Thread: Windows binary install and gssapi support
Hello,
Postgres supports a connection string parameter 'gsslib'. This is documented here:
When I install the psycopg2 binary distribution on windows, I see the error below.
C:\Users\grant>pip install psycopg2-binary
Collecting psycopg2-binary
Downloading psycopg2_binary-2.7.4-cp27-cp27m-win32.whl (859kB)
100% |################################| 860kB 882kB/s
Installing collected packages: psycopg2-binary
Successfully installed psycopg2-binary-2.7.4
You are using pip version 9.0.1, however version 10.0.0 is available.
You should consider upgrading via the 'python -m pip install --upgrade pip' command.
C:\Users\grant>python
Python 2.7.10 (default, May 23 2015, 09:40:32) [MSC v.1500 32 bit (Intel)] on win32
Type "help", "copyright", "credits" or "license" for more information.
>>> import psycopg2
>>> psycopg2.connect( 'postgresql://localhost/postgres?gsslib=gssapi' )
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
File "C:\Python27\lib\site-packages\psycopg2\__init__.py", line 129, in connect
dsn = _ext.make_dsn(dsn, **kwargs)
File "C:\Python27\lib\site-packages\psycopg2\extensions.py", line 155, in make_dsn
parse_dsn(dsn)
psycopg2.ProgrammingError: invalid dsn: invalid URI query parameter: "gsslib"
C:\Users\grant>python --version
Python 2.7.10
C:\Users\grant>ver
Microsoft Windows [Version 10.0.16299.371]
I am speculating here, but perhaps the libpq library that was used to build the package was not built using the --with-gssapi switch described here?
Thanks
Grant,
You are correct, the libpq library is not built with the gsslib library. Several years back I noticed the gsslib option when doing a review of the options for libpq and attempted to include the library with some minimal effort but without success. Since we build the psycopg2 windows binaries with the compiler version that was used to build the respective Python version, we also use that compiler version to build the dependent libraries as well. At the time, linking in the MIT Kerberos library was more involved then download, compile, and link. Since it has been a few years, it might be worth revisiting it again.
-jason
On Sat, Apr 14, 2018 at 6:35 PM, Grant McKenzie <grant.r.mckenzie@gmail.com> wrote:
Hello,Postgres supports a connection string parameter 'gsslib'. This is documented here:When I install the psycopg2 binary distribution on windows, I see the error below.C:\Users\grant>pip install psycopg2-binaryCollecting psycopg2-binaryDownloading psycopg2_binary-2.7.4-cp27-cp27m-win32.whl (859kB) 100% |################################| 860kB 882kB/s Installing collected packages: psycopg2-binarySuccessfully installed psycopg2-binary-2.7.4You are using pip version 9.0.1, however version 10.0.0 is available.You should consider upgrading via the 'python -m pip install --upgrade pip' command.C:\Users\grant>pythonPython 2.7.10 (default, May 23 2015, 09:40:32) [MSC v.1500 32 bit (Intel)] on win32Type "help", "copyright", "credits" or "license" for more information.>>> import psycopg2>>> psycopg2.connect( 'postgresql://localhost/postgres?gsslib=gssapi' ) Traceback (most recent call last):File "<stdin>", line 1, in <module>File "C:\Python27\lib\site-packages\psycopg2\__init__.py" , line 129, in connect dsn = _ext.make_dsn(dsn, **kwargs)File "C:\Python27\lib\site-packages\psycopg2\extensions. py", line 155, in make_dsn parse_dsn(dsn)psycopg2.ProgrammingError: invalid dsn: invalid URI query parameter: "gsslib"C:\Users\grant>python --versionPython 2.7.10C:\Users\grant>verMicrosoft Windows [Version 10.0.16299.371]I am speculating here, but perhaps the libpq library that was used to build the package was not built using the --with-gssapi switch described here?Thanks
Thanks Jason.
The build process for windows still seems quite involved:
https://www.postgresql.org/docs/10/static/install-windows-full.html
That said, the predominance of Kerberos authentication in enterprises these days would make support of this a welcome addition I'm sure.
