BUG #4126: KRB5/GSSAPI authentication fails for multipart Kerberos principals

From: "Peter Koczan" <pjkoczan(at)gmail(dot)com>
To: pgsql-bugs(at)postgresql(dot)org
Subject: BUG #4126: KRB5/GSSAPI authentication fails for multipart Kerberos principals
Date: 2008-04-23 17:17:01
Message-ID: 200804231717.m3NHH1vq092328@wwwmaster.postgresql.org
Lists: pgsql-bugs


The following bug has been logged online:

Bug reference: 4126
Logged by: Peter Koczan
Email address: pjkoczan(at)gmail(dot)com
PostgreSQL version: 8.3.1
Operating system: Red Hat Enterprise Linux 5
Description: KRB5/GSSAPI authentication fails for multipart Kerberos principals
Details:

When trying to connect to an 8.3 server using a multipart Kerberos principal
(e.g. ator/wsbackup(dot)cs(dot)wisc(dot)edu(at)CS(dot)WISC(dot)EDU or koczan/mail(at)CS(dot)WISC(dot)EDU
instead of wsbackup(at)CS(dot)WISC(dot)EDU or koczan(at)CS(dot)WISC(dot)EDU), the connection
fails, claiming a name mismatch. This is a change from 8.2 and I found
nothing in the changelog or documentation to suggest this change or offer a
workaround.

This happens no matter what client libraries I'm using (I'll connect using
8.3 clients only to illustrate this point).

Here's what happens with a normal login principal:

[koczan(at)ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_zWQIbO
Default principal: koczan(at)CS(dot)WISC(dot)EDU
...

[koczan(at)ator] koczan $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
current_user
--------------
koczan
(1 row)

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
Welcome to psql 8.3.1, the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.3.1 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
current_user
--------------
koczan
(1 row)

And what happens with my "mail" instance:

[root(at)ator ~]# su - koczan
[koczan(at)ator] ~ $ klist
klist: No credentials cache found (ticket cache
FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc)
...

[koczan(at)ator] ~ $ kinit -f -k -t /var/adm/krb5/quickauth/kt/koczan.mail.kt
-l 1d koczan/mail(at)CS(dot)WISC(dot)EDU
[koczan(at)ator] ~ $ klist
Ticket cache: FILE:/var/adm/krb5/tmp/tkt/krb5cc_3258_xQK9wc
Default principal: koczan/mail(at)CS(dot)WISC(dot)EDU
...

Connecting to an 8.2 server works just fine...

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 5432 sushi
Welcome to psql 8.3.1 (server 8.2.6), the PostgreSQL interactive terminal.

Type: \copyright for distribution terms
\h for help with SQL commands
\? for help with psql commands
\g or terminate with semicolon to execute query
\q to quit

WARNING: You are connected to a server with major version 8.2,
but your psql client is major version 8.3. Some backslash commands,
such as \d, might not work properly.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

sushi=> select version();
version
----------------------------------------------------------------------------
PostgreSQL 8.2.6 on i686-pc-linux-gnu, compiled by GCC gcc.bin (GCC) 3.4.4
(1 row)

sushi=> select current_user;
current_user
--------------
koczan
(1 row)

However, connecting to an 8.3 server...

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan",
database "sushi", SSL off

And this shows up in the syslog...
Apr 23 12:02:41 sensei postgres[23100]: [3-1] LOG: connection received:
host=ator.cs.wisc.edu port=49188
Apr 23 12:02:41 sensei postgres[23100]: [4-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:02:41 sensei postgres[23100]: [5-1] FATAL: Kerberos 5
authentication failed for user "koczan"
Apr 23 12:02:41 sensei postgres[23101]: [3-1] LOG: connection received:
host=ator.cs.wisc.edu port=49189
Apr 23 12:02:41 sensei postgres[23101]: [4-1] FATAL: no pg_hba.conf entry
for host "128.105.162.36", user "koczan", database "sushi", SSL off

The appropriate line in pg_hba.conf shows
hostssl all all 128.105.0.0/16 krb5

I'm connecting via native krb5, but this problem (or a variant of it) occurs
when using GSSAPI authentication...

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: no pg_hba.conf entry for host "128.105.162.36", user "koczan",
database "sushi", SSL off

Apr 23 12:08:02 sensei postgres[23257]: [4-1] LOG: connection received:
host=ator.cs.wisc.edu port=49409
Apr 23 12:08:02 sensei postgres[23257]: [5-1] FATAL: GSSAPI authentication
failed for user "koczan"
Apr 23 12:08:02 sensei postgres[23258]: [4-1] LOG: connection received:
host=ator.cs.wisc.edu port=49410
Apr 23 12:08:02 sensei postgres[23258]: [5-1] FATAL: no pg_hba.conf entry
for host "128.105.162.36", user "koczan", database "sushi", SSL off

Different things happen when I turn SSL off, but it's still failing to
connect...

Native krb5 / SSL off:

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: FATAL: Kerberos 5 authentication failed for user "koczan"

Apr 23 12:12:10 sensei postgres[23327]: [6-1] LOG: connection received:
host=ator.cs.wisc.edu port=49525
Apr 23 12:12:11 sensei postgres[23327]: [7-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23327]: [8-1] FATAL: Kerberos 5
authentication failed for user "koczan"
Apr 23 12:12:11 sensei postgres[23328]: [6-1] LOG: connection received:
host=ator.cs.wisc.edu port=49526
Apr 23 12:12:11 sensei postgres[23328]: [7-1] LOG: unexpected Kerberos user
name received from client (received "koczan", expected "koczan/mail")
Apr 23 12:12:11 sensei postgres[23328]: [8-1] FATAL: Kerberos 5
authentication failed for user "koczan"

GSSAPI / SSL off:

[koczan(at)ator] ~ $ /s/postgresql-8.3/bin/psql -h sensei -p 49173 sushi
psql: duplicate GSS authentication request

Apr 23 12:10:21 sensei postgres[23287]: [5-1] LOG: connection received:
host=ator.cs.wisc.edu port=49462
Apr 23 12:10:22 sensei postgres[23287]: [6-1] FATAL: GSSAPI authentication
failed for user "koczan"
Apr 23 12:10:22 sensei postgres[23288]: [5-1] LOG: connection received:
host=ator.cs.wisc.edu port=49463
Apr 23 12:10:22 sensei postgres[23288]: [6-1] FATAL: GSSAPI authentication
failed for user "koczan"
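The log line `unexpected Kerberos user name received from client (received "koczan", expected "koczan/mail")` is the whole story: the 8.3 server derives the role name it requires from the full principal minus the realm, while the successful 8.2 logins in the report show a server that was satisfied by the first component alone. The following Python model, added here as an illustration and not PostgreSQL's own code, parses a principal into primary/instance/realm, derives the required role under both mapping policies, and scans the report's syslog lines for the mismatch message. The policy names `primary` and `full` are labels introduced for this example, not server options; the `primary` behaviour is inferred from the report's 8.2 results and the `full` behaviour from the 8.3 log line. Principals and log lines are the report's own, with the anti-spam `(at)`/`(dot)` obfuscation undone.

```python
"""Model of the Kerberos-principal-to-role check behind BUG #4126.

Added example, not PostgreSQL source. Policy names 'primary' and 'full'
are assumptions made here to label the two behaviours the report shows.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Principal:
    primary: str             # first name component, e.g. "koczan"
    instance: Optional[str]  # remaining components joined by "/", e.g. "mail"
    realm: Optional[str]     # part after "@", e.g. "CS.WISC.EDU"


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance...]@REALM' into its parts.

    Realm is everything after the last '@'; instance is everything after
    the first '/' (Kerberos allows more than two components, e.g.
    ator/wsbackup.cs.wisc.edu). Backslash-escaped separators are not handled;
    this is a model of the name comparison, not a full principal parser.
    """
    name, at, realm = text.rpartition("@")
    if not at:                       # no realm present
        name, realm = text, None
    primary, slash, instance = name.partition("/")
    if not primary:
        raise ValueError(f"principal has no primary component: {text!r}")
    return Principal(primary, instance if slash else None, realm or None)


def expected_role(p: Principal, policy: str) -> str:
    """Role name the server will demand for this principal.

    'primary' -> first component only ("koczan"): what the report's
                 successful 8.2 logins imply.
    'full'    -> principal without realm ("koczan/mail"): what the 8.3 log
                 line states the server expected.
    """
    if policy == "primary":
        return p.primary
    if policy == "full":
        return p.primary if p.instance is None else f"{p.primary}/{p.instance}"
    raise ValueError(f"unknown policy {policy!r}")


def check_login(principal: str, role: str, policy: str) -> Tuple[bool, str]:
    """Return (accepted, message) for a client presenting `role` under `principal`."""
    expected = expected_role(parse_principal(principal), policy)
    if role == expected:
        return True, f'accepted: role "{role}" matches principal {principal}'
    # Same wording as the server message quoted in the report.
    return False, ('unexpected Kerberos user name received from client '
                   f'(received "{role}", expected "{expected}")')


MISMATCH_RE = re.compile(
    r'unexpected Kerberos user name received from client '
    r'\(received "([^"]*)", expected "([^"]*)"\)')


def find_mismatches(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Extract (received, expected) pairs from syslog text.

    The report shows each server message wrapped over two lines, so lines are
    joined with a space before matching.
    """
    text = " ".join(line.strip() for line in log_lines)
    return MISMATCH_RE.findall(text)


# Syslog excerpt copied from the report (native krb5, SSL off).
SAMPLE_SYSLOG = [
    'Apr 23 12:12:10 sensei postgres[23327]: [6-1] LOG: connection received:',
    'host=ator.cs.wisc.edu port=49525',
    'Apr 23 12:12:11 sensei postgres[23327]: [7-1] LOG: unexpected Kerberos user',
    'name received from client (received "koczan", expected "koczan/mail")',
    'Apr 23 12:12:11 sensei postgres[23327]: [8-1] FATAL: Kerberos 5',
    'authentication failed for user "koczan"',
]

if __name__ == "__main__":
    for policy in ("primary", "full"):
        for principal in ("koczan@CS.WISC.EDU", "koczan/mail@CS.WISC.EDU"):
            ok, msg = check_login(principal, "koczan", policy)
            print(f"[{policy:7}] {principal:26} -> {'OK ' if ok else 'FAIL'} {msg}")
    print("mismatches in syslog:", find_mismatches(SAMPLE_SYSLOG))
```

Run as a script it shows `koczan/mail@CS.WISC.EDU` accepted as role `koczan` under the `primary` policy and rejected under `full`, which is exactly the 8.2-works/8.3-fails pattern in the report. From a defender's point of view the comparison is the control that keeps a `koczan/mail` service principal from acting as the `koczan` role (and vice versa), so the resolution is to give the server a role name that matches what it expects for that principal, or whatever principal-to-role mapping the server version provides, rather than loosening the check; `find_mismatches` is the kind of log query that makes such failures easy to spot in bulk.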
