Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 19:47:10
Message-ID: 20140224194710.GR2921@tamriel.snowman.net
Lists: pgsql-bugs

* Brian Crowell (brian(at)fluggo(dot)com) wrote:
> > Also, is the PG user really "BCrowell(at)REALM(dot)COM", or is it actually
> > 'bcrowell', in which case you need a mapping for that (unless you tell
> > PG to just strip the realm off, but I generally recommend against such
> > since you can end up with cross-realm issues if you ever define a trust
> > relationship to another realm with different users who might have the
> > same princs as your local users).
>
> The PG user is "BCrowell(at)REALM(dot)COM". include_realm is on because we
> have a forest, and I don't want any crossed wires between domains.

Ah, makes sense. Again, you could have different usernames in PG if you
wanted to keep things simpler, by using pg_ident.conf, but if using the
full princ works for you then that's certainly fine too.

> Really, this is all what I want to happen, and everything about it
> works. The only problem is that PG wants a user name that, in a few
> cases, I just don't have.

It really should be possible for you to get it. I'm in flight at the
moment and so the interwebs are a bit lagged or I'd go figure out what
the right GSSAPI calls are, though I can understand if you'd rather just
be able to ask libpq to handle that or maybe pass back what the princ
is, so you don't have to deal with the Kerberos calls directly.

> I'm starting to see that this appears very differently to Postgres
> people. I'm coming here from SQL Server, where in our company we've
> now got it set up that each user's SQL Server login _is_ their domain
> login. Not just named the same--SQL Server understands the domain, and
> each user is coming in as their Windows identity.

I'm familiar with SQL Server and how it works there and in a lot of ways
it's very similar to what happens in PG, and it has similar options for
doing mapping too, as I recall, and if you want to be able to have such
a mapping then you have to have both the log-me-in-as username and the
Kerberos princ.

> However, to Postgres, Kerberos is not about identities at all, it's
> just a fancy password mechanism. Really you just want to know a
> Postgres user, and it's never been a problem for users to specify
> that. I guess what I'm asking is if Kerberos can be used to specify my
> Postgres username as well.

This is overstating it, imv. The exact same issue happens if, for
example, you want to ssh to a server: you have to provide the Unix
username that you want to log into the system as, along with the
Kerberos ticket. Those can then be different too, by using a .k5login
file. If you'd like to complain about something in this regard, it
would be that we don't have any way to link PG users in directly with
LDAP in the way that AD does, where the group membership is done
through LDAP. That would certainly be accurate but would be quite a bit
of work to allow and we don't get many requests for such capability.

Thanks,

Stephen
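As an added illustration of the pg_ident.conf mapping Stephen refers to (my own code, not PostgreSQL's): a simplified re-implementation of the documented pg_ident.conf matching rules, run against a constructed map that keeps include_realm on and strips the realm only for the local realm, so that principals from other domains in the forest can never be mistaken for local roles. It assumes the documented semantics that a SYSTEM-USERNAME starting with `/` is a regular expression and that `\1` in PG-USERNAME is replaced by the first capture group; the map name, realm and role names are made up.

```python
import re
from typing import List, Tuple

# Constructed pg_ident.conf contents (example only). The matching
# pg_hba.conf line would be something like:
#   host  all  all  10.0.0.0/8  gss  include_realm=1  map=krb
# Keeping include_realm=1 and anchoring the regex on the local realm is
# what prevents bcrowell@OTHER.COM from logging in as the local bcrowell.
PG_IDENT_CONF = r"""
# MAPNAME  SYSTEM-USERNAME          PG-USERNAME
krb        /^(.*)@REALM\.COM$       \1
krb        svc-reports@REALM.COM    reporting
"""


def parse_ident(conf: str) -> List[Tuple[str, str, str]]:
    """Parse pg_ident.conf text into (mapname, system_user, pg_user) rules."""
    rules = []
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        mapname, sysname, pgname = line.split()
        rules.append((mapname, sysname, pgname))
    return rules


def map_principal(rules, mapname: str, principal: str, requested_role: str) -> bool:
    """Return True if map `mapname` allows `principal` to log in as `requested_role`.

    Mirrors the documented rule order: every line of the map is tried and the
    login is permitted if any line maps the principal to the requested role.
    """
    for name, sysname, pgname in rules:
        if name != mapname:
            continue
        if sysname.startswith("/"):
            m = re.search(sysname[1:], principal)  # regex entry, unanchored
            if not m:
                continue
            if r"\1" in pgname:
                if not m.groups():
                    continue  # PostgreSQL reports an error here; treat as no match
                pgname = pgname.replace(r"\1", m.group(1))
        elif sysname != principal:
            continue  # literal entry must match exactly
        if pgname == requested_role:
            return True
    return False
```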
