Re: GSSAPI server side on Linux, SSPI client side on Windows
From | Brian Crowell |
---|---|
Subject | Re: GSSAPI server side on Linux, SSPI client side on Windows |
Date | |
Msg-id | CAAQkdDr_pa_qKGi8zPsnLa62WzAzRKKtNyLuNC+kb60dKBEwGA@mail.gmail.com |
In response to | Re: GSSAPI server side on Linux, SSPI client side on Windows (Brian Crowell <brian@fluggo.com>) |
Responses | Re: GSSAPI server side on Linux, SSPI client side on Windows<br>Re: GSSAPI server side on Linux, SSPI client side on Windows |
List | pgsql-general |

On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian@fluggo.com> wrote:
> I think I'm getting closer though. I have psql on Windows successfully
> authenticating, so I can't be too far off.

Got it. The NpgsqlPasswordPacket class has a bug: a utility function it calls appends a null character to the data, which completely screws up GSSAPI. Now that I fixed that, I've got successful integrated authentication from Windows to PostgreSQL on Linux.

However:

* If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
* Npgsql isn't sending the realm, and I've got PostgreSQL configured to expect it

Otherwise, it's working. As far as I know, the changes necessary are:

* Use hostname in the SPN instead of IP address
* Use "kerberos" package in AcquireCredentialsHandle call instead of "negotiate"
* Fix PGUtil.WriteBytes to not send the extra null (this method is only used by NpgsqlPasswordPacket, but this fix will most likely break other authentication methods)
* As stated above, may need to specify username manually (UserName = "BCrowell@DOMAIN.COM"); I want to fix this

If I figure out the username issue, I'll submit a patch.

Also, in my case, it doesn't seem to matter for the SPN whether the service name is "postgres" or "POSTGRES." I've got PostgreSQL set to "postgres", and Npgsql is specifying "POSTGRES", but I also at some point configured two sets of SPNs on the domain for uppercase and lowercase, so I don't know if that's a mitigating factor.

—Brian
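
The following is an added example, not part of the original post and not Npgsql code. It shows why one appended NUL matters on the wire: in the PostgreSQL frontend/backend protocol, PasswordMessage and GSSResponse share the `p` type byte, but the first carries a NUL-terminated string and the second carries opaque token bytes. The function names are hypothetical and the token is a constructed stand-in that uses the RFC 2743 initial-token framing.

```python
import struct

# Constructed sample: RFC 2743 initial-token framing (0x60, DER length,
# Kerberos 5 mechanism OID) around filler bytes. Not a real ticket.
KRB5_OID = bytes.fromhex("06092a864886f712010202")
INNER = KRB5_OID + b"\x01\x00" + b"\xaa" * 16
SAMPLE_TOKEN = b"\x60" + bytes([len(INNER)]) + INNER

def frame_p(payload: bytes) -> bytes:
    """Type byte 'p', Int32 length (counts itself, not the type byte), payload."""
    return b"p" + struct.pack("!I", len(payload) + 4) + payload

def password_message(password: str) -> bytes:
    """PasswordMessage: the payload is a C string, so a trailing NUL is required."""
    return frame_p(password.encode() + b"\x00")

def gss_response(token: bytes) -> bytes:
    """GSSResponse: the payload is opaque token bytes, no terminator."""
    return frame_p(token)

def parse_p(msg: bytes) -> bytes:
    """Validate the frame and return its payload."""
    if len(msg) < 5 or msg[:1] != b"p":
        raise ValueError("not a 'p' message")
    (length,) = struct.unpack("!I", msg[1:5])
    if length != len(msg) - 1:
        raise ValueError("length field does not match frame size")
    return msg[5:]

def declared_token_size(token: bytes) -> int:
    """Total size the token's own outer DER header claims."""
    if len(token) < 2 or token[0] != 0x60:
        raise ValueError("no RFC 2743 initial-token header")
    first = token[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(token) < 2 + n:
        raise ValueError("bad DER length")
    return 2 + n + int.from_bytes(token[2:2 + n], "big")

def trailing_bytes(msg: bytes) -> int:
    """Bytes in a GSSResponse payload beyond the token's declared size."""
    payload = parse_p(msg)
    return len(payload) - declared_token_size(payload)

if __name__ == "__main__":
    print("correct GSSResponse:", trailing_bytes(gss_response(SAMPLE_TOKEN)))
    print("with appended NUL:  ", trailing_bytes(frame_p(SAMPLE_TOKEN + b"\x00")))
```

The frame with the appended NUL is still a well-formed `p` message, so the protocol layer accepts it; the extra byte only becomes visible when the payload is compared with the size the token itself declares.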