Participants
Dimitry Markman
Dimitry Markman
Tom Lane
Tom Lane
Stephen Frost
Stephen Frost
Attachments

No attachments in this thread

Thread Outline
#1Dimitry MarkmanDimitry Markman
May 19, 2023
#2Tom LaneTom Laneto Dimitry Markman (#1)
May 19, 2023
#3Dimitry MarkmanDimitry Markmanto Tom Lane (#2)
May 19, 2023
#4Stephen FrostStephen Frostto Dimitry Markman (#3)
May 19, 2023
#5Dimitry MarkmanDimitry Markmanto Stephen Frost (#4)
May 19, 2023

How to ensure that SSPI support (Windows) enabled?

Started by Dimitry Markmanover 2 years ago5 messages
#1Dimitry Markman
Dimitry Markman
dmarkman@mathworks.com

Hi
I’m looking at config_default.pl file and I can see the line

gss => undef, # --with-gssapi=<path>

I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos

So what should I set and where to ensure that result PostgreSQL build will support SSPI?

Thanks in advance

Dimitry Markman

#2Tom Lane
Tom Lane
tgl@sss.pgh.pa.us
In reply to: Dimitry Markman (#1)
Re: How to ensure that SSPI support (Windows) enabled?

Dimitry Markman <dmarkman@mathworks.com> writes:

I’m looking at config_default.pl file and I can see the line
gss => undef, # --with-gssapi=<path>
I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos
So what should I set and where to ensure that result PostgreSQL build will support SSPI?

SSPI != GSS. SSPI support is always built in Windows builds, see
win32_port.h:

#define ENABLE_SSPI 1

(Perhaps not the best place for such a thing, but somebody put it there.)

regards, tom lane

#3Dimitry Markman
Dimitry Markman
dmarkman@mathworks.com
In reply to: Tom Lane (#2)
Re: How to ensure that SSPI support (Windows) enabled?

Hi Tom,
thanks a lot for your super fast answer 😊. I really appreciate that

I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI
I’m not really familiar with either gssapi or SSPI

I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi
On linux I use MIT Kerberos that we build in our 3p environment (only linux)
When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI

Thanks again

dm

From: Tom Lane <tgl@sss.pgh.pa.us>
Date: Friday, May 19, 2023 at 11:26 AM
To: Dimitry Markman <dmarkman@mathworks.com>
Cc: pgsql-hackers@lists.postgresql.org <pgsql-hackers@lists.postgresql.org>
Subject: Re: How to ensure that SSPI support (Windows) enabled?
Dimitry Markman <dmarkman@mathworks.com> writes:

I’m looking at config_default.pl file and I can see the line
gss => undef, # --with-gssapi=<path>
I was advised to use SSPI API that is built-in (windows) instead of MIT Kerberos
So what should I set and where to ensure that result PostgreSQL build will support SSPI?

SSPI != GSS. SSPI support is always built in Windows builds, see
win32_port.h:

#define ENABLE_SSPI 1

(Perhaps not the best place for such a thing, but somebody put it there.)

regards, tom lane

#4Stephen Frost
Stephen Frost
sfrost@snowman.net
In reply to: Dimitry Markman (#3)
Re: How to ensure that SSPI support (Windows) enabled?

Greetings,

Please don't top-post.

* Dimitry Markman (dmarkman@mathworks.com) wrote:

I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI

They're correct.

I’m not really familiar with either gssapi or SSPI

Kerberos support is provided through SSPI on Windows. On Linux and Unix
systems in general, it's provided through GSSAPI. On the wire, the two
are (mostly) compatible.

I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi

On most Unix-based systems (and certainly for MacOS), you should be
installing MIT Kerberos and using that for your GSSAPI library. The
GSSAPI library included with MacOS has not been properly maintained by
Apple and is woefully out of date and using it will absolutely cause you
undue headaches.

On linux I use MIT Kerberos that we build in our 3p environment (only linux)

Yes, MIT Kerberos on Linux makes sense.

When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI

That's correct, you should be using SSPI on Windows is the vast majority
of cases.

Thanks,

Stephen

#5Dimitry Markman
Dimitry Markman
dmarkman@mathworks.com
In reply to: Stephen Frost (#4)
Re: How to ensure that SSPI support (Windows) enabled?

Thanks Stephen, very useful information
dm

On 5/19/23, 12:02 PM, "Stephen Frost" <sfrost@snowman.net> wrote:
Greetings,

Please don't top-post.

* Dimitry Markman (dmarkman@mathworks.com<mailto:dmarkman@mathworks.com>) wrote:

I was asking our 3p library people how to add windows support to gss and they said that on windows we should use SSPI

They're correct.

I’m not really familiar with either gssapi or SSPI

Kerberos support is provided through SSPI on Windows. On Linux and Unix
systems in general, it's provided through GSSAPI. On the wire, the two
are (mostly) compatible.

I see that macOS has builtin support for gssapi, so all I need is to use –with-gssapi

On most Unix-based systems (and certainly for MacOS), you should be
installing MIT Kerberos and using that for your GSSAPI library. The
GSSAPI library included with MacOS has not been properly maintained by
Apple and is woefully out of date and using it will absolutely cause you
undue headaches.

On linux I use MIT Kerberos that we build in our 3p environment (only linux)

Yes, MIT Kerberos on Linux makes sense.

When I ask to build MIT Kerberos on windows that’s when I was advised simply to use SSPI

That's correct, you should be using SSPI on Windows is the vast majority
of cases.

Thanks,

Stephen

← Back to Topics