Re: BUG #9337: SSPI/GSSAPI with mismatched user names

On Mon, Feb 24, 2014 at 1:47 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> The PG user is "BCrowell(at)REALM(dot)COM". include_realm is on because we
>> have a forest, and I don't want any crossed wires between domains.
>
> Ah, makes sense. Again, you could have different usernames in PG if you
> wanted to keep things simpler, by using pg_ident.conf, but if useing the
> full princ works for you then that's certainly fine too.

We'd be mapping several dozen users. I'd rather keep things simple :P

> It really should be possible for you to get it. I'm in flight at the
> moment and so the interwebs are a bit lagged or I'd go figure out what
> the right GSSAPI calls are, though I can understand if you'd rather just
> be able to ask libpq to handle that or maybe pass back what the princ
> is, so you don't have to deal with the Kerberos calls directly.

If it is possible, I'd be happy to find out. Note that I'm trying to
solve the LOGON32_LOGON_NEW_CREDENTIALS case, which ADO.NET handles
just fine. This discussion does not give me much hope:

https://groups.google.com/forum/#!topic/microsoft.public.platformsdk.security/5L7ugO0Fc90

> I'm familiar with SQL Server and how it works there and in a lot of ways
> it's very similar to what happens in PG, and it has similar options for
> doing mapping too, as I recall, and if you want to be able to have such
> a mapping then you have to have both the log-me-in-as username and the
> Kerberos princ.

I'm not sure what you mean. Our connection strings look like this:

server=productiondb.realm.com;Integrated
Security=SSPI;database=OURDB;Connect Timeout=500;Application Name=w00t

Most of our users do not even have SQL Server logins. They get in by
group permissions. They're mapped to application data by their SID.

> This is overstating it, imv. The exact same issue happens if, for
> example, you want to ssh to a server- you have to provide the Unix
> username that you want to log into the system as, along with the
> Kerberos ticket. Those can then be different too, by using a .k5login
> file. If you'd like to complain about something in this regard, it
> would be that we don't have any way to link PG users in directly with
> LDAP in the way that AD does, where the group membership is doing
> through LDAP. That would certainly be accurate but would be quite a bit
> of work to allow ad we don't get many requests for such capability.

Sorry, I didn't mean for it to sound like a complaint.

But yes, I am looking for the Postgres account to be "tied" to the
Kerberos account. It doesn't have to be through LDAP; the supplied
Kerberos user name is enough. I realize I will still have to set up a
mapping for each user, but that's small potatoes.

--Brian