Re: GSSAPI server side on Linux, SSPI client side on Windows
From | Christian Ullrich |
---|---|
Subject | Re: GSSAPI server side on Linux, SSPI client side on Windows |
Date | |
Msg-id | 52794120.1000005@chrullrich.net |
In response to | Re: GSSAPI server side on Linux, SSPI client side on Windows ("Francisco Figueiredo Jr." <francisco@npgsql.org>) |
List | pgsql-general |
* Francisco Figueiredo Jr. wrote:

> On Tue, Nov 5, 2013 at 2:35 PM, Christian Ullrich <chris@chrullrich.net> wrote:
>
> > * Stephen Frost wrote:
> >
> > > * Brian Crowell (brian@fluggo.com) wrote:
> > >
> > > > However, the eventual goal was to connect to this same server from a
> > > > .NET app running on Windows, and here I've run into a snag. The Npgsql
> > > > library does not support GSSAPI—it only supports SSPI, which is
> > > > nearly-but-not-enough-like the same thing to count in this situation,
> > >
> > > Uhhh, why not?
> >
> > Because the server on Linux sends AUTH_REQ_GSS, which Npgsql does
> > not recognize.
> >
> > I tried to fix it using the reverse of the one-line fix that worked
> > in both JDBC and libpq. There, the problem was that they only
> > supported GSSAPI and had no clue about SSPI (except libpq on
> > Windows). The fix was to basically declare GSSAPI and SSPI to be the
> > same. It didn't work.
> >
> > In Npgsql's case, the problem is the other way around -- it only
> > knows SSPI. While making GSSAPI the same as SSPI should work in
> > principle, there must be some difference somewhere.
>
> Did you make your changes in the NpgsqlState.cs file?

Yes.

> Also, while checking this part of the code, it seems Npgsql isn't
> handling the AuthenticationGSS message. It is only handling
> AuthenticationGSSContinue messages.
>
> I think you could try adding the AuthenticationGSS case to Npgsql
> and see if it can authenticate correctly. You could add a second
> switch case below the case
> AuthenticationRequestType.AuthenticationSSPI and see if Npgsql can
> also handle the GSS authentication correctly.

That is exactly what I did. I remember from my work on libpq that there is a slight difference in how it handles the two authentication types, but there it is just a flag for whether to treat the user name case-sensitively or not.

Here, I control the case of the user part of the UPN, the claimed user name in the startup packet, and the role name in the database, and I know they are all identical. Therefore it should not matter for now whether Npgsql has similar logic already. To make GSSAPI support production-ready, I may have to add it, of course.

-- 
Christian
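
The message types discussed in this thread, as an added example that is not part of the original message and not Npgsql's code: a Python parser for backend Authentication ('R') messages, with a dispatcher that either knows only AuthenticationSSPI (code 9) or also accepts AuthenticationGSS (code 7) as the start of the same token exchange. The function names, action labels and sample byte stream are constructed for illustration; the dispatcher reports the client's next step rather than calling an SSPI or GSSAPI library.

```python
import struct

# Authentication request codes from the PostgreSQL frontend/backend protocol.
AUTH_OK, AUTH_GSS, AUTH_GSS_CONT, AUTH_SSPI = 0, 7, 8, 9

def parse_auth_message(buf):
    """Parse one backend Authentication message; return (code, payload, bytes_used)."""
    if len(buf) < 9:
        raise ValueError("truncated Authentication message header")
    tag, length, code = struct.unpack("!cII", buf[:9])
    if tag != b"R":
        raise ValueError("not an Authentication message")
    # The length field counts itself and the code, but not the tag byte.
    if length < 8 or len(buf) < 1 + length:
        raise ValueError("bad or truncated message length")
    payload = buf[9:1 + length]
    # Of the codes handled here, only GSSContinue carries data (the token).
    if code in (AUTH_OK, AUTH_GSS, AUTH_SSPI) and payload:
        raise ValueError("unexpected payload for this request type")
    return code, payload, 1 + length

def next_client_action(code, payload, accept_gss):
    """Map a request to the client's next step (hypothetical action labels)."""
    start_codes = (AUTH_SSPI, AUTH_GSS) if accept_gss else (AUTH_SSPI,)
    if code in start_codes:
        return ("start_negotiation", b"")
    if code == AUTH_GSS_CONT:
        return ("continue_negotiation", payload)
    if code == AUTH_OK:
        return ("authenticated", b"")
    return ("unsupported", b"")

def walk(stream, accept_gss):
    """Process concatenated messages until the stream ends or one is unsupported."""
    actions, offset = [], 0
    while offset < len(stream):
        code, payload, used = parse_auth_message(stream[offset:])
        actions.append(next_client_action(code, payload, accept_gss))
        offset += used
        if actions[-1][0] == "unsupported":
            break
    return actions

def build_msg(code, payload=b""):
    """Build a constructed sample message for the walk below."""
    return b"R" + struct.pack("!II", 8 + len(payload), code) + payload

# Constructed server side of a GSS exchange; the token is a placeholder.
SAMPLE = build_msg(AUTH_GSS) + build_msg(AUTH_GSS_CONT, b"constructed-token") + build_msg(AUTH_OK)
```

With `accept_gss=False` the walk stops at the first message, which is the situation described above for a server that sends AUTH_REQ_GSS to a client that only knows SSPI.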