Re: GSSAPI/SSPI and mismatched user names

On Mon, Feb 24, 2014 at 12:55 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> * Brian Crowell (brian(at)fluggo(dot)com) wrote:
>> https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650
>
> Reading through this- can't you use GSSAPI to get the Kerberos princ
> found the ticket which is constructed? I'm pretty sure the MIT
> libraries support that, at least...

I expected I might be able to do that on Linux, but right now I'm
trying to work out the Windows non-domain case.

> Just as with .k5login, they do *not* have to match, but if they don't
> then there needs to be a mapping provided from the Kerberos princ to the
> PG username. Check out pg_ident and note that it even supports
> regexp's, so you may be able to construct a mapping such that the princ
> is mixed case and the login works- provided you send the lowercase'd
> username as the PG user to log in as.

Unfortunately, in this case I don't even have a wrong-cased username
to start with. I have the user name of the logged-in non-domain user,
which is not the user name of the domain credentials I'm sending
across the network.

>> I think Postgres should either not require or ignore the user name in the
>> startup packet for these two login types. What do you think?
>
> We need the username to figure out which auth method we're using...

Oh dear.

--Brian