SSPI have option to specify a different SPN #1482
Comments
Would a jvm property work for you as in -DSPN_NAME .. ? If so, can you provide a PR?
Absolutely! I don't have a PR right now, but am considering making it very soon if there really aren't any workarounds.
Honestly I haven't looked at it in detail but that seems like the simplest solution to me.
@marto1 Why is that necessary? @davecramer This sounds like a very bad idea. This will affect the entire VM and defunct servlet containers connecting to different databases/hosts. This should be at most on a per-connection basis.
Good point. It should be per connection, but this particular use case is for one target only so it does work even with hard coding the SPN (and in fact that's what I ended up doing). As for why it's necessary I suggest reading the issue description again - it's a setup that requires SPN names in that format. The format will not be changed to fit the one assumed in the current client so I needed a way to make that work somehow.
I didn't understand your request in the first place and now I do. This is a bug in the driver implementation, a severe one. The SSPI code does not correspond to the GSS-API code and will break portability. Especially it does not comply with the docs. It should be only one with both impls: The port is a Microsoft addition because they lack keytabs in Windows. There are valid use cases where you are running multiple, distinct instances on one host under different accounts and need them separately authenticated. I guess this would also work with MIT Kerberos or JGSS (haven't tried). I must admit that, at least the Java code, looks very chaotic for Kerberos/SPNEGO authentication and inconsistent with the C code. Luckily, we aren't yet using PGSQL in production, but we plan to migrate to midterm (years) from Oracle. I will highly likely need to revisit that code in the future because I am not pleased with it.
Hi, I am facing the same issue while trying to use SSPI with pgjdbc.
@devanshsoni9 have a look at #1651, let me know if that fixes it
@devanshsoni9 This is what I have described back in October.
Thanks @michael-o for finding the root cause and @davecramer for quick turnaround in implementing it. The fix #1651 seems to have fixed my issue with the SPN. Any idea when is the next public release for the driver?
@devanshsoni9 soonish as there are some other bugs that need to be fixed
I'm submitting a ...
Describe the issue
I'm trying to set up an SSPI JDBC connection on a Windows machine. The server is configured with Kerberos and is confirmed to work with psql, odbc, python requests kerberos library etc.
I think after quite a bit of debugging I arrived at this line https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/sspi/SSPIClient.java#L106 . This is where the Service Principal Name gets created and it always comes in the form:
The SPN for that server is
<service class>/<domain>@<active directory domain>
so the connection fails. Is there a way to force this special name as the SPN instead of the default name?
Driver Version?
42.2.5
Java Version?
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) Client VM (build 25.191-b12, mixed mode)
OS Version?
Windows 10 Enterprise
PostgreSQL Version?
10.5
To Reproduce
Set up a PostgreSQL server with a Kerberos SPN different than /: and try to connect to it with pgjdbc.
Expected behaviour
Connect via SSPI to a Postgres server even with a special SPN name (preferably through a variable passed to pgjdbc).
Logs
bugreport.txt