Re: GSSAPI server side on Linux, SSPI client side on Windows - Mailing list pgsql-general

From Christian Ullrich
Subject Re: GSSAPI server side on Linux, SSPI client side on Windows
Msg-id f20021e31ed44a329be8688b629e974a@AMSPR06MB134.eurprd06.prod.outlook.com
In response to Re: GSSAPI server side on Linux, SSPI client side on Windows  (Brian Crowell <brian@fluggo.com>)
Responses Re: GSSAPI server side on Linux, SSPI client side on Windows
List pgsql-general
* From: Brian Crowell

> On Mon, Nov 11, 2013 at 11:56 PM, Christian Ullrich
> <chris@chrullrich.net> wrote:
> >> On Mon, Nov 11, 2013 at 10:51 PM, Brian Crowell <brian@fluggo.com> wrote:
> >> * If I don't specify my username, Npgsql sends it in lowercase "bcrowell"
> >
> > Hmm. That is related to one problem I've been having with SSPI auth from
> > libpq/ODBC. The database treats the claimed user name case-sensitively
> > when looking up the user info in pg_authid, and if the user logged on to
> > Windows with a name differing in case from what the database thinks it is,
> > authentication fails. Npgsql sending it always in lower case is precisely
> > what I landed on as a workaround (basically overriding libpq's automatic
> > user name detection in the ODBC connection string by appending a UID
> > option).
>
> The message I get in the log is "provided user name
> (bcrowell@REALM.COM) and authenticated username (BCrowell@REALM.COM)
> do not match," so it looks like I have to teach Npgsql to match
> whatever Windows is sending in GSSAPI. That, or teach Postgres how to
> lowercase the name on arrival.
>
> What did you do to get around this?

ODBC supports several connection string types. The simplest is the name of a system or user DSN alone. Another is
something along the lines of "DSN=xyz;Option1=foo;Option2=bar", supplementing (or overriding) options from the DSN with
local values.

I used that to supply an explicit "UID" option giving the result of converting the current user name to another format
using IADsNameTranslate. That works because it pulls the information from the directory rather than just munging the
result of GetUserName().

Pseudocode:

n = GetUserNameEx(NameSamCompatible)            // "logon screen" case
NameTranslate.Set(ADS_NAME_TYPE_NT4, n)
n = NameTranslate.Get(ADS_NAME_TYPE_DOMAIN_SIMPLE)    // "official" case
n = n.CutAtTheAtSign()
db.Connect("DSN=foo;UID=" + n)

To get a usable realm name, ADS_NAME_TYPE_USER_PRINCIPAL_NAME is probably more correct.

This works if the role name in pg_authid matches the user name in the directory, case-wise. It cannot be shortened to
GetUserNameEx(NameUserPrincipal) because that also returns "logon screen" case.

--
Christian
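
The pseudocode above, worked out as a PowerShell script. This is an added example and not code from the thread or from the poster: it asks the directory for the canonical spelling of the logged-on user's name through the ADSI NameTranslate COM object (IADsNameTranslate) and hands that name to ODBC as an explicit UID, so the user name libpq claims matches the case of the Kerberos principal the server authenticates. The DSN name "pgdsn", the script parameters and the InvokeMember calling convention are this example's assumptions; the ADS_NAME_* constant values are the documented ADSI enum values.

```powershell
# Added example (not from the thread): resolve the logon name to the directory's
# spelling and connect through ODBC with an explicit UID.
# Assumes a user or system DSN named "pgdsn" that points at the PostgreSQL server.
param(
    # NT4-style name, e.g. "REALM\bcrowell", in the case typed at logon.
    [string]$Name = ("{0}\{1}" -f [Environment]::UserDomainName, [Environment]::UserName),
    [string]$Dsn  = "pgdsn"   # assumed DSN name
)

# IADsNameTranslate constants (ADS_NAME_INITTYPE_ENUM / ADS_NAME_TYPE_ENUM)
$ADS_NAME_INITTYPE_GC        = 3   # bind to a global catalog
$ADS_NAME_TYPE_NT4           = 3   # "DOMAIN\user"
$ADS_NAME_TYPE_DOMAIN_SIMPLE = 5   # "user@DOMAIN", as in the poster's pseudocode

function Get-DirectoryUserName {
    param([string]$Nt4Name)
    # NameTranslate ships without a type library, so PowerShell cannot call its
    # methods directly; invoke them through IDispatch with InvokeMember instead.
    $nt   = New-Object -ComObject NameTranslate
    $type = $nt.GetType()
    $call = [System.Reflection.BindingFlags]::InvokeMethod
    [void]$type.InvokeMember("Init", $call, $null, $nt, @($ADS_NAME_INITTYPE_GC, $null))
    [void]$type.InvokeMember("Set",  $call, $null, $nt, @($ADS_NAME_TYPE_NT4, $Nt4Name))
    $simple = $type.InvokeMember("Get", $call, $null, $nt, @($ADS_NAME_TYPE_DOMAIN_SIMPLE))
    # The directory answers in its stored case, e.g. "BCrowell@REALM"; the
    # PostgreSQL role name is the part before the "@" (the pseudocode's CutAtTheAtSign).
    return $simple.Split('@')[0]
}

$uid = Get-DirectoryUserName -Nt4Name $Name
Write-Host "Logon name: $Name -> UID sent to libpq: $uid"

# DSN options plus an explicit UID, which overrides libpq's own user-name
# detection (that would otherwise send the logon-screen case).
$conn = New-Object System.Data.Odbc.OdbcConnection -ArgumentList "DSN=$Dsn;UID=$uid"
try {
    $conn.Open()
    $cmd = $conn.CreateCommand()
    # Confirm which role the server ended up with; it should equal $uid.
    $cmd.CommandText = "SELECT current_user, session_user"
    $reader = $cmd.ExecuteReader()
    if ($reader.Read()) {
        Write-Host ("current_user={0} session_user={1}" -f $reader.GetString(0), $reader.GetString(1))
    }
    $reader.Close()
}
finally {
    $conn.Close()
}
```

As the poster notes, this only helps when the role name in pg_authid is spelled exactly as the directory spells the account; if the two were created with different case, the translated name fails the same way. The alternative on the server side is PostgreSQL's krb_caseins_users setting (not mentioned in the thread), which makes the comparison between the claimed user name and the GSSAPI principal case-insensitive, at the cost of no longer distinguishing principals that differ only in case.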
