Service principal, GSSAPI and JDBC connection issue
| From | Patrick Radtke |
|---|---|
| Subject | Service principal, GSSAPI and JDBC connection issue |
| Date | |
| Msg-id | 52A25425.8040908@stanford.edu (discussion, raw text) |
| Responses | Re: Service principal, GSSAPI and JDBC connection issue |
| List | pgsql-jdbc |
Hi,

I'm using PostgreSQL 9.1 and I have configured GSSAPI authentication for my client application. The client application has this principal: service/uaa-authz-uat01@stanford.edu and I have it mapped to the DB role/user uaa in pg_ident.conf:

```
# MAPNAME  SYSTEM-USERNAME           PG-USERNAME
krb5       service/uaa-authz-uat01   uaa
```

Connecting works fine with psql. I use k5start to get the appropriate tickets and then connect:

```
k5start -qUf /etc/oauth/keytab -- psql -h authz-uat01 -U uaa
```

However, when I try connecting with the JDBC driver I run into trouble. I've configured my JAAS config:

```
pgjdbc {
  com.sun.security.auth.module.Krb5LoginModule required
    principal="service/uaa-authz-uat01"
    useKeyTab=true
    keyTab="/etc/oauth/keytab"
    doNotPrompt=true
    useTicketCache=true
    storeKey=true
    debug=true
    renewTGT=true;
};
```

and my JDBC connection with these properties:

```
database:
  driverClassName: org.postgresql.Driver
  url: jdbc:postgresql://authz-uat01.stanford.edu/uaa?ssl=true&sslfactory=org.postgresql.ssl.NonValidatingFactory
  username: uaa
```

However, when I go to connect I get the error "No valid credentials provided (Mechanism level: Failed to find any Kerberos tgt)", which is odd because in the JAAS debug output it seems to be able to create a TGT based on the keytab just fine.

Reviewing the code in 'MakeGSS.java' I see the problem:

```java
GSSName clientName = manager.createName(user, GSSName.NT_USER_NAME);
GSSCredential clientCreds = manager.createCredential(clientName, 8*3600, desiredMechs, GSSCredential.INITIATE_ONLY);
```

The driver assumes that the client is a 'GSSName.NT_USER_NAME', which is "Name type to indicate a named user on a local system." It passes in 'uaa' (the username) to createName(), and then the next call to createCredential() fails since the TGT is for 'service/uaa-authz-uat01' and it's looking for one that matches 'uaa'. Setting the DB username to 'service/uaa-authz-uat01' gets by the GSSAPI issues, but then fails because I don't have (nor wish to have) a postgres user with the same name.

Deleting those two lines, and changing the manager.createContext() call to

```java
GSSContext secContext = manager.createContext(serverName, desiredMechs[0], null, GSSContext.DEFAULT_LIFETIME);
```

e.g. using a null for the 3rd argument, makes the driver work fine. The javadoc for manager.createContext() says "Use null to act as the default initiator principal." So... does that mean the two lines related to clientCreds/Name aren't needed at all? If they are needed for some scenarios, how can the code be modified to handle both use cases?

thanks,
Patrick
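The credential-selection behaviour described in this post, shown as an added, stand-alone Java example (it is not code from the post or from the pgjdbc driver). It assumes the JAAS entry name `pgjdbc` from the post, the hypothetical class name `GssInitiatorExample`, and that the PostgreSQL server's Kerberos service principal uses the host-based service name `postgres@<host>`. It first tries the driver's approach (acquire an INITIATE_ONLY credential whose name equals the DB user), and only if that acquisition throws falls back to passing `null` so the JGSS runtime uses the default initiator from the logged-in Subject. That is the case in the post, where the Subject holds a TGT for `service/uaa-authz-uat01` while the DB user sent in the startup message stays `uaa` and pg_ident.conf does the mapping on the server side.

```java
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

/** Added example (hypothetical class, not part of pgjdbc). */
public class GssInitiatorExample {

    // Kerberos v5 mechanism OID (well known; same mechanism the driver negotiates)
    private static final Oid KRB5_MECH = oid("1.2.840.113554.1.2.2");

    private static Oid oid(String dotted) {
        try {
            return new Oid(dotted);
        } catch (GSSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Try the driver's approach first: a credential explicitly named after the DB user.
     * If the Subject holds no Kerberos credential under that name (the situation in the
     * post, where the TGT belongs to a service principal), return null so that
     * createContext() acts as the default initiator principal instead.
     */
    static GSSCredential initiatorCredentials(GSSManager manager, String dbUser) {
        try {
            GSSName clientName = manager.createName(dbUser, GSSName.NT_USER_NAME);
            return manager.createCredential(clientName, 8 * 3600,
                    new Oid[] { KRB5_MECH }, GSSCredential.INITIATE_ONLY);
        } catch (GSSException e) {
            // "No valid credentials provided": fall back to the Subject's default initiator
            return null;
        }
    }

    /** Build the initiator context toward the PostgreSQL service on the given host. */
    static GSSContext initiatorContext(GSSManager manager, String host, String dbUser)
            throws GSSException {
        // Assumption: server principal is the host-based service "postgres@host"
        GSSName serverName = manager.createName("postgres@" + host, GSSName.NT_HOSTBASED_SERVICE);
        GSSCredential creds = initiatorCredentials(manager, dbUser);  // may be null
        GSSContext ctx = manager.createContext(serverName, KRB5_MECH, creds,
                GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);   // ask the server to prove its identity too
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "authz-uat01.stanford.edu";
        String dbUser = args.length > 1 ? args[1] : "uaa";

        // Log in through the "pgjdbc" JAAS entry from the post (keytab-based Krb5LoginModule)
        LoginContext lc = new LoginContext("pgjdbc");
        lc.login();
        Subject subject = lc.getSubject();

        // JGSS only sees the Subject's Kerberos credentials inside Subject.doAs()
        byte[] token = Subject.doAs(subject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSContext ctx = initiatorContext(GSSManager.getInstance(), host, dbUser);
            // First leg of the handshake; a real client would send this token to the server
            return ctx.initSecContext(new byte[0], 0, 0);
        });
        System.out.println("initial GSS token: " + token.length + " bytes");
    }
}
```

Run it with `-Djava.security.auth.login.config=/path/to/jaas.conf` pointing at the JAAS file from the post. With the service-principal keytab, the explicit lookup for `uaa` fails, the fallback passes `null`, and the first token is produced from the `service/uaa-authz-uat01` TGT; with a ticket cache that holds a TGT for a principal literally named `uaa`, the explicit branch succeeds and the behaviour matches the driver's original code, so both scenarios from the question are covered by one code path.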