Thread: 8.3 problems with sspi authentication

8.3 problems with sspi authentication

From
"Matthias Mohr"
Date:
Hi everybody,

this is my first post here, so I don't know if this has already be discussed here.

I tried to use the new sspi authentication in PostgreSQL 8.3 to directly use a Windows user for PostgreSQL
authentication.
So for a test I changed the default "127.0.01/32" line in pg_hba.conf from "md5" to "sspi" and tried to restart the
service.

The restart of the service failed and I found the following lines (multiple times) in my logs:

---------------------------------------------------------------------------------------------------------------------------------------
2008-02-21 21:17:21 CET LOG:  loaded library "$libdir/plugins/plugin_debugger.dll"
2008-02-21 21:17:21 CET FATAL:  SSPI authentication failed for user "postgres"

---------------------------------------------------------------------------------------------------------------------------------------

Then I tried to additionally add the sspi line to the pg_hba.conf.
Now the services immediately fails to start and the only additional line in the log is:

---------------------------------------------------------------------------------------------------------------------------------------
2008-02-21 21:19:17 CET LOG:  loaded library "$libdir/plugins/plugin_debugger.dll"

---------------------------------------------------------------------------------------------------------------------------------------
No failure, only one of the above line.

Am I doing something wrong or is this a (known) bug?

I'm using Windows XP Professional with SP2 and a lot of additional Microsoft fixes.
I installed PostgreSQL with the Windows installer.
My computer is not part of any Domain or Active Directory...

Any suggestions (or helpful hints how I can find out, what's going wrong)?

with regards,
Matthias

Re: 8.3 problems with sspi authentication

From
Christian Ullrich
Date:
* Matthias Mohr wrote:

> I tried to use the new sspi authentication in PostgreSQL 8.3 to directly
> use a Windows user for PostgreSQL authentication. So for a test I changed
[...]
> I'm using Windows XP Professional with SP2 and a lot of additional

Do you have "Simple File Sharing" enabled? If so, the client user is always
authenticated as Guest. The Guest user is usually disabled, which makes
authentication fail.

For details see <http://www.ngssoftware.com/papers/database-on-xp.pdf>.

--
  Christian Ullrich  .  Expect a letter from a friend who will ask
                     .  a favor of you.
    Registrierter    .
 Linux-User #125183  .

Re: 8.3 problems with sspi authentication

From
"Matthias Mohr"
Date:
Hi Christian,

thanks for your answer
>> I tried to use the new sspi authentication in PostgreSQL 8.3 to directly
>> use a Windows user for PostgreSQL authentication. So for a test I changed
> [...]
>> I'm using Windows XP Professional with SP2 and a lot of additional
>
> Do you have "Simple File Sharing" enabled? If so, the client user is always
> authenticated as Guest. The Guest user is usually disabled, which makes
> authentication fail.
No, "Simple File Sharing" is not enabled.

And even the PostgreSQL service itself is unable to start when I enable SSPI...

BTW, I use a German language version of Windows XP Pro if that matters.

with regards,
Matthias

Re: 8.3 problems with sspi authentication

From
"Matthias Mohr"
Date:
It seems that nobody else has problems with the sspi authentication :-(
Is somebody even using the sspi authentication for Windows?
Did it work without problems?
What environments do you use (domain, active directory, local windows user, ...)?

There must be some reason why it doesn't work here!
But I need more informations on where I can have a look at to find a solution for my problem.

with regards,
Matthias

----- Original Message -----
From: "Matthias Mohr" <Matthias@mohrenclan.de>
To: <pgsql-bugs@postgresql.org>; "Christian Ullrich" <chris@chrullrich.net>
Sent: Sunday, February 24, 2008 10:12 AM
Subject: Re: [BUGS] 8.3 problems with sspi authentication


> Hi Christian,
>
> thanks for your answer
>>> I tried to use the new sspi authentication in PostgreSQL 8.3 to directly
>>> use a Windows user for PostgreSQL authentication. So for a test I changed
>> [...]
>>> I'm using Windows XP Professional with SP2 and a lot of additional
>>
>> Do you have "Simple File Sharing" enabled? If so, the client user is always
>> authenticated as Guest. The Guest user is usually disabled, which makes
>> authentication fail.
> No, "Simple File Sharing" is not enabled.
>
> And even the PostgreSQL service itself is unable to start when I enable SSPI...
>
> BTW, I use a German language version of Windows XP Pro if that matters.
>
> with regards,
> Matthias
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 1: if posting/reading through Usenet, please send an appropriate
>       subscribe-nomail command to majordomo@postgresql.org so that your
>       message can get through to the mailing list cleanly

Re: 8.3 problems with sspi authentication

From
Magnus Hagander
Date:
I am using it, and it works very well for me. I've only been using it on
domain attached machines though - but often using it to access the server
only locally.

