Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 19:27:32
Message-ID: 20140224192732.GQ2921@tamriel.snowman.net
Lists: pgsql-bugs

* Brian Crowell (brian(at)fluggo(dot)com) wrote:
> On Mon, Feb 24, 2014 at 1:10 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
> > Why exactly doesn't Npgsql know what the Kerberos principal name is?
> > How did it obtain the ticket without knowing that?
>
> Windows obtained the ticket, not Npgsql. It's attached to my logon
> token without Npgsql's help. If I'm on the domain, I _might_ have
> access to that information through a call to LsaGetLogonSessionData or
> similar. If I'm not on the domain, I definitely don't.
>
> Npgsql is just asking Windows to do GSSAPI auth on its behalf, so it
> never really touches that info.

I seem to recall that, at one point, we were actually doing this
automatically in libpq, that is, grabbing the Kerberos princ and then
using it to auth. That was too constrained though, as we wanted to be
able to have users with names other than their princs, but perhaps we
should have just made it optional instead, perhaps using an environment
variable. Would that work for you and the general users? I'm on the
fence about making that the default again since it's possible we would
break things for existing users...

Thanks,

Stephen
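An added sketch of the opt-in behaviour described in this reply, written for this page rather than taken from libpq, Npgsql or anyone in the thread. The environment variable name PGUSER_FROM_PRINCIPAL and the precedence order are assumptions; an explicit user name always wins so existing deployments are not affected, and the off-domain case (no principal available) falls back to the OS login name.

```python
from typing import Optional

# Hypothetical environment variable (an assumption for this example, not a
# real libpq setting): when set to "1", the client derives the database user
# name from the Kerberos/SSPI principal instead of requiring it up front.
OPT_IN_VAR = "PGUSER_FROM_PRINCIPAL"


def principal_to_user(principal: str) -> str:
    """Map a Kerberos principal to a bare user name.

    'alice@EXAMPLE.COM'       -> 'alice'
    'alice/admin@EXAMPLE.COM' -> 'alice/admin'  (instance kept; any further
                                                mapping is the server's job)
    'alice'                   -> 'alice'        (no realm present)
    """
    name, sep, _realm = principal.rpartition("@")
    # rpartition: a principal without a realm yields an empty separator,
    # in which case the whole string is the name.
    return name if sep else principal


def resolve_db_user(explicit_user: Optional[str],
                    principal: Optional[str],
                    env: dict,
                    os_login: str) -> str:
    """Decide which user name the client sends in the startup packet.

    Precedence (an assumption modelled on the proposal in the thread):
      1. a user name the application set explicitly always wins, so
         existing users see no behaviour change;
      2. if the opt-in variable is set and the GSS/SSPI layer could report
         the principal, use the principal's name part;
      3. otherwise fall back to the OS login name, which is all that is
         available when the machine is off the domain.
    """
    if explicit_user:
        return explicit_user
    if env.get(OPT_IN_VAR) == "1" and principal:
        return principal_to_user(principal)
    return os_login
```

Because the mapping is purely client-side, the server still decides whether the presented name is acceptable for the authenticated principal; this only removes the need for the application to know the principal in advance.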
