Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used
| From | Magnus Hagander |
|---|---|
| Subject | Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used |
| Date | |
| Msg-id | CABUevEyrSAGhr4HQYdFjNwEETwQ0mnS_8PUptaYCijdv-ZsDiw@mail.gmail.com |
| In reply to | BUG #13854: SSPI authentication failure: wrong realm name used (chris@chrullrich.net) |
| Responses | Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used |
| List | pgsql-bugs |
On Fri, Jan 15, 2016 at 9:46 PM, Christian Ullrich <chris@chrullrich.net> wrote:
> * Christian Ullrich wrote:
>
>> * Christian Ullrich wrote:
>>
>>> * Christian Ullrich wrote:
>>>
>>>> According to the release notes, the default for the "include_realm"
>>>> option in SSPI authentication was changed from off to on in 9.5 for
>>>> improved security. However, the authenticated user name, with the
>>>> option enabled, includes the NetBIOS domain name, *not* the Kerberos
>>>> realm name:
>>>
>>> Below is a patch to correct this behavior. I suspect it has some
>>> serious compatibility issues, so I would appreciate feedback.
>>
>> Updated patch, sorry. The first one worked by accident only.
>
> Another update. This time even the documentation builds.
>
> One thing I'm fairly sure I need advice on is error handling and/or
> error codes. Right now I use ERROR_INVALID_ROLE_SPECIFICATION just about
> everywhere (because the surrounding SSPI code does as well), and that is
> probably not the best choice in some places.
I took a quick look at this one, and have some initial thoughts.
I don't like the name "real_realm" as a parameter name. I'm wondering if it might be better to reverse the meaning, and call it sspi_netbios_realm (and then change the default to on, to be backwards compatible).
How does the real_realm thing work if you connect with a local account? Hostname, or kerberos principal for the host?
Code uses a mix of malloc() and palloc() (through sprintf). Is there a reason for that?
Looking at the docs:
+ Note that <application>libpq</> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <application>libpq</> (e.g. through the ODBC driver), you should
+ leave this option disabled.
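Review bot: the two sentences in this hunk disagree on scope: the first says libpq falls back to the SAM-compatible name only when no explicit user name is given, while the second tells every libpq user (ODBC included) to leave the option disabled, which over-reaches, since a client that passes an explicit user name is not affected by that fallback. Suggest narrowing the advice to clients that rely on libpq's default user name, naming the option instead of saying "this option", and either defining "SAM-compatible name" or cross-referencing where it is defined, because the hunk never says what form that name takes.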
What's the actual use case where it makes sense to change it? Seems that's the more reasonable thing to document, with a reference to Active Directory specifically (or is there also such a compatible name for local accounts?)
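As an added example (not from this thread and not PostgreSQL project code), the server-side configuration a practitioner would use to keep SSPI logins working regardless of which suffix the server appends when include_realm is on: with include_realm=1 the authenticated name arrives as user@suffix, and the thread's point is that today the suffix is the NetBIOS domain name rather than the Kerberos realm. The network range, the map name, and the two suffix strings (NetBIOS name CORP, Kerberos realm CORP.EXAMPLE.COM) are assumptions; the thread does not name the domain involved.

```conf
# pg_hba.conf (added example; network, map name and realm strings are assumptions)
# TYPE  DATABASE  USER  ADDRESS       METHOD
host    all       all   10.0.0.0/8    sspi include_realm=1 map=winusers

# pg_ident.conf
# MAPNAME   SYSTEM-USERNAME                         PG-USERNAME
#
# A regular-expression system name (leading "/") with a single capture;
# \1 is substituted into the PG-USERNAME column. Accepting both the
# NetBIOS form (user@CORP, assumed) and the Kerberos-realm form
# (user@CORP.EXAMPLE.COM, assumed) means the mapping survives either
# behaviour of the server, and a change of default does not lock users out.
winusers    /^(.+)@(CORP|CORP\.EXAMPLE\.COM)$     \1
```

The map only decides which database role an authenticated Windows identity may log in as; the client still has to request that role (for example through libpq's user connection parameter), so a client that sends a different default user name is rejected at the mapping step rather than silently mapped.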