SSPI have option to specify a different SPN #1482

Open
2 tasks done
marto1 opened this issue May 21, 2019 · 11 comments

Comments

@marto1

marto1 commented May 21, 2019

I'm submitting a ...

  • bug report
  • feature request

Describe the issue
I'm trying to set up an SSPI JDBC connection on a Windows machine. The server is configured with Kerberos and is confirmed to work with psql, ODBC, the Python requests-kerberos library, etc.

I think after quite a bit of debugging I arrived at this line: https://github.com/pgjdbc/pgjdbc/blob/master/pgjdbc/src/main/java/org/postgresql/sspi/SSPIClient.java#L106 . This is where the Service Principal Name gets created, and it always comes in the form:

2019-05-21 14:36:02,916 [80475540]   WARN - ution.rmi.RemoteProcessSupport - FINEST: SSPI target name: <service class>/<domain>:<port> 

The SPN for that server is <service class>/<domain>@<active directory domain> so the connection fails.

Is there a way to force this special name as the SPN instead of the default name?

Driver Version?
42.2.5

Java Version?
java version "1.8.0_191"
Java(TM) SE Runtime Environment (build 1.8.0_191-b12)
Java HotSpot(TM) Client VM (build 25.191-b12, mixed mode)

OS Version?
Windows 10 Enterprise

PostgreSQL Version?
10.5

To Reproduce
Set up a PostgreSQL server with a Kerberos SPN different than /: and try to connect to it with pgjdbc.

Expected behaviour
Connect via SSPI to a Postgres server even with a special SPN name (preferably through a variable passed to pgjdbc).

Logs
bugreport.txt

@davecramer
Member

Would a JVM property work for you, as in -DSPN_NAME ..? If so, can you provide a PR?

@marto1
Author

marto1 commented May 21, 2019

Absolutely! I don't have a PR right now, but am considering making it very soon if there really aren't any workarounds.

@davecramer
Member

Honestly I haven't looked at it in detail but that seems like the simplest solution to me.

@michael-o

@marto1 Why is that necessary?

@davecramer This sounds like a very bad idea. This will affect the entire VM and defunct servlet containers connecting to different databases/hosts. This should be at most on a per-connection basis.

@marto1
Author

marto1 commented Oct 22, 2019

Good point. It should be per connection, but this particular use case is for one target only so it does work even with hard coding the SPN (and in fact that's what I ended up doing). As for why it's necessary I suggest reading the issue description again - it's a setup that requires SPN names in that format. The format will not be changed to fit the one assumed in the current client so I needed a way to make that work somehow.

@michael-o

michael-o commented Oct 22, 2019

I didn't understand your request in the first place, and now I do. This is a bug in the driver implementation, a severe one. The SSPI code does not correspond to the GSS-API code and will break portability. In particular, it does not comply with the docs.

It should be only one with both impls: primary/instance@REALM, but the SSPI client is adding the port also. It must be fixed. @davecramer, can you take care of that bug? Please pass 0 here. The C code seems fine for both SSPI and GSS-API: https://github.com/postgres/postgres/blob/b4675a8ae2d0aaafeb136c46c92bb56eaf018d32/src/interfaces/libpq/fe-auth.c#L392-L398

The port is a Microsoft addition because they lack keytabs in Windows. There are valid use cases where you are running multiple, distinct instances on one host under different accounts and need them separately authenticated. I guess this would also work with MIT Kerberos or JGSS (haven't tried).

I must admit that the Java code, at least, looks very chaotic for Kerberos/SPNEGO authentication and inconsistent with the C code.

Luckily, we aren't yet using PGSQL in production, but we plan to migrate from Oracle in the midterm (years). I will highly likely need to revisit that code in the future because I am not pleased with it.

@devanshsoni9

Hi,

I am facing the same issue while trying to use SSPI with pgjdbc.
If the target server is localhost, it works fine and the SSPI auth works. But if the target server is a hostname with a port, the port gets added to the SPN in the makeSPN method and I see a KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN error in Wireshark.
The stack trace looks like this:

org.postgresql.util.PSQLException: Could not initialize SSPI security context
	at org.postgresql.sspi.SSPIClient.startSSPI(SSPIClient.java:163) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.core.v3.ConnectionFactoryImpl.doAuthentication(ConnectionFactoryImpl.java:638) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.core.v3.ConnectionFactoryImpl.tryConnect(ConnectionFactoryImpl.java:141) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.core.v3.ConnectionFactoryImpl.openConnectionImpl(ConnectionFactoryImpl.java:192) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.core.ConnectionFactory.openConnection(ConnectionFactory.java:49) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.jdbc.PgConnection.<init>(PgConnection.java:195) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.Driver.makeConnection(Driver.java:454) ~[postgresql-42.2.5.jar:42.2.5]
	at org.postgresql.Driver.connect(Driver.java:256) ~[postgresql-42.2.5.jar:42.2.5]
	...
Caused by: com.sun.jna.platform.win32.Win32Exception: The specified target is unknown or unreachable
	at waffle.windows.auth.impl.WindowsSecurityContextImpl.initialize(WindowsSecurityContextImpl.java:132) ~[waffle-jna-1.9.1.jar:1.9.1]
	at org.postgresql.sspi.SSPIClient.startSSPI(SSPIClient.java:161) ~[postgresql-42.2.5.jar:42.2.5]
	... 28 more
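To make the failure mode in michael-o's analysis and the KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN above concrete, here is an added, constructed model (not pgjdbc or libpq code) of Windows SPN parsing and lookup. It assumes a simplified KDC that matches the registered SPN strings part by part (case-insensitive, no hostname canonicalization), and the registered names and realm EXAMPLE.TEST are constructed sample data.

```python
"""Constructed model of Windows SPN matching: why "POSTGRES/host:port" is
refused when only "POSTGRES/host@REALM" is registered, and vice versa."""
import re
from dataclasses import dataclass
from typing import Optional, Set

# Windows SPN syntax: serviceclass/host[:port][/servicename][@REALM]
_SPN_RE = re.compile(
    r"^(?P<cls>[^/@:]+)/(?P<host>[^/@:]+)(?::(?P<port>\d+))?"
    r"(?:/(?P<name>[^/@]+))?(?:@(?P<realm>[^@/]+))?$"
)


@dataclass(frozen=True)
class Spn:
    service_class: str      # compared case-insensitively, as AD does
    host: str
    port: Optional[int]     # None: no port; "host" and "host:port" are distinct SPNs
    realm: Optional[str]    # None: caller's default realm is used


def parse_spn(text: str) -> Spn:
    m = _SPN_RE.match(text)
    if not m:
        raise ValueError(f"malformed SPN: {text!r}")
    return Spn(m["cls"].lower(), m["host"].lower(),
               int(m["port"]) if m["port"] else None,
               m["realm"].upper() if m["realm"] else None)


def pre_fix_sspi_target(host: str, port: int) -> str:
    """Target name shape the issue reports for pgjdbc 42.2.5 (port appended)."""
    return f"POSTGRES/{host}:{port}"


def libpq_style_target(host: str) -> str:
    """Target name shape libpq builds: service/host, realm left to the KDC."""
    return f"POSTGRES/{host}"


def kdc_lookup(target: str, registered: Set[str], default_realm: str) -> str:
    """Simplified KDC decision (assumption): exact part-wise match, no canonicalization."""
    want = parse_spn(target)
    want_realm = want.realm or default_realm.upper()
    for entry in registered:
        have = parse_spn(entry)
        same_name = (have.service_class, have.host, have.port) == \
                    (want.service_class, want.host, want.port)
        if same_name and (have.realm or default_realm.upper()) == want_realm:
            return "OK"
    return "KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN"
```

Registering both forms with setspn, or having the client emit the form that is actually registered, is what makes the lookup succeed; the model shows that neither form implies the other.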


@davecramer
Member

@devanshsoni9 have a look at #1651 let me know if that fixes it

@michael-o

@devanshsoni9 This is what I have described back in October.

@devanshsoni9

Thanks @michael-o for finding the root cause and @davecramer for the quick turnaround in implementing it. The fix #1651 seems to have fixed my issue with the SPN. Any idea when the next public release of the driver is?

@davecramer
Member

@devanshsoni9 soonish as there are some other bugs that need to be fixed
