Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal - Mailing list pgsql-bugs

From Tom Lane
Subject Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date
Msg-id 19415.1243462595@sss.pgh.pa.us
Whole thread Raw
In response to Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal  (Magnus Hagander <magnus@hagander.net>)
Responses Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
List pgsql-bugs
Magnus Hagander <magnus@hagander.net> writes:
> Magnus Hagander wrote:
>> Tom Lane wrote:
>>> Magnus Hagander <magnus@hagander.net> writes:
>>>> Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
>>>> "return ret" not "return STATUS_OK".
>>> Doh.
>>
>> yeah. WIll apply patch.

> And, applied.

I have also patched the release notes to better explain the intentional
change that I initially thought Peter was complaining about:

diff -r1.6 release-8.4.sgml
2706,2707c2706,2707
<         Make Kerberos connections use the same method to determine the
<         username of the client as all other authentication methods (Magnus)
---
>         Do not rely on Kerberos tickets to determine the default database
>         username (Magnus)
2711c2711,2717
<         Previously a special Kerberos-only API was used.
---
>         Previously, a Kerberos-capable build of libpq would use the
>         principal name from any available Kerberos ticket as default
>         database username, even if the connection wasn't using Kerberos
>         authentication.  This was deemed inconsistent and confusing.
>         The default username is now determined the same way with or
>         without Kerberos.  Note however that the database username must still
>         match the ticket when Kerberos authentication is used.

What this still leaves us with is whether that change is a bad idea or
not.  I still think it's OK, but maybe Peter can point to something
else.

            regards, tom lane

pgsql-bugs by date:

Previous
From: Magnus Hagander
Date:
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Next
From: Craig Ringer
Date:
Subject: Re: BUG #4825: Before installation the server not running