Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Brian Crowell <brian(at)fluggo(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 19:27:51
Message-ID: CAAQkdDq+qQxPS=S0TtrzZ1CjPO1+Qfwcb1-YVOchnz1W9K57vw@mail.gmail.com
Lists: pgsql-bugs

On Mon, Feb 24, 2014 at 1:01 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> To PG, you're trying to log in as PG user 'Brian' and there's no mapping
> which allows the kerb princ "BCrowell@REALM.COM" to log in as that user.

Yes, that's the problem. There will not be a mapping.

> Also, is the PG user really "BCrowell@REALM.COM", or is it actually
> 'bcrowell', in which case you need a mapping for that (unless you tell
> PG to just strip the realm off, but I generally recommend against such
> since you can end up with cross-realm issues if you ever define a trust
> relationship to another realm with different users who might have the
> same princs as your local users).

The PG user is "BCrowell@REALM.COM". include_realm is on because we
have a forest, and I don't want any crossed wires between domains.

Really, this is all what I want to happen, and everything about it
works. The only problem is that PG wants a user name that, in a few
cases, I just don't have.

I'm starting to see that this appears very differently to Postgres
people. I'm coming here from SQL Server, where in our company we've
now got it set up that each user's SQL Server login _is_ their domain
login. Not just named the same--SQL Server understands the domain, and
each user is coming in as their Windows identity.

However, to Postgres, Kerberos is not about identities at all, it's
just a fancy password mechanism. Really you just want to know a
Postgres user, and it's never been a problem for users to specify
that. I guess what I'm asking is if Kerberos can be used to specify my
Postgres username as well.

--Brian
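
The mapping and realm handling discussed in this message, sketched as an added configuration example that is not part of the original thread. The map name `krb`, the client address range and `OTHER.REALM` are assumptions; the principal and role names are the ones quoted in the messages.

```conf
# pg_hba.conf, alternative A (weak): the realm is stripped before matching,
# so BCrowell@REALM.COM and BCrowell@OTHER.REALM (a trusted realm, name
# assumed) are both treated as the same PG role "BCrowell".
host  all  all  10.0.0.0/8  gss  include_realm=0

# pg_hba.conf, alternative B (stricter): keep the realm in the authenticated
# name and check it against a named map. Use A or B, not both: the first
# matching pg_hba.conf line wins.
host  all  all  10.0.0.0/8  gss  include_realm=1  map=krb

# pg_ident.conf
# MAPNAME  SYSTEM-USERNAME       PG-USERNAME
# Allow one principal to connect as a differently named role:
krb        BCrowell@REALM.COM    Brian
# Allow any principal in REALM.COM to connect as the role named by its
# local part (a leading "/" marks a regular expression, \1 is the capture):
krb        /^(.*)@REALM\.COM$    \1

# A map entry only authorizes a (principal, role) pair. The client must
# still request the role name in its connection parameters; the server
# does not pick the role from the Kerberos principal.
```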
