Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

On Thu, May 28, 2009 at 2:07 PM, Peter Koczan <pjkoczan@gmail.com> wrote:
> On Thu, May 28, 2009 at 1:30 PM, Tom Lane <tgl@sss.pgh.pa.us> wrote:
>> Peter Koczan <pjkoczan@gmail.com> writes:
>>> It was rather convenient to know that whatever Kerberos principal was
>>> used was going to be the database user.
>>
>> Isn't that still true? =A0(Modulo the auth.c bug fix of course.) =A0The =
only
>> issue here is where the default guess for a not-explicitly-specified
>> username comes from, not whether you'll be allowed to connect or not.
>
> That's what I meant. It was convenient to have the default guess be
> the Kerberos principal for krb5/gss connections. This is still the
> case in the vast majority of connections, so it's probably not worth
> bending over backwards to satisfy these edge cases.

And by "this is still the case", I mean that the principal name and
the username line up and exhibit the same overt behavior. Not that the
principal forces the username.

I need a break. :-)

Peter