Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From: Peter Koczan <pjkoczan(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date: 2009-05-27 20:40:40
Message-ID: 4544e0330905271340h592749f9qb8e64c467c774fc3@mail.gmail.com
Lists: pgsql-bugs

I don't know if it's much use now, but here you go.

On Wed, May 27, 2009 at 3:15 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?

gssapi

> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?

pg_hba.conf

# this part disables remote "postgres" superuser connections
hostssl all postgres 127.0.0.1/32 gss
hostssl all postgres 128.105.207.19/32 gss
hostssl all postgres 128.105.0.0/16 reject
hostssl all postgres 198.133.224.0/24 reject

# this part enables non-superuser connections
hostssl all nobody 128.105.0.0/16 trust
hostssl all nobody 198.133.224.0/24 trust
hostssl all all 128.105.0.0/16 gss
hostssl all all 198.133.224.0/24 gss

postgresql.conf
# Kerberos and GSSAPI
krb_server_keyfile = '/etc/v5srvtab.postgres'
#krb_srvname = 'postgres' # (Kerberos only)
#krb_caseins_users = off

> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Connecting like this...
[koczan(at)ator] koczan $ /s/postgresql-8.4-beta/bin/psql -h mitchell -p 49173 -U strivia postgres

Produced this in the syslog.
May 27 15:37:29 mitchell postgres[30574]: [624-1] DEBUG: forked new backend, pid=30609 socket=8
May 27 15:37:29 mitchell postgres[30609]: [624-1] LOG: connection received: host=ator.cs.wisc.edu port=44228
May 27 15:37:29 mitchell postgres[30609]: [625-1] DEBUG: SSL connection from "(anonymous)"
May 27 15:37:29 mitchell postgres[30609]: [626-1] DEBUG: Processing received GSS token of length 477
May 27 15:37:29 mitchell postgres[30609]: [627-1] DEBUG: sending GSS response token of length 114
May 27 15:37:29 mitchell postgres[30609]: [628-1] DEBUG: sending GSS token of length 114
May 27 15:37:29 mitchell postgres[30609]: [629-1] LOG: provided username (koczan) and authenticated username (strivia) don't match
May 27 15:37:29 mitchell postgres[30609]: [630-1] LOG: connection authorized: user=strivia database=postgres
May 27 15:37:29 mitchell postgres[30609]: [631-1] DEBUG: postgres child[30609]: starting with (
May 27 15:37:29 mitchell postgres[30609]: [632-1] DEBUG: postgres
May 27 15:37:29 mitchell postgres[30609]: [633-1] DEBUG: -v196608
May 27 15:37:29 mitchell postgres[30609]: [634-1] DEBUG: -y
May 27 15:37:29 mitchell postgres[30609]: [635-1] DEBUG: postgres
May 27 15:37:29 mitchell postgres[30609]: [636-1] DEBUG: )
May 27 15:37:29 mitchell postgres[30609]: [637-1] DEBUG: InitPostgres
May 27 15:37:29 mitchell postgres[30609]: [638-1] DEBUG: my backend id is 1
May 27 15:37:29 mitchell postgres[30609]: [639-1] DEBUG: StartTransaction
May 27 15:37:29 mitchell postgres[30609]: [640-1] DEBUG: name: unnamed; blockState: DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
May 27 15:37:29 mitchell postgres[30609]: [641-1] DEBUG: CommitTransaction
May 27 15:37:29 mitchell postgres[30609]: [642-1] DEBUG: name: unnamed; blockState: STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
....
May 27 15:37:55 mitchell postgres[30574]: [625-1] DEBUG: reaping dead processes
May 27 15:37:55 mitchell postgres[30574]: [626-1] DEBUG: server process (PID 30612) exited with exit code 0
May 27 15:38:24 mitchell postgres[30609]: [643-1] DEBUG: shmem_exit(0)
May 27 15:38:24 mitchell postgres[30609]: [644-1] DEBUG: proc_exit(0)
May 27 15:38:24 mitchell postgres[30609]: [645-1] LOG: disconnection: session time: 0:00:54.389 user=strivia database=postgres host=ator.cs.wisc.edu port=44228
May 27 15:38:24 mitchell postgres[30609]: [646-1] DEBUG: SSL: write alert (0x0100)
May 27 15:38:24 mitchell postgres[30609]: [647-1] DEBUG: exit(0)
May 27 15:38:24 mitchell postgres[30609]: [648-1] DEBUG: shmem_exit(-1)
May 27 15:38:24 mitchell postgres[30609]: [649-1] DEBUG: proc_exit(-1)

Peter
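
Added example, not part of the original message or of PostgreSQL: a log check that correlates entries by backend PID and reports every session that logged the "provided username ... don't match" line, noting whether the same backend then logged "connection authorized". It assumes each syslog entry sits on one line in the format shown above; the function name, host names, PIDs and user names in the sample are constructed for illustration.

```python
import re

# Constructed sample in the syslog format shown in the message above
# (host names, PIDs and user names are made up for this example).
SAMPLE_LOG = """\
May 27 15:37:29 dbhost postgres[30609]: [624-1] LOG: connection received: host=client1.example.org port=44228
May 27 15:37:29 dbhost postgres[30609]: [629-1] LOG: provided username (alice) and authenticated username (bob) don't match
May 27 15:37:29 dbhost postgres[30609]: [630-1] LOG: connection authorized: user=bob database=postgres
May 27 15:40:02 dbhost postgres[30700]: [624-1] LOG: connection received: host=client2.example.org port=51022
May 27 15:40:02 dbhost postgres[30700]: [626-1] LOG: connection authorized: user=carol database=postgres
May 27 15:41:10 dbhost postgres[30811]: [624-1] LOG: connection received: host=client3.example.org port=40111
May 27 15:41:10 dbhost postgres[30811]: [627-1] LOG: provided username (dave) and authenticated username (erin) don't match
"""

LINE = re.compile(r"postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] (?P<level>[A-Z]+):\s+(?P<msg>.*)$")
MISMATCH = re.compile(r"provided username \((?P<provided>[^)]*)\) and "
                      r"authenticated username \((?P<authenticated>[^)]*)\) don't match")
AUTHORIZED = re.compile(r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")
RECEIVED = re.compile(r"connection received: host=(?P<host>\S+)")

def mismatched_sessions(log_text):
    """Return one record per session that logged a username mismatch.
    'authorized' is True when the same backend then authorized the connection."""
    current, records = {}, []      # current: pid -> record of the live session
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m or m["level"] != "LOG":
            continue
        pid, msg = m["pid"], m["msg"]
        if (r := RECEIVED.search(msg)):
            # A new connection starts a new record, so a reused PID is not merged.
            current[pid] = {"pid": pid, "host": r["host"], "authorized": False}
            records.append(current[pid])
        rec = current.get(pid)
        if rec is None:            # log excerpt starts mid-session; nothing to attach to
            continue
        if (mm := MISMATCH.search(msg)):
            rec.update(mm.groupdict())
        elif (a := AUTHORIZED.search(msg)):
            rec.update(authorized=True, user=a["user"], database=a["db"])
    return [r for r in records if "provided" in r]

if __name__ == "__main__":
    for rec in mismatched_sessions(SAMPLE_LOG):
        print(rec)
```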
