GSSAPI/SSPI and mismatched user names

From: Brian Crowell <brian(at)fluggo(dot)com>
To: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: GSSAPI/SSPI and mismatched user names
Date: 2014-02-24 18:34:04
Message-ID: CAAQkdDrPN+2OUCxxZRBxg7Od_KZCHb-dKRJxkNPO3i5P5k-ZZg@mail.gmail.com
Lists: pgsql-general

I'm going to file this as a bug as well, but I guess I'm hoping to catch
some developers here for discussion.

I'm working with the Npgsql group on getting integrated security to "just
work" in the same way SQL Server's does. I wrote a workaround for one
issue, only to find out that I need more workarounds, and I finally
realized that this is a problem with the way Postgres handles GSSAPI/SSPI
logins. You can read my full description here:

https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650

The short version is that Postgres requires two user names when using
GSSAPI/SSPI: one from the startup packet, and one from the Kerberos ticket,
and if these don't match exactly, the login fails. It's generally
impossible to determine the correct user name to send in the startup packet.

I think Postgres should either not require or ignore the user name in the
startup packet for these two login types. What do you think?

--Brian
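
As an added illustration of the mismatch described in the message above (not part of the original post, and not PostgreSQL or Npgsql code): a simplified Python model of the server-side name comparison when no user name map is configured, showing that no single client-side guess is accepted by every server configuration. The principal, candidate names and helper functions are constructed; `include_realm` and `krb_caseins_users` are PostgreSQL settings not mentioned in the post, and how the model treats them is a simplifying assumption.

```python
# Simplified model (an assumption, not PostgreSQL source) of how a server
# compares the startup-packet user with the GSSAPI/SSPI principal when no
# user name map is configured.

def server_accepts(startup_user, principal, include_realm=False, caseins=False):
    """Return True if the startup-packet user matches the authenticated name."""
    # With include_realm off, the "@REALM" suffix is dropped before comparing.
    auth_name = principal if include_realm else principal.split("@", 1)[0]
    if caseins:  # models krb_caseins_users = on
        return startup_user.lower() == auth_name.lower()
    return startup_user == auth_name

# Constructed sample: the name in the ticket and the guesses a client
# driver could plausibly send in the startup packet.
PRINCIPAL = "Brian@EXAMPLE.COM"
CANDIDATES = ["Brian", "brian", "Brian@EXAMPLE.COM", "brian@example.com"]

# Server-side settings the client cannot see before it connects.
SERVER_CONFIGS = {
    "strip realm, exact case": dict(include_realm=False, caseins=False),
    "keep realm, exact case": dict(include_realm=True, caseins=False),
    "strip realm, ignore case": dict(include_realm=False, caseins=True),
    "keep realm, ignore case": dict(include_realm=True, caseins=True),
}

def survey():
    """Map each server configuration to the candidate names it would accept."""
    return {
        label: [c for c in CANDIDATES if server_accepts(c, PRINCIPAL, **cfg)]
        for label, cfg in SERVER_CONFIGS.items()
    }

def universally_safe():
    """Candidates accepted under every configuration (none, for this sample)."""
    accepted = survey().values()
    return [c for c in CANDIDATES if all(c in names for names in accepted)]

if __name__ == "__main__":
    for label, names in survey().items():
        print(f"{label:26} accepts {names}")
    print("accepted everywhere:", universally_safe())
```
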
