Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 19:01:59
Message-ID: 20140224190159.GO2921@tamriel.snowman.net
Lists: pgsql-bugs

* Brian Crowell (brian(at)fluggo(dot)com) wrote:
> On Mon, Feb 24, 2014 at 12:50 PM, Brian Crowell <brian(at)fluggo(dot)com> wrote:
> > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and
> > authenticated user name (BCrowell@REALM.COM) do not match
> >
> > But the Kerberos ticket is perfectly valid, and matches a Postgres
> > user. In this case, the program attempting to log in is incapable of
> > determining the correct Postgres user name to send (see Npgsql bug for
> > the dirty details), so why not just accept the Kerberos principal
> > name?
>
> Or in other words, I'm trying to log in as the Postgres user
> "BCrowell@REALM.COM" (which is in the Kerberos ticket), and not as
> "Brian" (which is in the startup packet, because Npgsql doesn't know
> what else to do).

To PG, you're trying to log in as PG user 'Brian' and there's no mapping
which allows the kerb princ "BCrowell@REALM.COM" to log in as that user.
Also, is the PG user really "BCrowell@REALM.COM", or is it actually
'bcrowell', in which case you need a mapping for that (unless you tell
PG to just strip the realm off, but I generally recommend against such
since you can end up with cross-realm issues if you ever define a trust
relationship to another realm with different users who might have the
same princs as your local users).

Thanks,

Stephen
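
The check described in the message above, as an added Python model (not code from the thread or from PostgreSQL). It compares no mapping, an explicit map entry, realm stripping, and a realm-anchored regex map. The function name, the map entries and the second realm OTHER.EXAMPLE are assumptions constructed for illustration; include_realm and the pg_ident.conf regex syntax are the PostgreSQL features being modelled.

```python
import re

def login_allowed(principal, requested_user, ident_map=None, strip_realm=False):
    """Simplified model of the user name check for gss/sspi authentication.

    ident_map: list of (system-username, database-username) pairs in the
    style of pg_ident.conf; a system-username starting with '/' is a
    regular expression and \\1 in the database-username is its first capture.
    strip_realm=True models the pg_hba.conf option include_realm=0.
    """
    sysname = principal.split("@", 1)[0] if strip_realm else principal
    if ident_map is None:
        # No map: authenticated name must equal the startup-packet name.
        return sysname == requested_user
    for sys_pat, db_user in ident_map:
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], sysname)
            if m is None:
                continue
            if m.groups():
                db_user = db_user.replace("\\1", m.group(1))
        elif sys_pat != sysname:
            continue
        if db_user == requested_user:
            return True
    return False

# Constructed map entries (map-name column omitted).
EXPLICIT_MAP = [("BCrowell@REALM.COM", "Brian")]
REALM_ANCHORED_MAP = [(r"/^(.*)@REALM\.COM$", r"\1")]

def demo():
    # The foreign realm is hypothetical: a trusted realm with a same-named user.
    local, foreign = "BCrowell@REALM.COM", "BCrowell@OTHER.EXAMPLE"
    return {
        "no_map": login_allowed(local, "Brian"),
        "explicit_map": login_allowed(local, "Brian", EXPLICIT_MAP),
        "stripped_local": login_allowed(local, "BCrowell", strip_realm=True),
        "stripped_foreign": login_allowed(foreign, "BCrowell", strip_realm=True),
        "anchored_local": login_allowed(local, "BCrowell", REALM_ANCHORED_MAP),
        "anchored_foreign": login_allowed(foreign, "BCrowell", REALM_ANCHORED_MAP),
    }

if __name__ == "__main__":
    for case, allowed in demo().items():
        print(f"{case}: {'accepted' if allowed else 'rejected'}")
```

With the realm stripped, a same-named principal from the other realm is accepted as the local user; the anchored map accepts only principals from REALM.COM.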
