Re: GSSAPI Authentication Problem - Mailing list pgsql-odbc
From | John Slattery |
---|---|
Subject | Re: GSSAPI Authentication Problem |
Date | |
Msg-id | CA+hybRXo7KQV25BM4znYVS9goEa+ezfJju7zWpsmfA85AEyKVw@mail.gmail.com Whole thread Raw |
In response to | Re: GSSAPI Authentication Problem (Stephen Frost <sfrost@snowman.net>) |
List | pgsql-odbc |
On Fri, Aug 3, 2012 at 4:41 PM, Stephen Frost <sfrost@snowman.net> wrote: > John, > > * John Slattery (johntslattery@gmail.com) wrote: >> Following is the information you suggested reporting. The test is with >> 'User Name' = 'john'. I used a system DSN generated with the ODBC data >> source administrator. Before I set 'User Name' = 'john', I >> successfully tested the DSN with user csmprovver whose AD and PG names >> are identical with 'User Name' = ''. > > After you have tried to connect, you might try running 'klist' on the > Windows system and reviewing the tickets to see if you acquired a ticket > for the postgres service. > > In general, this does look very similar to our setup (which works just > fine). I will say that we always use "include_realm=1" and then have > the mapping include the realm, eg: > > pg_hba.conf: > > host all all 0.0.0.0/0 gss include_realm=1 map=krbmap > > pg_ident.conf: > > krbmap /^[mM]12345@REALM\.ORG$ sfrost > > In the end, however, it sounds like that's some kind of GSSAPI issue > that's causing trouble (hence the gssapi auth complaint in the server > log). Is there any additional information around that error about what > the GSSAPI error is? Have you tried increasing the verbosity of the > server messages to see if more information is provided? > > Thanks, > > Stephen Stephen, 'klist tickets' on the Windows XP client does not show a ticket for the Postgresql service principal after failed attempts to authenticate. It does show a ticket after a successful gssapi authentication with psql. I added 'include_realm=1' to pg_hba.conf and included the realm in pg_ident.conf. Authentication by psqlODBC failed. Authentication with psql was successful. I increased the logging level on the server as far as it will go, I believe, and don't see anything that suggests the source of the authentication failure. The log entries from configuration reload to authentication failure follow: *pg_log with log_min_messages = debug5 and log_error_verbosity = verbose* 2012-08-06 08:41:01 CDT LOG: 08P01: incomplete startup packet 2012-08-06 08:41:01 CDT LOCATION: ProcessStartupPacket, postmaster.c:1525 2012-08-06 08:41:01 CDT LOG: 00000: received SIGHUP, reloading configuration files 2012-08-06 08:41:01 CDT LOCATION: SIGHUP_handler, postmaster.c:2051 2012-08-06 08:41:13 CDT DEBUG: 00000: forked new backend, pid=16722 socket=10 2012-08-06 08:41:13 CDT LOCATION: BackendStartup, postmaster.c:3108 2012-08-06 08:41:13 CDT FATAL: 28000: GSSAPI authentication failed for user "john" 2012-08-06 08:41:13 CDT LOCATION: auth_failed, auth.c:273 2012-08-06 08:41:13 CDT DEBUG: 00000: shmem_exit(1): 0 callbacks to make 2012-08-06 08:41:13 CDT LOCATION: shmem_exit, ipc.c:211 2012-08-06 08:41:13 CDT DEBUG: 00000: proc_exit(1): 1 callbacks to make 2012-08-06 08:41:13 CDT LOCATION: proc_exit_prepare, ipc.c:183 2012-08-06 08:41:13 CDT DEBUG: 00000: exit(1) 2012-08-06 08:41:13 CDT LOCATION: proc_exit, ipc.c:135 2012-08-06 08:41:13 CDT DEBUG: 00000: shmem_exit(-1): 0 callbacks to make 2012-08-06 08:41:13 CDT LOCATION: shmem_exit, ipc.c:211 Thank you for staying with me on this. John
pgsql-odbc by date: