Re: BUG #9337: SSPI/GSSAPI with mismatched user names
| От | Stephen Frost |
|---|---|
| Тема | Re: BUG #9337: SSPI/GSSAPI with mismatched user names |
| Дата | |
| Msg-id | 20140224190159.GO2921@tamriel.snowman.net обсуждение исходный текст |
| Ответ на | Re: BUG #9337: SSPI/GSSAPI with mismatched user names (Brian Crowell <brian@fluggo.com>) |
| Ответы |
Re: BUG #9337: SSPI/GSSAPI with mismatched user names
|
| Список | pgsql-bugs |
* Brian Crowell (brian@fluggo.com) wrote:
> On Mon, Feb 24, 2014 at 12:50 PM, Brian Crowell <brian@fluggo.com> wrote:
> > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and
> > authenticated user name (BCrowell@REALM.COM) do not match
> >
> > But the Kerberos ticket is perfectly valid, and matches a Postgres
> > user. In this case, the program attempting to log in is incapable of
> > determining the correct Postgres user name to send (see Npgsql bug for
> > the dirty details), so why not just accept the Kerberos principal
> > name?
>=20
> Or in other words, I'm trying to log in as the Postgres user
> "BCrowell@REALM.COM" (which is in the Kerberos ticket), and not as
> "Brian" (which is in the startup packet, because Npgsql doesn't know
> what else to do).
To PG, you're trying to log in as PG user 'Brian' and there's no mapping
which allows the kerb princ "BCrowell@REALM.COM" to log in as that user.
Also, is the PG user really "BCrowell@REALM.COM", or is it actually
'bcrowell', in which case you need a mapping for that (unless you tell
PG to just strip the realm off, but I generally recommend against such
since you can end up with cross-realm issues if you ever define a trust
relationship to another realm with different users who might have the
same princs as your local users).
Thanks,
Stephen
В списке pgsql-bugs по дате отправления: