Re: GSSAPI Authentication Problem
From | John Slattery |
---|---|
Subject | Re: GSSAPI Authentication Problem |
Date | |
Msg-id | CA+hybRVCSZ0g3PEPXHAzyhJW9d6Z9sAPF+uFQFqdfqqk6ngQDw@mail.gmail.com |
In reply to | Re: GSSAPI Authentication Problem (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-odbc |
On Fri, Aug 3, 2012 at 4:45 PM, Stephen Frost <sfrost@snowman.net> wrote:
> John,
>
> As these are two different users... Did you have to set any of the PG
> environment variables for libpq? If so, are you sure that you set
> them for both users..?
>
> The main one being PGKRBSRVNAME which you might have set to 'postgres'
> (the default is 'POSTGRES' on Windows systems..).
>
> Thanks,
>
> Stephen
>
> * John Slattery (johntslattery@gmail.com) wrote:
>> On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost@snowman.net> wrote:
>> > John,
>> >
>> > * John Slattery (johntslattery@gmail.com) wrote:
>> >> At your suggestion, I opened the ODBC data source administrator in
>> >> Windows XP and attempted to create a user DSN using all of the default
>> >> values and providing 'Database', 'Server', and 'User Name'. In this
>> >> case 'User Name' was the Active Directory user name. When I pressed
>> >> the 'Test' button, I received the same exception I noted in my initial
>> >> post. I repeated the test with logging turned on. Nothing seems to
>> >> have been recorded about the failed test. The log file is attached.
>> >
>> > No, you should be using the PG username of the user in PG that you want
>> > to connect as in the ODBC driver, not the AD username.
>> >
>> > Specifics would help here, I think. For example-
>> >
>> > If the AD user is "joe@REALM.COM", one PG user is "joe", and the user
>> > that you want to actually log into the database as is "smith", then you
>> > need this:
>> >
>> > pg_ident mapping joe@REALM.COM (or just "joe" if you're having PG strip
>> > the realm) to "smith".
>> >
>> > Log into Windows as "joe@REALM.COM".
>> >
>> > Use "smith" in the "User Name" field in the ODBC manager
>> >
>> >> Could it be that when the only means of authentication enabled in
>> >> pg_hba.conf is gss that having anything in 'User Name' is a problem?
>> >
>> > No.
>> >
>> > If you can provide actual specifics regarding the above, and excerpts
>> > from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
>> > client-side logs, I think that would go a long way to figuring this out.
>> >
>> > Thanks,
>> >
>> > Stephen
>>
>> Stephen,
>>
>> First, I must apologize. I proofed that post several times but missed
>> that I indicated it was the AD name when in fact I had used the PG
>> name.
>>
>> Following is the information you suggested reporting. The test is with
>> 'User Name' = 'john'. I used a system DSN generated with the ODBC data
>> source administrator. Before I set 'User Name' = 'john', I
>> successfully tested the DSN with user csmprovver whose AD and PG names
>> are identical with 'User Name' = ''.
>>
>> *users*
>>
>> The AD user is jslatter@SOMEREALM.ORG and the PG user is john.
>>
>> *pg_hba.conf*
>>
>> # TYPE DATABASE   USER       CIDR-ADDRESS     METHOD
>> host   all        all        10.29.136.81/32  md5
>> host   all        john       10.29.136.0/21   gss map=gssapi
>> host   csmprovver csmprovver 74.203.196.84/32 gss
>> host   all        all        10.29.136.0/21   gss
>>
>> *pg_ident.conf*
>>
>> # MAPNAME SYSTEM-USERNAME PG-USERNAME
>> gssapi    jslatter        john
>>
>> *exception generated*
>>
>> Run-time error '-2147217843 (80040e4d)':
>> Service negotiation failed;
>> The specified target is unknown or unreachable in
>> DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh
>>
>> *pg_log*
>>
>> 012-08-03 14:09:42 CDT FATAL: GSSAPI authentication failed for user "john"
>>
>> *client logs*
>>
>> mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does
>> not seem to have been produced.
>>
>> Thanks for your help.
>>
>> John
>
>
>

Stephen,

I have PGKRBSRVNAME=POSTGRESQL for both users. The name of the service principal for PostgreSQL on the server is POSTGRESQL. I also have PGGSSAPI=gssapi for both users. I'm not really sure the latter is necessary, but haven't had the opportunity to investigate it yet.

John
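Added example, not part of the original messages and not PostgreSQL's own code: a Python model of how a server applies the pg_hba.conf and pg_ident.conf excerpts quoted above (the first matching pg_hba.conf line decides the method, then the `map=` option is checked against pg_ident.conf). The function names and the `include_realm` parameter are assumptions of this example; it matches plain strings only, so regex maps and group or `sameuser` syntax are not modelled.

```python
import ipaddress

# Constructed from the pg_hba.conf / pg_ident.conf excerpts quoted in the thread.
PG_HBA = """\
# TYPE DATABASE   USER       CIDR-ADDRESS     METHOD
host   all        all        10.29.136.81/32  md5
host   all        john       10.29.136.0/21   gss map=gssapi
host   csmprovver csmprovver 74.203.196.84/32 gss
host   all        all        10.29.136.0/21   gss
"""
PG_IDENT = """\
# MAPNAME SYSTEM-USERNAME PG-USERNAME
gssapi    jslatter        john
"""

def fields(text):
    """Yield whitespace-split fields of each non-comment, non-blank line."""
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            yield parts

def parse_hba(text):
    rules = []
    for _type, db, user, cidr, method, *opts in fields(text):
        rules.append({"db": db, "user": user, "net": ipaddress.ip_network(cidr),
                      "method": method,
                      "opts": dict(o.split("=", 1) for o in opts)})
    return rules

def first_match(rules, db, user, addr):
    """pg_hba.conf is first-match: only the first line that fits is used."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if r["db"] in ("all", db) and r["user"] in ("all", user) and ip in r["net"]:
            return r
    return None

def gss_allows(rule, principal, pg_user, ident_text, include_realm=False):
    """Check the authenticated principal against the requested PG user.
    include_realm=False models realm stripping ("jslatter@REALM" -> "jslatter");
    which default applies depends on the server version (assumption here)."""
    sysname = principal if include_realm else principal.split("@", 1)[0]
    mapname = rule["opts"].get("map")
    if mapname is None:                      # no map: names must be identical
        return sysname == pg_user
    return any(f == [mapname, sysname, pg_user] for f in fields(ident_text))
```

The client addresses used to exercise it are constructed; the thread does not state which address the ODBC client connects from.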