefixes=dd_;;LFConversion=1;UpdatableCursors=1;DisallowPremature=0;TrueIsMinus1=0;BI=0;ByteaAsLongVarBinary=0;UseServerSidePrepare=0;LowerCaseIdentifier=0;GssAuthUseGSS=0;XaOpt=1
>>
>> I'm using it in a Visual Basic 6 project.
>>
>> The version of the driver is 9.1.1.0. The database version is 8.4 from
>> Debian 6. Please find mylog_408.log attached.
>>
>> Thank you for taking a look at this.
>>
>> John
>
>
>>
>> --
>> Sent via pgsql-odbc mailing list (pgsql-odbc(at)postgresql(dot)org)
>> To make changes to your subscription:
>> http://www.postgresql.org/mailpref/pgsql-odbc
>

Stephen,

At your suggestion, I opened the ODBC data source administrator in
Windows XP and attempted to create a user DSN using all of the default
values and providing 'Database', 'Server', and 'User Name'. In this
case 'User Name' was the Active Directory user name. When I pressed
the 'Test' button, I received the same exception I noted in my initial
post. I repeated the test with logging turned on. Nothing seems to
have been recorded about the failed test. The log file is attached.

If I log into the same machine as a user without a mapping in
pg_ident.conf and leave 'User Name' empty, the test is successful. If
I include the user name, which in this case is the same for Active
Directory and Postgresql, I see the same exception.

Could it be that when the only means of authentication enabled in
pg_hba.conf is gss that having anything in 'User Name' is a problem?

John