Re: BUG #9337: SSPI/GSSAPI with mismatched user names

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: Brian Crowell <brian(at)fluggo(dot)com>, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org>
Subject: Re: BUG #9337: SSPI/GSSAPI with mismatched user names
Date: 2014-02-24 18:58:51
Message-ID: CABUevExYCCR98qDEa9bpUE72fkp8SsYqFNPQuS20qDz4sng0Jw@mail.gmail.com
Lists: pgsql-bugs

On Mon, Feb 24, 2014 at 7:56 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> * Brian Crowell (brian(at)fluggo(dot)com) wrote:
> > Right now, I'm seeing log entries like this:
> >
> > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and
> > authenticated user name (BCrowell(at)REALM(dot)COM) do not match
> >
> > But the Kerberos ticket is perfectly valid, and matches a Postgres
> > user. In this case, the program attempting to log in is incapable of
> > determining the correct Postgres user name to send (see Npgsql bug for
> > the dirty details), so why not just accept the Kerberos principal
> > name?
>
> This is what the mapping logic in pg_ident was written to address...
>

There is also a parameter called include_realm, specifically for Kerberos,
which will remove the @REALM.COM part. But I believe it does that by
default.

Specifically see
http://www.postgresql.org/docs/9.3/static/auth-methods.html#GSSAPI-AUTH,
which deals with both those.

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
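
The two mechanisms mentioned in this message, a pg_ident user name map and include_realm, are modelled below as an added example; it is not part of the original e-mail and is not PostgreSQL's own code. The map name `krbmap` and the two map entries are constructed for illustration, and Python's `re` stands in for the server's regex engine.

```python
import re

# Constructed pg_ident.conf content; the map name "krbmap" is hypothetical.
# Columns: MAPNAME  SYSTEM-USERNAME  PG-USERNAME
PG_IDENT = r"""
# exact entry for the mismatch shown in the quoted log line
krbmap   BCrowell@REALM.COM      Brian
# regex entry: a principal in REALM.COM may log in as its own local part
krbmap   /^(.*)@REALM\.COM$      \1
"""

def parse_ident(text):
    """Return (map, system_user, pg_user) tuples, skipping comments and blanks."""
    rows = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 3:
            rows.append(tuple(fields))
    return rows

def login_allowed(rows, usermap, authenticated, requested, include_realm=True):
    """Simplified model of the user name map check done after GSSAPI/SSPI auth."""
    # include_realm=0 drops everything from the first '@' before any comparison
    system_user = authenticated if include_realm else authenticated.split("@", 1)[0]
    if usermap is None:
        # no map= option in pg_hba.conf: the two names must be identical
        return system_user == requested
    for mapname, ident, pg_user in rows:
        if mapname != usermap:
            continue
        if ident.startswith("/"):
            # leading '/' marks a regular expression; \1 takes the first group
            m = re.search(ident[1:], system_user)
            if m is None or (r"\1" in pg_user and m.lastindex is None):
                continue
            if pg_user.replace(r"\1", m.group(1) or "", 1) == requested:
                return True
        elif ident == system_user and pg_user == requested:
            return True
    return False

ROWS = parse_ident(PG_IDENT)
```

Stripping the realm alone does not resolve the logged mismatch, since `BCrowell` still differs from `Brian`; only a map entry does. Anchoring the regex entry to one realm keeps principals with the same local part in other realms from mapping to the same role.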