Do you have any non-microsoft software installed on the machine that could
be interefering somehow. Like AV or other "security" products?

The error you're getting is something like "function not supported", which
shouldn't happen...

Eh, unless, you do have sspi in your pg_hba.conf, right, not gssapi?

//Magnus

On Wed, Feb 27, 2008 at 10:08:15AM +0100, Matthias Mohr wrote:
> It seems that nobody else has problems with the sspi authentication :-(
> Is somebody even using the sspi authentication for Windows?
> Did it work without problems?
> What environments do you use (domain, active directory, local windows user,
> ...)?
>
> There must be some reason why it doesn't work here!
> But I need more informations on where I can have a look at to find a
> solution for my problem.
>
> with regards,
> Matthias
>
> ----- Original Message -----
> From: "Matthias Mohr" <Matthias@mohrenclan.de>
> To: <pgsql-bugs@postgresql.org>; "Christian Ullrich" <chris@chrullrich.net>
> Sent: Sunday, February 24, 2008 10:12 AM
> Subject: Re: [BUGS] 8.3 problems with sspi authentication
>
>
> >Hi Christian,
> >
> >thanks for your answer
> >>>I tried to use the new sspi authentication in PostgreSQL 8.3 to directly
> >>>use a Windows user for PostgreSQL authentication. So for a test I changed
> >>[...]
> >>>I'm using Windows XP Professional with SP2 and a lot of additional
> >>
> >>Do you have "Simple File Sharing" enabled? If so, the client user is
> >>always
> >>authenticated as Guest. The Guest user is usually disabled, which makes
> >>authentication fail.
> >No, "Simple File Sharing" is not enabled.
> >
> >And even the PostgreSQL service itself is unable to start when I enable
> >SSPI...
> >
> >BTW, I use a German language version of Windows XP Pro if that matters.
> >
> >with regards,
> >Matthias
> >
> >
> >---------------------------(end of broadcast)---------------------------
> >TIP 1: if posting/reading through Usenet, please send an appropriate
> >      subscribe-nomail command to majordomo@postgresql.org so that your
> >      message can get through to the mailing list cleanly
>
> ---------------------------(end of broadcast)---------------------------
> TIP 6: explain analyze is your friend

Re: 8.3 problems with sspi authentication

From
"Matthias Mohr"
Date:
Hello Magnus,

> I am using it, and it works very well for me. I've only been using it on
> domain attached machines though - but often using it to access the server
> only locally.
My problem is, that the _server_ itself did not start after changing the authentication
to sspi


> Do you have any non-microsoft software installed on the machine that could
> be interefering somehow. Like AV or other "security" products?
Of course I have a lot of "non-microsoft software" installed on the machine :-)
But I don't know how this could interfer?
Avira's Antivir is installed,
there's no firewall software activated,
cygwin with enabled ssh server is installed,
vmware workstation is installed,
what else could interfer?

> The error you're getting is something like "function not supported", which
> shouldn't happen...
What I miss is a more detailed log file which could tell me what exactly goes
wrong (and where)...


> Eh, unless, you do have sspi in your pg_hba.conf, right, not gssapi?
Yes I have "sspi" in my pg_hba.conf!

regards,
Matthias

Re: 8.3 problems with sspi authentication

From
Magnus Hagander
Date:
Matthias Mohr wrote:
> Hello Magnus,

Hi!

Sorry for not getting back to you sooner on this. I managed to misplace
the mail :-(


> > I am using it, and it works very well for me. I've only been using
> > it on domain attached machines though - but often using it to
> > access the server only locally.
> My problem is, that the _server_ itself did not start after changing
> the authentication to sspi

Ooh. That's interesting. Didn't realize that. Does it crash right away,
or does it only reject it once you try to connect?


> > Do you have any non-microsoft software installed on the machine
> > that could be interefering somehow. Like AV or other "security"
> > products?
> Of course I have a lot of "non-microsoft software" installed on the
> machine :-) But I don't know how this could interfer?
> Avira's Antivir is installed,

I would try to remove that one. Antivirus is a very common cause of
network-related issues.


> there's no firewall software activated,
> cygwin with enabled ssh server is installed,

Is cygwin present in the system PATH? If so, please try removing it
fromthe PATH, rebooting, and see if that helps. Cygwin is also a
well-known troublemaker.


> vmware workstation is installed,
> what else could interfer?

That one should be fine.


> > The error you're getting is something like "function not
> > supported", which shouldn't happen...
> What I miss is a more detailed log file which could tell me what
> exactly goes wrong (and where)...

What version Windows was this again, exactly? It's not a home or
small-business or such edition by any chance?


> > Eh, unless, you do have sspi in your pg_hba.conf, right, not gssapi?
> Yes I have "sspi" in my pg_hba.conf!

Ok, good :-)

//Magnus