Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Brian Crowell <brian(at)fluggo(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 20:03:01
Message-ID: CAAQkdDp9yvHtJuSih=E6HzZTk9LR-j2WQ3ohPSsV5U0vzT1_MA@mail.gmail.com
Lists: pgsql-bugs

On Mon, Feb 24, 2014 at 1:47 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>> The PG user is "BCrowell(at)REALM(dot)COM". include_realm is on because we
>> have a forest, and I don't want any crossed wires between domains.
>
> Ah, makes sense. Again, you could have different usernames in PG if you
> wanted to keep things simpler, by using pg_ident.conf, but if using the
> full princ works for you then that's certainly fine too.

We'd be mapping several dozen users. I'd rather keep things simple :P

> It really should be possible for you to get it. I'm in flight at the
> moment and so the interwebs are a bit lagged or I'd go figure out what
> the right GSSAPI calls are, though I can understand if you'd rather just
> be able to ask libpq to handle that or maybe pass back what the princ
> is, so you don't have to deal with the Kerberos calls directly.

If it is possible, I'd be happy to find out. Note that I'm trying to
solve the LOGON32_LOGON_NEW_CREDENTIALS case, which ADO.NET handles
just fine. This discussion does not give me much hope:

https://groups.google.com/forum/#!topic/microsoft.public.platformsdk.security/5L7ugO0Fc90

> I'm familiar with SQL Server and how it works there and in a lot of ways
> it's very similar to what happens in PG, and it has similar options for
> doing mapping too, as I recall, and if you want to be able to have such
> a mapping then you have to have both the log-me-in-as username and the
> Kerberos princ.

I'm not sure what you mean. Our connection strings look like this:

server=productiondb.realm.com;Integrated Security=SSPI;database=OURDB;Connect Timeout=500;Application Name=w00t

Most of our users do not even have SQL Server logins. They get in by
group permissions. They're mapped to application data by their SID.

> This is overstating it, imv. The exact same issue happens if, for
> example, you want to ssh to a server: you have to provide the Unix
> username that you want to log into the system as, along with the
> Kerberos ticket. Those can then be different too, by using a .k5login
> file. If you'd like to complain about something in this regard, it
> would be that we don't have any way to link PG users in directly with
> LDAP in the way that AD does, where the group membership is done
> through LDAP. That would certainly be accurate but would be quite a bit
> of work to allow and we don't get many requests for such capability.

Sorry, I didn't mean for it to sound like a complaint.

But yes, I am looking for the Postgres account to be "tied" to the
Kerberos account. It doesn't have to be through LDAP; the supplied
Kerberos user name is enough. I realize I will still have to set up a
mapping for each user, but that's small potatoes.

--Brian
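As an added illustration of the pg_ident.conf mapping discussed in this exchange (example code written for this page, not code from the thread, from Brian, or from PostgreSQL itself): the script below models the documented pg_ident.conf matching rules, where a system-username starting with "/" is a regular expression and "\1" in the PG username is replaced by its first capture group, together with the effect of include_realm on the system user name handed to the map. The map name "krbmap", the principals and the role names are constructed; the point it shows is that authentication succeeds only when the requested PG role is exactly what the map produces for the Kerberos principal, which is the "mismatched user names" failure from the subject line, and that a principal from another realm matches nothing.

```python
import re

# Constructed pg_ident.conf content (not from the thread). Format:
#   MAPNAME  SYSTEM-USERNAME  PG-USERNAME
# A SYSTEM-USERNAME starting with "/" is a regular expression; "\1" in
# PG-USERNAME is replaced by its first capture group (documented pg_ident rules).
PG_IDENT_CONF = r"""
# map       system-username                  pg-username
krbmap      BCrowell@REALM.COM               bcrowell
krbmap      /^([a-z0-9]+)@REALM\.COM$        \1
krbmap      /^svc-([a-z]+)@SUB\.REALM\.COM$  svc_\1
"""


def parse_pg_ident(text):
    """Return (map_name, system_username, pg_username) triples, skipping
    comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def gss_system_username(principal, include_realm=True):
    """Model the include_realm option of GSSAPI/SSPI auth: with include_realm=1
    the full principal is the system user name, with include_realm=0 the realm
    is stripped (so principals from different realms collide)."""
    if include_realm:
        return principal
    return principal.split("@", 1)[0]


def check_usermap(entries, map_name, system_user, requested_role):
    """True if some entry of map_name maps system_user onto exactly
    requested_role; this is the decision the server makes for 'gss map=...'."""
    for name, sys_pat, pg_user in entries:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            if r"\1" in pg_user:
                if m.lastindex is None:
                    raise ValueError(f"regex {sys_pat!r} has no capture group for \\1")
                mapped = pg_user.replace(r"\1", m.group(1))
            else:
                mapped = pg_user
        else:
            if sys_pat != system_user:
                continue
            mapped = pg_user
        if mapped == requested_role:
            return True
    return False


if __name__ == "__main__":
    entries = parse_pg_ident(PG_IDENT_CONF)
    principal = "BCrowell@REALM.COM"
    for role in ("bcrowell", "BCrowell@REALM.COM"):
        ok = check_usermap(entries, "krbmap", gss_system_username(principal), role)
        print(f"{principal} -> role {role!r}: {'accepted' if ok else 'rejected'}")
```

The first entry is the explicit per-user line Brian mentions having to set up; the regex lines show how a single entry covers a whole realm so that several dozen users do not each need one. The literal line is case-sensitive, which is why asking for the role "BCrowell@REALM.COM" with that map is rejected rather than silently accepted.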
