Re: GSSAPI Authentication Problem

On Wed, Aug 8, 2012 at 8:22 AM, Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp> wrote:
> (2012/08/08 5:03), John Slattery wrote:
>>
>> On Tue, Aug 7, 2012 at 1:42 PM, Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp> wrote:
>>>
>>> (2012/08/07 23:13), John Slattery wrote:
>>>>
>>>>
>>>> On Tue, Aug 7, 2012 at 5:51 AM, Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp> wrote:
>>>>>
>>>>>
>>>>> (2012/08/07 1:02), John Slattery wrote:
>>>>>>
>>>>>>
>>>>>> On Sat, Aug 4, 2012 at 3:50 AM, Hiroshi Inoue <inoue(at)tpf(dot)co(dot)jp> wrote:
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Hi John,
>>>>>>>
>>>>>>> (2012/08/03 21:31), John Slattery wrote:
>>>>>>>>
>>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I would like to report what seems like a problem with the driver. It
>>>>>>>> doesn't seem possible to override the default user name for
>>>>>>>> authentication by GSSAPI. I'm using a map in pg_ident.conf since my
>>>>>>>> Active Directory user name isn't the same as my Postgresql user
>>>>>>>> name.
>>>>>>>> pgAdmin III and psql allow for this, the former by setting Username
>>>>>>>> in
>>>>>>>> the GUI to my Postgresql user name and the latter by specifying the
>>>>>>>> -U
>>>>>>>> option. I tried setting UID in the connection string I am using to
>>>>>>>> my
>>>>>>>> Postgresql user name but that caused the driver to return the
>>>>>>>> following exception:
>>>>>>>>
>>>>>>>> Run-time error '-2147217843 <tel:2147217843> (800040e4d)':
>>>>>>>>
>>>>>>>> Service negotiation failed;
>>>>>>>> The specified target is unknown or unreachable in
>>>>>>>> DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandSh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> How do you login to your Kerberos system?
>>>>>>>
>>>>>>> regards,
>>>>>>> Hiroshi Inoue
>>>>>>>
>>>>>> Hiroshi,
>>>>>>
>>>>>> I'm not sure I understand your question, but I'll take a shot at
>>>>>> answering it. The client is Windows XP, so I would say I'm using the
>>>>>> standard/default Windows GINA for Winlogon.
>>>>>
>>>>>
>>>>>
>>>>> OK I'd like to confirm SSPI is used.
>>>>> Could you try to set SSLMODE to 'allow' with the user name John?
>>>>>
>>>>> regards,
>>>>> Hiroshi Inoue
>>>>>
>>>>
>>>> Hiroshi,
>>>>
>>>> I set 'User Name' = 'john' and changed 'SSL Mode' from 'disable' to
>>>> 'allow'.
>>>>
>>>> It worked.
>>>>
>>>> And I'm baffled. Is there a reason it shouldn't work with 'SSL Mode' =
>>>> 'disable'? Would you explain?
>>>
>>>
>>>
>>> Though psqlodbc supports SSPI authentication by itself, it doesn't
>>> look at PGKRBSRVNAME environment variable as you pointed out.
>>> Could you please try the drivers on testing for 9.1.0101 at
>>> http://www.ne.jp/asahi/inocchichichi/entrance/psqlodbc/
>>> ?
>>>
>>> Though psqlodbc communicates with servers by itself, it uses libpq
>>> connections in some cases.
>>> Setting sslmode to other than 'disable' forces psqlodbc to use libpq
>>> connections.
>>> Setting user name to '' also forces psqlodbc to use libpq connections.
>>>
>>> regards,
>>> Hiroshi Inoue
>>
>>
>> A connection test with the 9.1.0101 testing 32bit drivers is
>> successful when 'User Name' = 'john' and 'SSL Mode' = 'allow'. When
>> 'User Name' = 'john' and 'SSL Mode' = 'disable', the connection test
>> responds with: Warning: GSS authentication not supported.
>>
>> Is there anything else I should try?
>
>
> OK I updated the drivers.
> PLease retry the drivers on testing for 9.1.0101 at
> http://www.ne.jp/asahi/inocchichichi/entrance/psqlodbc/
> .
>
> regards,
> Hiroshi Inoue

Connection tests with the ANSI and Unicode 8/8/2012 9.1.0101 testing
32bit drivers were successful on both

'User Name' = 'john' and 'SSL Mode' = 'allow'

and

'User Name' = 'john' and 'SSL Mode' = 'disable'

I also ran the same cases in my test application successfully.

I think you have it!

Thanks.

John