On 4/14/2018 10:28 PM, Jason Erickson wrote:
Grant,You are correct, the libpq library is not built with the gsslib library. Several years back I noticed the gsslib option when doing a review of the options for libpq and attempted to include the library with some minimal effort but without success. Since we build the psycopg2 windows binaries with the compiler version that was used to build the respective Python version, we also use that compiler version to build the dependent libraries as well. At the time, linking in the MIT Kerberos library was more involved then download, compile, and link. Since it has been a few years, it might be worth revisiting it again.-jasonOn Sat, Apr 14, 2018 at 6:35 PM, Grant McKenzie <grant.r.mckenzie@gmail.com> wrote:Hello,Postgres supports a connection string parameter 'gsslib'. This is documented here:When I install the psycopg2 binary distribution on windows, I see the error below.C:\Users\grant>pip install psycopg2-binaryCollecting psycopg2-binaryDownloading psycopg2_binary-2.7.4-cp27-cp27m-win32.whl (859kB) 100% |################################| 860kB 882kB/s Installing collected packages: psycopg2-binarySuccessfully installed psycopg2-binary-2.7.4You are using pip version 9.0.1, however version 10.0.0 is available.You should consider upgrading via the 'python -m pip install --upgrade pip' command.C:\Users\grant>pythonPython 2.7.10 (default, May 23 2015, 09:40:32) [MSC v.1500 32 bit (Intel)] on win32Type "help", "copyright", "credits" or "license" for more information.>>> import psycopg2>>> psycopg2.connect( 'postgresql://localhost/postgres?gsslib=gssapi' ) Traceback (most recent call last):File "<stdin>", line 1, in <module>File "C:\Python27\lib\site-packages\psycopg2\__init__.py" , line 129, in connect dsn = _ext.make_dsn(dsn, **kwargs)File "C:\Python27\lib\site-packages\psycopg2\extensions. py", line 155, in make_dsn parse_dsn(dsn)psycopg2.ProgrammingError: invalid dsn: invalid URI query parameter: "gsslib"C:\Users\grant>python --versionPython 2.7.10C:\Users\grant>verMicrosoft Windows [Version 10.0.16299.371]I am speculating here, but perhaps the libpq library that was used to build the package was not built using the --with-gssapi switch described here?Thanks
Greetings, * Grant McKenzie (mckenzig@optonline.net) wrote: > That said, the predominance of Kerberos authentication in enterprises these > days would make support of this a welcome addition I'm sure. We always build with SSPI on Windows platforms. You don't really need (or want) GSSAPI on Windows systems because we've got SSPI there.. Is there some reason that people are trying to get GSSAPI on Windows instead of just using SSPI..? I'd expect that to be very rare these days.. Thanks! Stephen
Attachment
Hello Stephen,
in a heterogeneous environment with a server running on linux and a mix of clients running on windows and linux, would you not want to use GSSAPI?
Thanks.
On Tue, Apr 17, 2018 at 12:00 PM, Stephen Frost <sfrost@snowman.net> wrote:
Greetings,
* Grant McKenzie (mckenzig@optonline.net) wrote:
> That said, the predominance of Kerberos authentication in enterprises these
> days would make support of this a welcome addition I'm sure.
We always build with SSPI on Windows platforms.
You don't really need (or want) GSSAPI on Windows systems because we've
got SSPI there..
Is there some reason that people are trying to get GSSAPI on Windows
instead of just using SSPI..? I'd expect that to be very rare these
days..
Thanks!
Stephen
Greetings Grant, * Grant McKenzie (grant.r.mckenzie@gmail.com) wrote: > in a heterogeneous environment with a server running on linux and a mix of > clients running on windows and linux, would you not want to use GSSAPI? We generally prefer in-line responses instead of "top-posting" on the PG mailing lists. In that mixed environment, you would typically have either: One Realm run by the Active Directory system, with the Linux hosts configured to use GSSAPI and joined to the Active Directory environment and then using SSPI on the Windows clients. or Two realms, one run on the Active Directory system and one run on a Linux host using an MIT KDC or Heimdal, with a cross-realm trust between the two (at least one-way, for the Windows clients to be trusted by the Linux servers, or two-way, if you have the need to go the other direction also), and then the Windows systems running SSPI and the Linux systems using GSSAPI. What is perhaps not being understood here is that SSPI is Kerberos on Windows using the Active Directory system. There's no need to also have GSSAPI enabled on the Windows systems- that would just be adding in libraries and complications that aren't necessary in an Active Directory environment. If you're running Windows clients and *not* using Active Directory, then there might be a reason to use GSSAPI on Windows and Kerberos For Windows from MIT, but that's extremely rare these days... Thanks! Stephen