GSSAPI Authentication Doesn't Seem to Work in 0.5.1

John Slattery

Aug 16, 2012, 9:25:23 AM
to rails-sqlse...@googlegroups.com
Hi,

To allow authentication by GSSAPI, I found that I needed to rem line 58 in client.rb:

raise ArgumentError, 'missing :username option' if opts[:username].to_s.empty?

Am I missing something? Is there something else I should be doing to make GSS work with tiny_tds?

John

Ken Collins

Aug 16, 2012, 11:17:13 AM
to rails-sqlse...@googlegroups.com

Hey John,

Based on the following information, I had assumed that those using integrated security would do so using a DOMAIN/username via the :username connection option, since this means that Windows users need not worry about setting up a freetds.conf file and doing the other method as described.

http://cubist.cs.washington.edu/doc/FreeTDS/userguide/c2086.htm#INTEGRATEDSECURITY
http://cubist.cs.washington.edu/doc/FreeTDS/userguide/x1358.htm

I have not tested this stuff at all and would look for some advice. I would not be opposed to removing the argument error in client.rb if someone tells me that using a freetds.conf as described is a viable solution. BTW, when I build static gems for Windows, it uses the C:/Sites directory for the default conf file.

https://github.com/rails-sqlserver/tiny_tds/blob/master/tasks/ports.rake#L41

Though if you Google around, you will see that FreeTDS looks in a few other standard places for that, as well as being configurable by ENV var.

Hope that helps,
Ken

John Slattery

Aug 17, 2012, 3:31:15 PM
to rails-sqlse...@googlegroups.com
Hi Ken,

It took a while for this to sink in. We're both talking about using Windows Integrated Authentication. I believe you're describing accomplishing it using NTLM and I'm doing it with Kerberos. Without a user name or password specified and without any configuration, FreeTDS finds my Kerberos ticket-granting ticket and authorization is arranged for the SQL Server. tiny_tds does, too, as long as you can find a way to not submit a user name and trigger NTLM or SQL Server login in FreeTDS.

Have I understood this correctly--instead of requiring configuration in freetds.conf, username is required so that the presence of a backslash can determine if NTLM authentication is to be used instead of an SQL Server login?

John

Ken Collins

Aug 17, 2012, 6:22:56 PM
to rails-sqlse...@googlegroups.com

Hey John,

Yeah, Kerberos would be yet another method of authentication I have not tested but should work. If removing the argument error is the only thing that is keeping you from using this, then I will gladly remove it from TinyTDS. That said, I would also have to remove this reverse merge from the adapter too?


 - Ken


--
You received this message because you are subscribed to the Google Groups "Rails SQLServer Adapter" group.
To view this discussion on the web visit https://groups.google.com/d/msg/rails-sqlserver-adapter/-/Ca7LFciejj4J.
To post to this group, send email to rails-sqlse...@googlegroups.com.
To unsubscribe from this group, send email to rails-sqlserver-a...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/rails-sqlserver-adapter?hl=en.

John Slattery

Aug 20, 2012, 10:20:25 AM
to rails-sqlse...@googlegroups.com
Ken,

I'm pretty new to all of this, but it would seem that at least username and password would need to be left out of the reverse merge.

John

Ken Collins

Aug 20, 2012, 12:40:01 PM
to rails-sqlse...@googlegroups.com

Can you confirm all of this and also open an issue on the adapter's github page?

 - Ken



John Slattery

Aug 20, 2012, 3:05:49 PM
to rails-sqlse...@googlegroups.com
Ken,

I was able to confirm that the adapter, as is, fails authenticating user 'sa'. I then removed :username from the reverse merge hash and was successful authenticating and retrieving records. :password didn't make any difference, present or not. Do these tests seem reasonable as confirmation or do you have something else in mind?

John

Ken Collins

Aug 20, 2012, 3:12:16 PM
to rails-sqlse...@googlegroups.com

That's fine. Just open up a ticket with a summary on the github issues page. That way I have a reminder to work against it and communicate with others.

 - Ken
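
Added example, not code from tiny_tds, the adapter, or either poster: a sketch of how a defaults merge that fills in :username turns a ticket-based (Kerberos) connection into a SQL Server login, next to a merge that leaves credential keys alone. The defaults hash, helper names and host are constructed for illustration; the three authentication modes follow the description given in the thread.

```ruby
# Hypothetical names throughout; this is not tiny_tds or adapter source.

# Constructed stand-in for the adapter's reverse-merge defaults. The 'sa'
# value is an assumption based on the failure reported in the thread.
ADAPTER_DEFAULTS = { username: 'sa', password: '', appname: 'example' }.freeze
CREDENTIAL_KEYS  = %i[username password].freeze

# Same semantics as ActiveSupport's Hash#reverse_merge:
# the caller's values win, defaults only fill the gaps.
def reverse_merge(config, defaults)
  defaults.merge(config)
end

# Authentication mode as described in the thread:
#   no username  -> FreeTDS picks up the Kerberos ticket (GSSAPI)
#   DOMAIN\user  -> NTLM
#   plain name   -> SQL Server login
def auth_mode(opts)
  user = opts[:username].to_s
  return :kerberos if user.empty?

  user.include?('\\') ? :ntlm : :sql_login
end

# Fill in non-credential defaults only, so an absent username stays absent.
def merge_without_credentials(config, defaults)
  safe = defaults.reject { |key, _| CREDENTIAL_KEYS.include?(key) }
  reverse_merge(config, safe)
end

# Guard for callers that must keep the full defaults hash: refuse to
# connect if merging changed the mode the caller's config implied.
def checked_merge(config, defaults)
  merged = reverse_merge(config, defaults)
  wanted = auth_mode(config)
  actual = auth_mode(merged)
  unless wanted == actual
    raise ArgumentError, "defaults changed auth mode: #{wanted} -> #{actual}"
  end

  merged
end

if __FILE__ == $PROGRAM_NAME
  kerberos_config = { host: 'db.example.test' } # constructed sample input
  puts auth_mode(reverse_merge(kerberos_config, ADAPTER_DEFAULTS))             # sql_login
  puts auth_mode(merge_without_credentials(kerberos_config, ADAPTER_DEFAULTS)) # kerberos
end
```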


