Thread: GSSAPI Authentication for pgadmin4 macOS client

GSSAPI Authentication for pgadmin4 macOS client

From
Sean McDaniel
Date:
pgsql-general,

I'm turning to the the pgsql-general mailing list because I haven't found a solution elsewhere on the internet. Thanks to all who can help.

I'm using pgadmin4 on a macOS system and I'm having trouble connecting to a server of interest. The "Connect to Server" dialog box has a warning: "GSSAPI authentication not supported". I cannot proceed beyond that point.

It seems to be a GSSAPI issue. I have postgres installed via homebrew and it supports GSSAPI.  I can connect directly to the server using psql (and pgcli) from the command line without issue.

I have tried to get pgadmin4 to use these binaries by putting /usr/local/bin under Preferences > Paths > Binary Paths for "PostgreSQL Binary Path" but that doesn't fix the issue, even after a pgadmin4 restart.

Has anyone else had this issue or can offer advice?

Thanks,

Sean

Re: GSSAPI Authentication for pgadmin4 macOS client

From
Tom Lane
Date:
Sean McDaniel <sean.m.mcdaniel@gmail.com> writes:
> I'm using pgadmin4 on a macOS system and I'm having trouble connecting to a
> server of interest. The "Connect to Server" dialog box has a warning:
> "GSSAPI authentication not supported". I cannot proceed beyond that point.

> It seems to be a GSSAPI issue. I have postgres installed via homebrew and
> it supports GSSAPI.  I can connect directly to the server using psql (and
> pgcli) from the command line without issue.

A quick look through our source code finds that error string only in
libpq; it indicates that libpq was built without GSSAPI support.

Since you say that you can connect with psql, it sounds like there is
more than one copy of libpq.dylib on your machine and not all of them
support GSSAPI.  You could use "otool -L" on psql to verify which
libpq it's linked to.  Perhaps the same thing will work on pgadmin,
but I'm unsure which file to check for that.  Anyway the bottom line
here is almost certainly that pgadmin isn't using your homebrew
build of libpq, but some other one.

> I have tried to get pgadmin4 to use these binaries by putting
> /usr/local/bin under Preferences > Paths > Binary Paths for "PostgreSQL
> Binary Path" but that doesn't fix the issue, even after a pgadmin4 restart.

AFAIK that's only likely to help when pgadmin invokes pg_dump or
some other tool, not for its own connections to the server.

            regards, tom lane



Re: GSSAPI Authentication for pgadmin4 macOS client

From
Neil
Date:

On Oct 27, 2020, at 12:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:

Sean McDaniel <sean.m.mcdaniel@gmail.com> writes:
I'm using pgadmin4 on a macOS system and I'm having trouble connecting to a
server of interest. The "Connect to Server" dialog box has a warning:
"GSSAPI authentication not supported". I cannot proceed beyond that point.

It seems to be a GSSAPI issue. I have postgres installed via homebrew and
it supports GSSAPI.  I can connect directly to the server using psql (and
pgcli) from the command line without issue.

A quick look through our source code finds that error string only in
libpq; it indicates that libpq was built without GSSAPI support.


On my Mac pgadmin4 seems to use its own libpq.

You can find it at: /Applications/pgAdmin\ 4.app/Contents/Frameworks/libpq.5.dylib 

Since you say that you can connect with psql, it sounds like there is
more than one copy of libpq.dylib on your machine and not all of them
support GSSAPI.  You could use "otool -L" on psql to verify which
libpq it's linked to.  Perhaps the same thing will work on pgadmin,
but I'm unsure which file to check for that.  Anyway the bottom line
here is almost certainly that pgadmin isn't using your homebrew
build of libpq, but some other one.

I have tried to get pgadmin4 to use these binaries by putting
/usr/local/bin under Preferences > Paths > Binary Paths for "PostgreSQL
Binary Path" but that doesn't fix the issue, even after a pgadmin4 restart.

AFAIK that's only likely to help when pgadmin invokes pg_dump or
some other tool, not for its own connections to the server.

regards, tom lane



Re: GSSAPI Authentication for pgadmin4 macOS client

From
Tom Lane
Date:
Neil <neil@fairwindsoft.com> writes:
> On Oct 27, 2020, at 12:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> A quick look through our source code finds that error string only in
>> libpq; it indicates that libpq was built without GSSAPI support.

