Обсуждение: How to ensure that SSPI support (Windows) enabled?
Hi
I’m looking at config_default.pl file and I can see the line
gss => undef, # --with-gssapi=<path>
I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos
So what should I set and where to ensure that result PostgreSQL build will support SSPI?
Thanks in advance
Dimitry Markman
Dimitry Markman <dmarkman@mathworks.com> writes:
> Im looking at config_default.pl file and I can see the line
> gss => undef, # --with-gssapi=<path>
> I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos
> So what should I set and where to ensure that result PostgreSQL build will support SSPI?
SSPI != GSS. SSPI support is always built in Windows builds, see
win32_port.h:
#define ENABLE_SSPI 1
(Perhaps not the best place for such a thing, but somebody put it there.)
regards, tom lane
Hi Tom,
thanks a lot for your super fast answer 😊. I really appreciate that
I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI
I’m not really familiar with either gssapi or SSPI
I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi
On linux I use MIT Kerberos that we build in our 3p environment (only linux)
When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI
Thanks again
dm
From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Friday, May 19, 2023 at 11:26 AM
To: Dimitry Markman <dmarkman@mathworks.com>
Cc: pgsql-hackers@lists.postgresql.org <pgsql-hackers@lists.postgresql.org>
Subject: Re: How to ensure that SSPI support (Windows) enabled?
Dimitry Markman <dmarkman@mathworks.com> writes:
> I’m looking at config_default.pl file and I can see the line
> gss => undef, # --with-gssapi=<path>
> I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos
> So what should I set and where to ensure that result PostgreSQL build will support SSPI?
SSPI != GSS. SSPI support is always built in Windows builds, see
win32_port.h:
#define ENABLE_SSPI 1
(Perhaps not the best place for such a thing, but somebody put it there.)
regards, tom lane
Greetings, Please don't top-post. * Dimitry Markman (dmarkman@mathworks.com) wrote: > I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI They're correct. > I’m not really familiar with either gssapi or SSPI Kerberos support is provided through SSPI on Windows. On Linux and Unix systems in general, it's provided through GSSAPI. On the wire, the two are (mostly) compatible. > I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi On most Unix-based systems (and certainly for MacOS), you should be installing MIT Kerberos and using that for your GSSAPI library. The GSSAPI library included with MacOS has not been properly maintained by Apple and is woefully out of date and using it will absolutely cause you undue headaches. > On linux I use MIT Kerberos that we build in our 3p environment (only linux) Yes, MIT Kerberos on Linux makes sense. > When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI That's correct, you should be using SSPI on Windows is the vast majority of cases. Thanks, Stephen
Вложения
Thanks Stephen, very useful information
dm
On 5/19/23, 12:02 PM, "Stephen Frost" <sfrost@snowman.net> wrote:
Greetings,
Please don't top-post.
* Dimitry Markman (dmarkman@mathworks.com) wrote:
> I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI
They're correct.
> I’m not really familiar with either gssapi or SSPI
Kerberos support is provided through SSPI on Windows. On Linux and Unix
systems in general, it's provided through GSSAPI. On the wire, the two
are (mostly) compatible.
> I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi
On most Unix-based systems (and certainly for MacOS), you should be
installing MIT Kerberos and using that for your GSSAPI library. The
GSSAPI library included with MacOS has not been properly maintained by
Apple and is woefully out of date and using it will absolutely cause you
undue headaches.
> On linux I use MIT Kerberos that we build in our 3p environment (only linux)
Yes, MIT Kerberos on Linux makes sense.
> When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI
That's correct, you should be using SSPI on Windows is the vast majority
of cases.
Thanks,
Stephen