Re: SSPI authentication - patch - Mailing list pgsql-patches

From: Magnus Hagander
Subject: Re: SSPI authentication - patch
Msg-id: 20070720072114.GA22622@svr2.hagander.net
In response to: Re: SSPI authentication - patch (Stephen Frost <sfrost@snowman.net>)
Responses: Re: SSPI authentication - patch
List: pgsql-patches
On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote:
> * Magnus Hagander (magnus@hagander.net) wrote:
> > Here's an updated version of this patch. This version has full SSPI support
> > in the server as well, so I can do both kerberos and NTLM between two
> > windows machines using the negotiate method.
>
> Great! Also, I've tested that it works under Windows using
> PGGSSLIB=gssapi with the MIT GSS libraries. I did have to set the
> PGKRBSRVNAME to 'postgres'. It worked excellently. :)

Thanks!

> > Since SSPI and GSSAPI can now both be used, my plan is not to have an
> > autoconf to disable SSPI, but to just enable it unconditionally on win32.
> > Or does this seem like a bad idea?
>
> My thinking would be to have the autoconf to disable it, but enable it
> by default. I don't feel particularly strongly about it though.

Do you see a use-case where someone would disable it? I'll be happy to add
the switch if you do, it's not hard to do, but adding a switch just for the
sake of adding a switch is not something I like :-)

> > Comments welcome.
>
> It looks good in general to me (though I'm not super-familiar with
> SSPI). My one big concern is this:
>
> > /* Define to the name of the default PostgreSQL service principal in Kerberos.
> > (--with-krb-srvnam=NAME) */
> > ! #define PG_KRB_SRVNAM "postgres"
> >
> > /* A string containing the version number, platform, and C compiler */
> > #define PG_VERSION_STR "Uninitialized version string (win32)"
> > --- 582,588 ----
> >
> > /* Define to the name of the default PostgreSQL service principal in Kerberos.
> > (--with-krb-srvnam=NAME) */
> > ! #define PG_KRB_SRVNAM "POSTGRES"
>
> I understand that SSPI is case-insensitive, or folds to uppercase, or
> whatever, but this is *not* used only by the SSPI code. Please correct
> me if I'm wrong, but this will break existing krb-auth using client
> applications/setups that went with the previous default, no? I realize
> it's on Windows, but there are people out there with that
> configuration (yes, like me... :)...

Ok, first to clarify the facts:

* SSPI is case-insensitive, case-preserving
* The problem is not from SSPI. It's Active Directory. If you use AD as the
  KDC, you must use uppercase SPNs - regardless of SSPI. For example, it's
  needed for anybody wanting to use the old krb5 auth in 8.x together with
  Active Directory - like I do :-)

The change is there because the majority of windows installs will be using
Active Directory, at least that's what I would expect. Certainly not all,
but most. It's a way of lowering the bar for the majority, at the expense
of the minority ;-)

That said, I actually intended to submit that as a separate patch for
separate discussion. If people are against it, I'll be happy to drop that
part.

> I don't particularly like it but, honestly, it seems like it might be
> better to set it based on what's being used (GSSAPI/SSPI/KRB5)? This
> would be for the client-side, as I guess we've decided it's okay to just
> pick whatever keytab the users provide that's in our server-side
> keytab.

Again, it's not related to the library used, it's related to the KDC. And we
can't detect that, at least not early enough.

//Magnus