Re: Postgresql gss user map doesn't work

On Wed, Jul 1, 2015 at 7:36 PM, xujian <jamesxu(at)outlook(dot)com> wrote:

> Since we need to add user name in the command, which is not we want, I
> removed the map in the pg_ident.conf file, and created role
> xxx(at)COMPANY(dot)COM in postgresql
>
> the pg_hba.conf looks like:
> host all all all gss include_realm=1
>
> in pg_ident.conf, I removed all items
>
> in postgresql, I create role
> create role "xxx(at)COMPANY(dot)COM" login
>
> I thought it would work, because my credential is xxx(at)COMPANY(dot)COM, and
> there was user xxx(at)COMPANY(dot)COM in postgresql, it should map the my
> credential to user xxx(at)COMPANY(dot)COM(dot)
>
> however, when I login with kerberos, I got error below on server side
> LOG: provided user name (xxx) and authenticated user name (
> xxx(at)COMPANY(dot)COM) do not match
> FATAL: GSSAPI authentication failed for user "xxx"
>
> Do anyone know why it doesn't work? thanks
>
>

The PostgreSQL clients (psql in this case) will default to what you are
logged into on the local machine with (the result of getpwuid()). This
returns "xxx", so that's what PostgreSQL logs in with. It does not
explicitly ask the gss system what credentials are there until a much later
stage.

To do what you want, you need to create "xxx" in the database, and have a
pg_ident mapping xxx(at)COMPANY(dot)COM to xxx (using a regexp map probably).

--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/