Re: GSSAPI Authentication Problem - Mailing list pgsql-odbc
From | John Slattery |
---|---|
Subject | Re: GSSAPI Authentication Problem |
Date | |
Msg-id | CA+hybRUoqKK_ZZ4HGsE1R1OjVbzw4UUVXO7-cW9JM1gjZ=oQLw@mail.gmail.com |
In response to | Re: GSSAPI Authentication Problem (Stephen Frost <sfrost@snowman.net>) |
Responses | Re: GSSAPI Authentication Problem; Re: GSSAPI Authentication Problem |
List | pgsql-odbc |
On Fri, Aug 3, 2012 at 11:54 AM, Stephen Frost <sfrost@snowman.net> wrote:
> John,
>
> * John Slattery (johntslattery@gmail.com) wrote:
>> At your suggestion, I opened the ODBC data source administrator in
>> Windows XP and attempted to create a user DSN using all of the default
>> values and providing 'Database', 'Server', and 'User Name'. In this
>> case 'User Name' was the Active Directory user name. When I pressed
>> the 'Test' button, I received the same exception I noted in my initial
>> post. I repeated the test with logging turned on. Nothing seems to
>> have been recorded about the failed test. The log file is attached.
>
> No, you should be using the PG username of the user in PG that you want
> to connect as in the ODBC driver, not the AD username.
>
> Specifics would help here, I think. For example-
>
> If the AD user is "joe@REALM.COM", one PG user is "joe", and the user
> that you want to actually log into the database as is "smith", then you
> need this:
>
> pg_ident mapping joe@REALM.COM (or just "joe" if you're having PG strip
> the realm) to "smith".
>
> Log into Windows as "joe@REALM.COM".
>
> Use "smith" in the "User Name" field in the ODBC manager
>
>> Could it be that when the only means of authentication enabled in
>> pg_hba.conf is gss that having anything in 'User Name' is a problem?
>
> No.
>
> If you can provide actual specifics regarding the above, and excerpts
> from your pg_ident.conf, PostgreSQL logs, pg_hba.conf, and the
> client-side logs, I think that would go a long way to figuring this out.
>
> Thanks,
>
> Stephen

Stephen,

First, I must apologize. I proofed that post several times but missed that I indicated it was the AD name when in fact I had used the PG name.

Following is the information you suggested reporting. The test is with 'User Name' = 'john'. I used a system DSN generated with the ODBC data source administrator. Before I set 'User Name' = 'john', I successfully tested the DSN with user csmprovver whose AD and PG names are identical with 'User Name' = ''.

*users*

The AD user is jslatter@SOMEREALM.ORG and the PG user is john.

*pg_hba.conf*

# TYPE  DATABASE    USER        CIDR-ADDRESS        METHOD
host    all         all         10.29.136.81/32     md5
host    all         john        10.29.136.0/21      gss map=gssapi
host    csmprovver  csmprovver  74.203.196.84/32    gss
host    all         all         10.29.136.0/21      gss

*pg_ident.conf*

# MAPNAME   SYSTEM-USERNAME   PG-USERNAME
gssapi      jslatter          john

*exception generated*

Run-time error '-2147217843 (80040e4d)':
Service negotiation failed; The specified target is unknown or unreachable in DoKerberosEtcProcessAuthentication:PerformKerberosEtcClientHandsh

*pg_log*

012-08-03 14:09:42 CDT FATAL: GSSAPI authentication failed for user "john"

*client logs*

mylog_1116.log and psqlodbc_1116.log are attached. An MSDTC log does not seem to have been produced.

Thanks for your help.

John
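
Added example (not part of the original message and not PostgreSQL's own code): a small Python model of how the server resolves the pg_hba.conf and pg_ident.conf excerpts posted above, first matching line wins and then the GSSAPI principal is checked against the requested PG user. Assumptions: the client address 10.29.136.90 is constructed, `include_realm` is a flag because the post does not say whether the realm is stripped, and only literal names and `all` are handled (no regex map entries or role groups).

```python
import ipaddress

# Rules and map copied from the post: (type, database, user, CIDR, method, options).
HBA = [
    ("host", "all", "all", "10.29.136.81/32", "md5", {}),
    ("host", "all", "john", "10.29.136.0/21", "gss", {"map": "gssapi"}),
    ("host", "csmprovver", "csmprovver", "74.203.196.84/32", "gss", {}),
    ("host", "all", "all", "10.29.136.0/21", "gss", {}),
]
IDENT = [("gssapi", "jslatter", "john")]  # (map name, system user, PG user)


def first_match(db, user, client_ip):
    """Return (line number, rule) of the first pg_hba rule matching the connection."""
    ip = ipaddress.ip_address(client_ip)
    for n, rule in enumerate(HBA, start=1):
        _, r_db, r_user, cidr, _, _ = rule
        if (r_db in ("all", db) and r_user in ("all", user)
                and ip in ipaddress.ip_network(cidr)):
            return n, rule  # first match wins; later rules are never consulted
    return None, None


def gss_user_allowed(rule, principal, pg_user, include_realm=False):
    """Check the authenticated principal against the requested PG user."""
    system_user = principal if include_realm else principal.split("@", 1)[0]
    map_name = rule[5].get("map")
    if map_name is None:
        return system_user == pg_user  # no map: names must be identical
    return any(m == map_name and s == system_user and p == pg_user
               for m, s, p in IDENT)


def evaluate(db, user, client_ip, principal, include_realm=False):
    """Return (line, method, allowed); allowed is None when the method is not gss."""
    n, rule = first_match(db, user, client_ip)
    if rule is None:
        return None, None, False
    if rule[4] != "gss":
        return n, rule[4], None
    return n, "gss", gss_user_allowed(rule, principal, user, include_realm)


if __name__ == "__main__":
    # Constructed client address inside 10.29.136.0/21; database name is arbitrary.
    for realm in (False, True):
        print(realm, evaluate("postgres", "john", "10.29.136.90",
                              "jslatter@SOMEREALM.ORG", include_realm=realm))
```

With the realm stripped the principal resolves to `jslatter` and the `gssapi` map admits it as `john`; with the realm kept, the map entry `jslatter` no longer matches. A connection from 10.29.136.81 is caught by the md5 line first and never reaches the gss rules.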