> On my Mac pgadmin4 seems to use its own libpq.
> You can find it at: /Applications/pgAdmin\ 4.app/Contents/Frameworks/libpq.5.dylib

Ah, so Sean could try replacing that with a symlink to his libpq
from homebrew.

            regards, tom lane



Re: GSSAPI Authentication for pgadmin4 macOS client

From
Sean McDaniel
Date:
Thanks Tom and Neil.

What you've said makes sense. The pgadmin4 pibpq doesn't support GSSAPI.

I followed your suggestions and symlinked libpq.5.dylib under /Applications/pgAdmin 4.app/Contents/Frameworks to the homebrew library /usr/lib/libpq.5.6.dylib, but unfortunately pgadmin4 now fails on launch with the error "The pgadmin4 server could not be contacted." Do the other libraries 'libcrypto.1.1.dylib' and 'libssl.1.1.dylib' need symlinked as well? They don't appear to have exact library matches under /usr/lib.

Also, might a future macOS version of pgadmin4 support GSSAPI?

Thank you,

Sean

On Tue, Oct 27, 2020 at 1:39 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Neil <neil@fairwindsoft.com> writes:
> On Oct 27, 2020, at 12:23 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> A quick look through our source code finds that error string only in
>> libpq; it indicates that libpq was built without GSSAPI support.

> On my Mac pgadmin4 seems to use its own libpq.
> You can find it at: /Applications/pgAdmin\ 4.app/Contents/Frameworks/libpq.5.dylib

Ah, so Sean could try replacing that with a symlink to his libpq
from homebrew.

                        regards, tom lane

Re: GSSAPI Authentication for pgadmin4 macOS client

From
Tom Lane
Date:
Sean McDaniel <sean.m.mcdaniel@gmail.com> writes:
> I followed your suggestions and symlinked libpq.5.dylib under
> /Applications/pgAdmin 4.app/Contents/Frameworks to the homebrew library
> /usr/lib/libpq.5.6.dylib, but unfortunately pgadmin4 now fails on launch
> with the error "The pgadmin4 server could not be contacted." Do the other
> libraries 'libcrypto.1.1.dylib' and 'libssl.1.1.dylib' need symlinked as
> well? They don't appear to have exact library matches under /usr/lib.

Yeah, probably.  Try "otool -L" on the symlink and see if it manages
to resolve all the dependencies.

Another point here is that libpq.5.6.dylib is quite a few major versions
back, so it's possible that pgadmin needs a newer version of that library.
Hard to tell what's going on unless you can find some lower-level error
report.

> Also, might a future macOS version of pgadmin4 support GSSAPI?

You'd have to pester the pgadmin folk about that.

            regards, tom lane



Re: GSSAPI Authentication for pgadmin4 macOS client

From
Sean McDaniel
Date:
Tom,

I wasn't able to get pgadmin4 working with the symlinks, but I'm not very knowledgeable about libraries.

But that's not a problem. I appreciate everyone diagnosing the issue. I'll reach out the pgsql-admin forum to see if there's a simple workaround or if a GSSAPI-enabled pgadmin4 client is in the pipeline. If not, I have other GUI or CLI programs I can use.

Regards,

Sean

On Tue, Oct 27, 2020 at 3:45 PM Tom Lane <tgl@sss.pgh.pa.us> wrote:
Sean McDaniel <sean.m.mcdaniel@gmail.com> writes:
> I followed your suggestions and symlinked libpq.5.dylib under
> /Applications/pgAdmin 4.app/Contents/Frameworks to the homebrew library
> /usr/lib/libpq.5.6.dylib, but unfortunately pgadmin4 now fails on launch
> with the error "The pgadmin4 server could not be contacted." Do the other
> libraries 'libcrypto.1.1.dylib' and 'libssl.1.1.dylib' need symlinked as
> well? They don't appear to have exact library matches under /usr/lib.

Yeah, probably.  Try "otool -L" on the symlink and see if it manages
to resolve all the dependencies.

Another point here is that libpq.5.6.dylib is quite a few major versions
back, so it's possible that pgadmin needs a newer version of that library.
Hard to tell what's going on unless you can find some lower-level error
report.

> Also, might a future macOS version of pgadmin4 support GSSAPI?

You'd have to pester the pgadmin folk about that.

                        regards, tom lane