Tom Lane <tgl@sss.pgh.pa.us> writes:
> Orion Henry <orion@trustcommerce.com> writes:
> > It appears to be faulting on a kerberos call which is odd because I
> > don't use kerberos for anything.
>
> I was a bit surprised to realize that if you compile Kerberos support at
> all, libpq will try to get a user name from Kerberos in preference to
> using getpwuid(). This strikes me as odd and surprising behavior.
> There's certainly no security reason for it, since we are only getting
> a default user name that can be trivially overridden.
Harumph. I reported this about a year ago:
http://archives.postgresql.org/pgsql-general/2002-12/msg00740.php
I'm not sure it can be fixed by just not setting the default username though.
In fact I think there's something a little backwards about deciding on a
default username in advance and then trying various authentication methods.
In my case I have a kerberos principal gsstark@ATHENA.MIT.EDU and a local
username of "stark".
It seems like it should try to do the kerberos authentication as username
"gsstark" (or even "gsstark@ATHENA.MIT.EDU" since the realm is significant).
And if that fails, then it should try to log in as "stark" using unix userid
authentication.
The only fear I have with that direction is that it makes things a bit
unpredictable. I could see it being weird having scripts randomly fail because
they logged in as the wrong user if the tickets happened to have expired or
the network goes down.
--
greg
