| From: | Stephen Frost <sfrost(at)snowman(dot)net> |
|---|---|
| To: | Magnus Hagander <magnus(at)hagander(dot)net> |
| Cc: | PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Open item: kerberos warning message |
| Date: | 2009-01-08 16:22:39 |
| Message-ID: | 20090108162239.GT26233@tamriel.snowman.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Magnus, et al,
* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> Looking at the open item about the new error message shown when Kerberos
> is compiled in, and not used:
> assword:
> FATAL: password authentication failed for user "mha"
> psql: pg_krb5_init: krb5_cc_get_principal: No credentials cache found
> FATAL: password authentication failed for user "mha"
That is annoying, I can understand that.
> The reason this is happening is that we are initializing Kerberos even
> if we're not going to use it. The reason for doing *this*, is that if
> kerberos is compiled in, we use it to find out if we should try a
> different username than the one logged in to the local system - we look
> at the kerberos login.
This made sense before we had mappings support because the only user you
could possibly be in PG is the one you authenticated as.
> We don't do this for any other login, including kerberos over GSSAPI.
> AFAIK, we've heard no complaints.
Well, I havn't moved all my systems to GSSAPI yet.. :)
> Thoughts?
Now that we have support for mappings, I expect it will be more common
for a user to authenticate with princ 'A' and then connect using their
Unix id 'B' to a PG user 'B'. As such, I'm alright with dropping
support for this. Users can always use -U (or equiv) if necessary.
Thanks,
Stephen
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Bruce Momjian | 2009-01-08 16:24:46 | Re: Proposal: new border setting in psql |
| Previous Message | phpquebec | 2009-01-08 16:20:27 | PHP Quebec Conference 2009 Get Further with PHP |