Re: SSPI authentication - patch - Mailing list pgsql-patches

From Stephen Frost
Subject Re: SSPI authentication - patch
Date
Msg-id 20070720130028.GT4887@tamriel.snowman.net
Whole thread Raw
In response to Re: SSPI authentication - patch  (Magnus Hagander <magnus@hagander.net>)
Responses Re: SSPI authentication - patch
List pgsql-patches
* Magnus Hagander (magnus@hagander.net) wrote:
> On Thu, Jul 19, 2007 at 06:22:57PM -0400, Stephen Frost wrote:
> > My thinking would be to have the autoconf to disable it, but enable it
> > by default.  I don't feel particularly strongly about it though.
>
> Do you see a use-case where someone would disable it? I'll be happy to add
> the switch if you do, it's not hard to do, but adding a switch just for the
> sake of adding a switch is not something I lik e:-)

Eh, I could contrive one but, as I said, I don't feel particularly
strongly about it.  How about we go w/o it for now and see if anyone
asks for it.

> > I understand that SSPI is case-insensitive, or folds to uppercase, or
> > whatever, but this is *not* used only by the SSPI code.  Please correct
> > me if I'm wrong, but this will break existing krb-auth using client
> > applications/setups that went with the previous default, no?  I realize
> > it's on Windows, but there are people out there with that
> > configuration (yes, like me... :)...
>
> Ok, first to clearify the facts:
> * SSPI is case-insensitive, case-preserving
> * The problem is not from SSPI. It's Active Directory. If you use AD as the
> KDC, you must use uppercase SPNs - regardless of SSPI. For example, it's
> needed for anybody wanting to use the old krb5 auth in 8.x together with
> Active Directory - like I do :-)

Ah, thanks for clearing up where the problem arises from.

> The change is there to because the majority of windows installs will
> be using Active Directory, at least that's what I would expect. Certainly
> not all, but most. It's a way of lowering the bar for the majority, at the
> expense of the minority ;-)

It's also at the expense of backwards compatibility. :/  People who are
currently using the krb5 auth mechanism with AD are used to having to
flip that or set the environment variable while people who have been
using it with an MIT KDC may get suprised by it.

> That said, I actually intended to submit that as a separate patch for
> separate discussion. If people are against it, I'll be happy to drop that
> part.

My main concern is that it's a backward-incompatible change.  I realize
that it's likely going in the direction of the majority on Windows but
it seems to make like it's not something we should just 'do'.  That
said, I don't see it as a problem for me since I've got a reasonably
small user-base (10s, not 100s or 1000s) of Windows users and setting
the environment variable shouldn't be an issue.

> Again, it's not related to the library used, it's related to the KDC. And
> we can't detect that, at least not early enough.

That's true, but if we used upper-case with something NEW (SSPI) while
keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're
not breaking backwards compatibility while also catering to the masses.
I guess I don't see too many people using SSPI w/ an MIT KDC, and it
wasn't possible previously anyway.

What do you think?

    Thanks!

        Stephen

Attachment

pgsql-patches by date:

Previous
From: Peter Eisentraut
Date:
Subject: Re: configure.in / xml / quoting trouble
Next
From: Tom Lane
Date:
Subject: Re: configure.in / xml / quoting trouble