Re: GSSAPI Authentication Problem

From: John Slattery <johntslattery(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: GSSAPI Authentication Problem
Date: 2012-08-06 14:59:38
Message-ID: CA+hybRVCSZ0g3PEPXHAzyhJW9d6Z9sAPF+uFQFqdfqqk6ngQDw@mail.gmail.com
Lists: pgsql-odbc

On Fri, Aug 3, 2012 at 4:45 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
>
> As these are two different users... Did you have to set any of the PG
> environment variables for libpq? If so, are you sure that you set
> them for both users..?
>
> The main one being PGKRBSRVNAME which you might have set to 'postgres'
> (the default is 'POSTGRES' on Windows systems..).
>
> Thanks,
>
> Stephen
>
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> > John,
>> >
>> > * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> >> At your suggestion, I opened the ODBC data source administrator in
>> >> Windows XP and attempted to create a user DSN using all of the default
>> >> values and providing 'Database', 'Server', and 'User Name'. In this
>> >> case 'User Name' was the Active Directory user name. When I pressed
>> >> the 'Test' button, I received the same exception I noted in my initial
>> >> post. I repeated the test with logging turned on. Nothing seems to
>> >> have been recorded about the failed test. The log file is attached.
>> >
>> > No, you should be using the PG username of the user in PG that you want
>> > to connect as in the ODBC driver, not the AD username.
>> >
>> > Specifics would help here, I think. For example-
>> >
>> > If the AD user is "joe(at)REALM(dot)COM", one PG user is "joe", and the user
>> > that you want to actually log into the database as is "smith", then you
>> > need this:
>> >
>> > pg_ident mapping joe(at)REALM(dot)COM (or just "joe" if you're having PG strip
>> > the realm) to "smith".
>> >
>> > Log into Windows as "joe(at)REALM(dot)COM".
>> >
>> > Use "smith" in the "User Name" field in the ODBC manager
>> >
>> >> Could it be that when the only means of authentication enabled in
>> >> pg_hba.conf is gss that having anything in 'User Name' is a problem?
>> >
>> > No.
>> >
>> > If you can provide actual specifics regarding the above, and excerpts
>> > from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
>> > client-side logs, I think that would go a long way to figuring this out.
>> >
>> > Thanks,
>> >
>> > Stephen
>>
>> Stephen,
>>
>> First, I must apologize. I proofed that post several times but missed
>> that I indicated it was the AD name when in fact I had used the PG
>> name.
>>
>> Following is the information you suggested reporting. The test is with
>> 'User Name' = 'john'. I used a system DSN generated with the ODBC data
>> source administrator. Before I set 'User Name' = 'john', I
>> successfully tested the DSN with user csmprovver whose AD and PG names
>> are identical with 'User Name' = ''.
>>
>> *users*
>>
>> The AD user is jslatter(at)SOMEREALM(dot)ORG and the PG user is john.
>>
>> *pg_hba.conf*
>>
>> # TYPE DATABASE USER CIDR-ADDRESS METHOD
>> host all all 10.29.136.81/32 md5
>> host all john 10.29.136.0/21 gss map=gssapi
>> host csmprovver csmprovver 74.203.196.84/32 gss
>> host all all 10.29.136.0/21 gss
>>
>> *pg_ident.conf*
>>
>> # MAPNAME SYSTEM-USERNAME PG-USERNAME
>> gssapi jslatter john
>>
>> *exception generated*
>>
>> Run-time error '-2147217843 (80040e4d)':
>> Service negotiation failed;
>> The specified target is unknown or unreachable in
>> DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh
>>
>> *pg_log*
>>
>> 012-08-03 14:09:42 CDT FATAL: GSSAPI authentication failed for user "john"
>>
>> *client logs*
>>
>> mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
>> not seem to have been produced.
>>
>> Thanks for your help.
>>
>> John
>
>
>

Stephen,

I have PGKRBSRVNAME=POSTGRESQL for both users. The name of the service
principal for PostgreSQL on the server is POSTGRESQL. I also have
PGGSSAPI=gssapi for both users. I'm not really sure the latter is
necessary, but haven't had the opportunity to investigate it yet.

John
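
The server-side mapping step that Stephen describes above (pg_hba.conf is first-match, `gss` with `map=` consults pg_ident.conf, `gss` without a map requires the principal and PG user to be identical), as an added example that is not part of this thread. It assumes the 9.x default `include_realm=0` (realm stripped before matching) and copies the pg_hba.conf and pg_ident.conf lines John quoted as constructed sample input; it also handles `/regex` map entries with `\1`, which the thread's map does not use. It models nothing on the client side, so the "target is unknown or unreachable" negotiation error and the PGKRBSRVNAME service-name question are outside its scope.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed copies of the pg_hba.conf and pg_ident.conf lines quoted in the thread.
PG_HBA = """\
host all all 10.29.136.81/32 md5
host all john 10.29.136.0/21 gss map=gssapi
host csmprovver csmprovver 74.203.196.84/32 gss
host all all 10.29.136.0/21 gss
"""
PG_IDENT = """\
gssapi jslatter john
"""

def ident_matches(ident_text, mapname, sysuser, pguser):
    """pg_ident semantics: literal match, or a '/regex' system-username with \\1 substituted."""
    for line in ident_text.splitlines():
        f = line.split()
        if len(f) < 3 or f[0].startswith("#") or f[0] != mapname:
            continue
        if f[1].startswith("/"):
            m = re.fullmatch(f[1][1:], sysuser)
            if m and (f[2].replace("\\1", m.group(1)) if m.groups() else f[2]) == pguser:
                return True
        elif f[1] == sysuser and f[2] == pguser:
            return True
    return False

def first_matching_rule(hba_text, database, pguser, client_ip):
    """pg_hba is first-match: return (method, options) of the first line covering this connection."""
    for line in hba_text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] != "host":
            continue
        _, db, user, cidr, method, *opts = f
        if (db in ("all", database) and user in ("all", pguser)
                and ip_address(client_ip) in ip_network(cidr, strict=False)):
            return method, dict(o.split("=", 1) for o in opts)
    return None

def gss_login_allowed(principal, pguser, database, client_ip, hba=PG_HBA, ident=PG_IDENT):
    """Server-side decision after GSSAPI has already authenticated `principal`."""
    rule = first_matching_rule(hba, database, pguser, client_ip)
    if rule is None or rule[0] != "gss":
        return False
    sysuser = principal.split("@", 1)[0]      # include_realm=0 (assumed default): realm is stripped
    opts = rule[1]
    if "map" in opts:                          # map=...: consult pg_ident.conf
        return ident_matches(ident, opts["map"], sysuser, pguser)
    return sysuser == pguser                   # no map: principal and PG user must be identical
```

Note that the same principal can reach a different rule depending on the requested PG user name: asking for "john" from the /21 hits the mapped line, while asking for "jslatter" falls through to the unmapped `gss` line and is accepted only because the names coincide.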
