Re: GSSAPI Authentication Problem

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: John Slattery <johntslattery(at)gmail(dot)com>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: GSSAPI Authentication Problem
Date: 2012-08-03 21:45:10
Message-ID: 20120803214510.GK1267@tamriel.snowman.net
Lists: pgsql-odbc

John,

As these are two different users... Did you have to set any of the PG
environment variables for libpq? If so, are you sure that you set
them for both users..?

The main one being PGKRBSRVNAME which you might have set to 'postgres'
(the default is 'POSTGRES' on Windows systems..).

Thanks,

Stephen

* John Slattery (johntslattery(at)gmail(dot)com) wrote:
> On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > John,
> >
> > * John Slattery (johntslattery(at)gmail(dot)com) wrote:
> >> At your suggestion, I opened the ODBC data source administrator in
> >> Windows XP and attempted to create a user DSN using all of the default
> >> values and providing 'Database', 'Server', and 'User Name'. In this
> >> case 'User Name' was the Active Directory user name. When I pressed
> >> the 'Test' button, I received the same exception I noted in my initial
> >> post. I repeated the test with logging turned on. Nothing seems to
> >> have been recorded about the failed test. The log file is attached.
> >
> > No, you should be using the PG username of the user in PG that you want
> > to connect as in the ODBC driver, not the AD username.
> >
> > Specifics would help here, I think. For example-
> >
> > If the AD user is "joe(at)REALM(dot)COM", one PG user is "joe", and the user
> > that you want to actually log into the database as is "smith", then you
> > need this:
> >
> > pg_ident mapping joe(at)REALM(dot)COM (or just "joe" if you're having PG strip
> > the realm) to "smith".
> >
> > Log into Windows as "joe(at)REALM(dot)COM".
> >
> > Use "smith" in the "User Name" field in the ODBC manager
> >
> >> Could it be that when the only means of authentication enabled in
> >> pg_hba.conf is gss that having anything in 'User Name' is a problem?
> >
> > No.
> >
> > If you can provide actual specifics regarding the above, and excerpts
> > from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
> > client-side logs, I think that would go a long way to figuring this out.
> >
> > Thanks,
> >
> > Stephen
>
> Stephen,
>
> First, I must apologize. I proofed that post several times but missed
> that I indicated it was the AD name when in fact I had used the PG
> name.
>
> Following is the information you suggested reporting. The test is with
> 'User Name' = 'john'. I used a system DSN generated with the ODBC data
> source administrator. Before I set 'User Name' = 'john', I
> successfully tested the DSN with user csmprovver whose AD and PG names
> are identical with 'User Name' = ''.
>
> *users*
>
> The AD user is jslatter(at)SOMEREALM(dot)ORG and the PG user is john.
>
> *pg_hba.conf*
>
> # TYPE  DATABASE    USER        CIDR-ADDRESS      METHOD
> host    all         all         10.29.136.81/32   md5
> host    all         john        10.29.136.0/21    gss map=gssapi
> host    csmprovver  csmprovver  74.203.196.84/32  gss
> host    all         all         10.29.136.0/21    gss
>
> *pg_ident.conf*
>
> # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
> gssapi     jslatter         john
>
> *exception generated*
>
> Run-time error '-2147217843 (80040e4d)':
> Service negotiation failed;
> The specified target is unknown or unreachable in
> DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh
>
> *pg_log*
>
> 012-08-03 14:09:42 CDT FATAL: GSSAPI authentication failed for user "john"
>
> *client logs*
>
> mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
> not seem to have been produced.
>
> Thanks for your help.
>
> John
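
The pg_hba.conf and pg_ident.conf excerpts quoted above, run through a simplified model of first-match rule selection and user-name mapping. This is an added example, not part of the original message and not PostgreSQL's own code. It assumes the realm is stripped before mapping (include_realm=0), handles only plain `host` lines with literal names, and uses a constructed client address; the function names are hypothetical.

```python
import ipaddress

# Constructed from the pg_hba.conf / pg_ident.conf excerpts quoted in the thread.
PG_HBA = """\
host all        all        10.29.136.81/32  md5
host all        john       10.29.136.0/21   gss map=gssapi
host csmprovver csmprovver 74.203.196.84/32 gss
host all        all        10.29.136.0/21   gss
"""
PG_IDENT = "gssapi jslatter john\n"

def parse_hba(text):
    """Return host rules in file order; order matters because the first match wins."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] != "host":
            continue
        _, db, user, cidr, method = fields[:5]
        opts = dict(o.split("=", 1) for o in fields[5:])
        rules.append((db, user, ipaddress.ip_network(cidr), method, opts))
    return rules

def parse_ident(text):
    """Return the set of (map name, system user, PG user) triples."""
    rows = (l.split("#", 1)[0].split() for l in text.splitlines())
    return {tuple(r) for r in rows if len(r) == 3}

def select_rule(rules, database, pg_user, client_ip):
    """First rule whose database, user and address all match, else None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in rules:
        db, user, net, _, _ = rule
        if db in ("all", database) and user in ("all", pg_user) and addr in net:
            return rule
    return None

def check(database, pg_user, client_ip, principal):
    """Return (method, allowed); allowed is None when the method is not gss."""
    rule = select_rule(parse_hba(PG_HBA), database, pg_user, client_ip)
    if rule is None:
        return (None, False)
    method, opts = rule[3], rule[4]
    if method != "gss":
        return (method, None)
    system_user = principal.split("@", 1)[0]  # assumption: include_realm=0
    if "map" not in opts:
        return (method, system_user == pg_user)  # no map: names must be equal
    return (method, (opts["map"], system_user, pg_user) in parse_ident(PG_IDENT))

if __name__ == "__main__":
    # 10.29.137.5 is a constructed client address inside 10.29.136.0/21.
    print(check("mydb", "john", "10.29.137.5", "jslatter@SOMEREALM.ORG"))
```

The model covers only rule selection and the name map; it says nothing about the Kerberos service name the client requests, which is what PGKRBSRVNAME controls.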
