Skip site navigation (1) Skip section navigation (2)

Re: GSSAPI Authentication Problem

From: John Slattery <johntslattery(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-odbc(at)postgresql(dot)org
Subject: Re: GSSAPI Authentication Problem
Date: 2012-08-06 14:33:16
Message-ID: (view raw, whole thread or download thread mbox)
Lists: pgsql-odbc
On Fri, Aug 3, 2012 at 4:41 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> John,
> * John Slattery (johntslattery(at)gmail(dot)com) wrote:
>> Following is the information you suggested reporting. The test is with
>> 'User Name' = 'john'. I used a system DSN generated with the ODBC data
>> source administrator. Before I set 'User Name' = 'john', I
>> successfully tested the DSN with user csmprovver whose AD and PG names
>> are identical with 'User Name' = ''.
> After you have tried to connect, you might try running 'klist' on the
> Windows system and reviewing the tickets to see if you acquired a ticket
> for the postgres service.
> In general, this does look very similar to our setup (which works just
> fine).  I will say that we always use "include_realm=1" and then have
> the mapping include the realm, eg:
> pg_hba.conf:
> host    all         all             gss include_realm=1 map=krbmap
> pg_ident.conf:
> krbmap        /^[mM]12345(at)REALM\(dot)ORG$     sfrost
> In the end, however, it sounds like that's some kind of GSSAPI issue
> that's causing trouble (hence the gssapi auth complaint in the server
> log).  Is there any additional information around that error about what
> the GSSAPI error is?  Have you tried increasing the verbosity of the
> server messages to see if more information is provided?
>         Thanks,
>                 Stephen


'klist tickets' on the Windows XP client does not show a ticket for
the Postgresql service principal after failed attempts to
authenticate. It does show a ticket after a successful gssapi
authentication with psql.

I added 'include_realm=1' to pg_hba.conf and included the realm in
pg_ident.conf. Authentication by psqlODBC failed. Authentication with
psql was successful.

I increased the logging level on the server as far as it will go, I
believe, and don't see anything that suggests the source of the
authentication failure. The log entries from configuration reload to
authentication failure follow:

*pg_log with log_min_messages = debug5 and log_error_verbosity = verbose*

2012-08-06 08:41:01 CDT LOG:  08P01: incomplete startup packet
2012-08-06 08:41:01 CDT LOCATION:  ProcessStartupPacket, postmaster.c:1525
2012-08-06 08:41:01 CDT LOG:  00000: received SIGHUP, reloading
configuration files
2012-08-06 08:41:01 CDT LOCATION:  SIGHUP_handler, postmaster.c:2051
2012-08-06 08:41:13 CDT DEBUG:  00000: forked new backend, pid=16722 socket=10
2012-08-06 08:41:13 CDT LOCATION:  BackendStartup, postmaster.c:3108
2012-08-06 08:41:13 CDT FATAL:  28000: GSSAPI authentication failed
for user "john"
2012-08-06 08:41:13 CDT LOCATION:  auth_failed, auth.c:273
2012-08-06 08:41:13 CDT DEBUG:  00000: shmem_exit(1): 0 callbacks to make
2012-08-06 08:41:13 CDT LOCATION:  shmem_exit, ipc.c:211
2012-08-06 08:41:13 CDT DEBUG:  00000: proc_exit(1): 1 callbacks to make
2012-08-06 08:41:13 CDT LOCATION:  proc_exit_prepare, ipc.c:183
2012-08-06 08:41:13 CDT DEBUG:  00000: exit(1)
2012-08-06 08:41:13 CDT LOCATION:  proc_exit, ipc.c:135
2012-08-06 08:41:13 CDT DEBUG:  00000: shmem_exit(-1): 0 callbacks to make
2012-08-06 08:41:13 CDT LOCATION:  shmem_exit, ipc.c:211

Thank you for staying with me on this.


In response to

pgsql-odbc by date

Next:From: John SlatteryDate: 2012-08-06 14:59:38
Subject: Re: GSSAPI Authentication Problem
Previous:From: Hiroshi SaitoDate: 2012-08-05 06:57:49
Subject: Re: Problem with ODBC-Driver on a Windows 7/x 64

Privacy Policy | About PostgreSQL
Copyright © 1996-2017 The PostgreSQL Global Development Group