| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Christian Ullrich <chris(at)chrullrich(dot)net> |
| Cc: | PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>, pgsql-bugs <pgsql-bugs(at)postgresql(dot)org> |
| Subject: | Re: BUG #13854: SSPI authentication failure: wrong realm name used |
| Date: | 2016-03-11 11:01:43 |
| Message-ID: | CABUevEyrSAGhr4HQYdFjNwEETwQ0mnS_8PUptaYCijdv-ZsDiw@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs pgsql-hackers |
On Fri, Jan 15, 2016 at 9:46 PM, Christian Ullrich <chris(at)chrullrich(dot)net>
wrote:
> * Christian Ullrich wrote:
>
> * Christian Ullrich wrote:
>>
>> * Christian Ullrich wrote:
>>>
>>> > According to the release notes, the default for the "include_realm"
>>> > option in SSPI authentication was changed from off to on in 9.5 for
>>>
>> > > improved security. However, the authenticated user name, with the
>> > > option enabled, includes the NetBIOS domain name, *not* the Kerberos
>>
>>> > realm name:
>>>
>>
>> Below is a patch to correct this behavior. I suspect it has some
>>> serious compatibility issues, so I would appreciate feedback.
>>>
>>
>> Updated patch, sorry. The first one worked by accident only.
>>
>
> Another update. This time even the documentation builds.
>
> One thing I'm fairly sure I need advice on is error handling and/or error
> codes. Right now I use ERROR_INVALID_ROLE_SPECIFICATION just about
> everywhere (because the surrounding SSPI code does as well), and that is
> probably not the best choice in some places.
I took a quick look at this one, and have some initial thoughts.
I don't like the name "real_realm" as a parameter name. I'm wondering if it
might be better to reverse the meaning, and call it sspi_netbios_realm (and
then change the default to on, to be backwards compatible).
How does the real_realm thing work if you connect with a local account?
Hostname, or kerberos principal for the host?
Code uses a mix of malloc() and palloc() (through sprintf). Is there a
reason for that?
Looking at the docs:
+ Note that <application>libpq</> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <application>libpq</> (e.g. through the ODBC driver), you should
+ leave this option disabled.
What's the actual usecase where it makes sense to change it? Seems that's
the more reasonable thing to document, with a reference to active directory
specifically (or is there also such a compatible name for local accounts?)
--
Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christian Ullrich | 2016-03-11 11:49:35 | Re: BUG #13854: SSPI authentication failure: wrong realm name used |
| Previous Message | Dmitriy Sarafannikov | 2016-03-11 08:16:51 | Re[2]: [BUGS] Too many files in pg_replslot folder |
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Christian Ullrich | 2016-03-11 11:49:35 | Re: BUG #13854: SSPI authentication failure: wrong realm name used |
| Previous Message | Magnus Hagander | 2016-03-11 10:45:25 | Re: auto_explain sample rate |