Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
From | Magnus Hagander |
---|---|
Subject | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Date | |
Msg-id | 4A1DA0BC.3000106@hagander.net |
In reply to | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal (Magnus Hagander <magnus@hagander.net>) |
Replies | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
List | pgsql-bugs |
Magnus Hagander wrote:
> Tom Lane wrote:
>> Peter Koczan <pjkoczan@gmail.com> writes:
>>> This is trust authentication with one rather inconsequential bit of
>>> verification, that's a fundamental breakage. One of the major points
>>> of Kerberos is that, for anything that talks Kerberos, you are the
>>> principal in that ticket. I understand the desire to change some of
>>> that old code, but why is that principal being ignored?
>> Well, the reason for that change was that the libpq code was absorbing
>> userid from any available Kerberos ticket, even if the server
>> subsequently issued a non-Kerberos authentication challenge. I still
>> think that was wrong. What your complaint seems to suggest is that
>> the server-side Kerberos auth code should be insisting that the supplied
>> principal's first component match the requested database userid.
>> I kinda thought we *had* been doing that, but can't claim to have read
>> that code closely. Magnus?
>
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?
>
> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?
>
> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Crap, I think I found the problem.

Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
"return ret" not "return STATUS_OK".

Wow, that's a bad bug :-O

//Magnus
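The bug class named in the message above (a check that runs but whose result is replaced by an unconditional success return), shown as an added example that is not part of the original message and is not PostgreSQL's auth.c. The functions `check_principal`, `auth_buggy` and `auth_fixed`, the `STATUS_ERROR` value and the sample principals are hypothetical and constructed for illustration; the principal parsing assumes no escaped `/` or `@` in the first component.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_OK      0
#define STATUS_ERROR (-1)

/* Does the first component of "user[/instance]@REALM" equal dbuser? */
static int check_principal(const char *principal, const char *dbuser)
{
    /* The first component ends at '/' (instance) or '@' (realm). */
    size_t n = strcspn(principal, "/@");

    if (n == 0 || n != strlen(dbuser))
        return STATUS_ERROR;
    return strncmp(principal, dbuser, n) == 0 ? STATUS_OK : STATUS_ERROR;
}

/* The check runs, but its result never reaches the caller. */
int auth_buggy(const char *principal, const char *dbuser)
{
    int ret = check_principal(principal, dbuser);

    if (ret != STATUS_OK)
        fprintf(stderr, "buggy: \"%s\" is not \"%s\", accepted anyway\n",
                principal, dbuser);
    return STATUS_OK;
}

/* Same logic, with the result of the check propagated. */
int auth_fixed(const char *principal, const char *dbuser)
{
    int ret = check_principal(principal, dbuser);

    if (ret != STATUS_OK)
        fprintf(stderr, "fixed: \"%s\" is not \"%s\", rejected\n",
                principal, dbuser);
    return ret;
}

int main(void)
{
    /* Constructed sample: a ticket for alice, a login request as postgres. */
    const char *principal = "alice@EXAMPLE.COM", *dbuser = "postgres";

    printf("buggy=%d fixed=%d\n", auth_buggy(principal, dbuser),
           auth_fixed(principal, dbuser));
    return 0;
}
```

A regression test for this kind of defect needs a negative case (valid ticket, different requested user); tests that only log in as the ticket's own principal pass with either version.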