Re: Initial release notes created for 9.6

From: Christian Ullrich <chris(at)chrullrich(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: <pgsql-hackers(at)postgreSQL(dot)org>
Subject: Re: Initial release notes created for 9.6
Date: 2016-05-06 20:52:03
Message-ID: ffef829e-fe73-63da-9771-1d3bac335221@chrullrich.net
Lists: pgsql-hackers

* Tom Lane wrote:

> Christian Ullrich <chris(at)chrullrich(dot)net> writes:

>> I suggest writing "use the Kerberos realm name for authentication
>> instead of the NetBIOS name" either in place of the existing description
>> or together with it.
>
> OK, how about this:
>
> <para>
> Add new SSPI authentication parameters <varname>compat_realm</>
> and <varname>upn_username</>, to control whether NetBIOS or Kerberos
> realm names and user names are used during SSPI authentication
> (Christian Ullrich)
> </para>

Perfect, except for the implied idea of a "NetBIOS realm name", see
below. I can live with that in release notes, though.

> BTW, I went to read the descriptions of those parameters again, and this
> one seems a bit confusing:
>
> <varlistentry>
> <term><literal>compat_realm</literal></term>
> <listitem>
> <para>
> If set to 1, the domain's SAM-compatible name (also known as the
> NetBIOS name) is used for the <literal>include_realm</literal>
> option. This is the default. If set to 0, the true realm name from
> the Kerberos user principal name is used.
> </para>
> <para>
> Do not enable this option unless your server runs under a domain
> account (this includes virtual service accounts on a domain member
> system) and all clients authenticating through SSPI are also using
> domain accounts, or authentication will fail.
> </para>
> </listitem>
> </varlistentry>
>
> To my mind, an option that's set to 1 is "enabled". Should the second
> para read "Do not disable ..."? Or maybe we should reverse the sense
> of the flag, so that the default state can be 0 == disabled?

Well spotted, thanks. It should be "disable" instead.

This is left from when the sense of the option _was_ the other way
around (it was called "real_realm" then). I reversed and renamed it
after Magnus reviewed the patch and was -- correctly -- opposed to the name.

If the default state should be off, we're back to inventing a useful new
name. Magnus suggested "sspi_netbios_realm", which could be shortened to
just "netbios_realm", but I don't like to have both "NetBIOS" and
"realm" in the name because nobody else calls a domain's NetBIOS name a
"realm". (For the release notes, on the other hand, there is no need to
split this hair quite so thin.)

Unless you _really_ want the default (that is, backwards compatible)
behavior with the option off, I would rather keep it the way it is.

--
Christian
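To make the NetBIOS-versus-Kerberos distinction in the quoted documentation concrete, here is an added pg_hba.conf / pg_ident.conf fragment. It is not part of this thread or of the PostgreSQL sources; it assumes an Active Directory domain whose NetBIOS name is CORP and whose Kerberos realm is CORP.EXAMPLE.COM, a user whose SAM account name is jdoe, and two map names (adcompat, adkerberos). All of these names are constructed for illustration.

```conf
# pg_hba.conf (constructed example; CORP / CORP.EXAMPLE.COM are assumed names)
#
# Default behaviour: compat_realm=1, so the system user name handed to the
# user name map is "jdoe@CORP", i.e. the domain's SAM-compatible (NetBIOS) name
# is what follows the "@".
# TYPE  DATABASE  USER  ADDRESS       METHOD
host    all       all   10.0.0.0/8    sspi include_realm=1 compat_realm=1 map=adcompat

# Kerberos realm behaviour: compat_realm=0, so the system user name becomes
# "jdoe@CORP.EXAMPLE.COM" (the realm from the Kerberos user principal name).
# As the quoted docs warn, this requires the server and all SSPI clients to run
# under domain accounts. upn_username=1 additionally takes the user part from
# the Kerberos UPN instead of the SAM account name; the two can differ.
host    all       all   10.1.0.0/16   sspi include_realm=1 compat_realm=0 upn_username=1 map=adkerberos

# pg_ident.conf (constructed)
# A leading "/" makes the system-username field a regular expression whose
# single capture group is substituted for \1 in the PostgreSQL role name.
# MAPNAME      SYSTEM-USERNAME               PG-USERNAME
adcompat       /^(.*)@CORP$                  \1
adkerberos     /^(.*)@CORP\.EXAMPLE\.COM$    \1
```

The two map entries are what actually change when compat_realm is flipped: the same domain user arrives as jdoe@CORP under the default and as jdoe@CORP.EXAMPLE.COM with compat_realm=0, so an existing pg_ident.conf written against the NetBIOS form stops matching once the option is changed, which is why the default keeps the backwards-compatible behaviour.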
