Re: GSSAPI server side on Linux, SSPI client side on Windows

* Stephen Frost wrote:

> * Christian Ullrich (chris@chrullrich.net) wrote:

>> I tried to fix it using the reverse of they one-line fix that worked
>> in both JDBC and libpq. There, the problem was that they only
>> supported GSSAPI and had no clue about SSPI (except libpq on
>> Windows). The fix was to basically declare GSSAPI and SSPI to be the
>> same. It didn't work.
>
> If Npgsql does the same as libpq-on-Windows, it should all work just
> fine..

Hence my suspicion that it doesn't. I did not have the time to compare
every function call yet.

>> In Npgsql's case, the problem is the other way around -- it only
>> knows SSPI. While making GSSAPI the same as SSPI should work in
>> principle, there must be some difference somewhere.
>
> Well, what happened after you hacked Npgsql?  It's possible there's a

Nov  1 10:21:44 infra1 postgres[24864]: [7-1] FATAL:  GSSAPI
authentication failed for user "chris"
Nov  1 10:25:27 infra1 postgres[25030]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:25:27 infra1 postgres[25030]: [7-2] DETAIL:  An unsupported
mechanism was requested: Unknown error
Nov  1 10:26:28 infra1 postgres[25079]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:26:28 infra1 postgres[25079]: [7-2] DETAIL:  An unsupported
mechanism was requested: Unknown error
Nov  1 10:30:41 infra1 postgres[25193]: [7-1] FATAL:  canceling
authentication due to timeout
Nov  1 10:31:50 infra1 postgres[25277]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:31:50 infra1 postgres[25277]: [7-2] DETAIL:  An unsupported
mechanism was requested: Unknown error
Nov  1 10:39:31 infra1 postgres[25587]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:39:31 infra1 postgres[25587]: [7-2] DETAIL:  Unspecified GSS
failure.  Minor code may provide more information:
Nov  1 10:44:32 infra1 postgres[25778]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:44:32 infra1 postgres[25778]: [7-2] DETAIL:  Unspecified GSS
failure.  Minor code may provide more information:
Nov  1 10:44:56 infra1 postgres[25789]: [7-1] FATAL:  accepting GSS
security context failed
Nov  1 10:44:56 infra1 postgres[25789]: [7-2] DETAIL:  Unspecified GSS
failure.  Minor code may provide more information:

At some point during that I changed the principal that Npgsql gets its
service ticket for from POSTGRES/<IP address> to POSTGRES/<host name>.
There is a comment in the source that it does not work with the host
name, with no more details, and I chose not to believe that. The result
did nothing to prove me right, though. I think it was where the errors
change from "accepting context failed" to "unspecified error", but I may
be wrong.

The GSSAPI error messages are of the usual helpful kind, even including
the colon that is followed by no detail.

I will spend more time on it once I have managed to keep my job this week.

--
Christian