Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From: Peter Koczan <pjkoczan(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date: 2009-05-27 20:40:40
Message-ID: 4544e0330905271340h592749f9qb8e64c467c774fc3@mail.gmail.com
Lists: pgsql-bugs
I don't know if it's much use now, but here you go.

On Wed, May 27, 2009 at 3:15 PM, Magnus Hagander <magnus(at)hagander(dot)net> wrote:
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?

gssapi

> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?

pg_hba.conf

# this part disables remote "postgres" superuser connections
hostssl all         postgres    127.0.0.1/32       gss
hostssl all         postgres    128.105.207.19/32  gss
hostssl all         postgres    128.105.0.0/16     reject
hostssl all         postgres    198.133.224.0/24   reject

# this part enables non-superuser connections
hostssl all         nobody      128.105.0.0/16     trust
hostssl all         nobody      198.133.224.0/24   trust
hostssl all         all         128.105.0.0/16     gss
hostssl all         all         198.133.224.0/24   gss


postgresql.conf
# Kerberos and GSSAPI
krb_server_keyfile = '/etc/v5srvtab.postgres'
#krb_srvname = 'postgres'               # (Kerberos only)
#krb_caseins_users = off

> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Connecting like this...
[koczan(at)ator] koczan $ /s/postgresql-8.4-beta/bin/psql -h mitchell -p 49173 -U strivia postgres

Produced this in the syslog.
May 27 15:37:29 mitchell postgres[30574]: [624-1] DEBUG:  forked new backend, pid=30609 socket=8
May 27 15:37:29 mitchell postgres[30609]: [624-1] LOG:  connection received: host=ator.cs.wisc.edu port=44228
May 27 15:37:29 mitchell postgres[30609]: [625-1] DEBUG:  SSL connection from "(anonymous)"
May 27 15:37:29 mitchell postgres[30609]: [626-1] DEBUG:  Processing received GSS token of length 477
May 27 15:37:29 mitchell postgres[30609]: [627-1] DEBUG:  sending GSS response token of length 114
May 27 15:37:29 mitchell postgres[30609]: [628-1] DEBUG:  sending GSS token of length 114
May 27 15:37:29 mitchell postgres[30609]: [629-1] LOG:  provided username (koczan) and authenticated username (strivia) don't match
May 27 15:37:29 mitchell postgres[30609]: [630-1] LOG:  connection authorized: user=strivia database=postgres
May 27 15:37:29 mitchell postgres[30609]: [631-1] DEBUG:  postgres child[30609]: starting with (
May 27 15:37:29 mitchell postgres[30609]: [632-1] DEBUG:        postgres
May 27 15:37:29 mitchell postgres[30609]: [633-1] DEBUG:        -v196608
May 27 15:37:29 mitchell postgres[30609]: [634-1] DEBUG:        -y
May 27 15:37:29 mitchell postgres[30609]: [635-1] DEBUG:        postgres
May 27 15:37:29 mitchell postgres[30609]: [636-1] DEBUG:  )
May 27 15:37:29 mitchell postgres[30609]: [637-1] DEBUG:  InitPostgres
May 27 15:37:29 mitchell postgres[30609]: [638-1] DEBUG:  my backend id is 1
May 27 15:37:29 mitchell postgres[30609]: [639-1] DEBUG:  StartTransaction
May 27 15:37:29 mitchell postgres[30609]: [640-1] DEBUG:  name: unnamed; blockState:       DEFAULT; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
May 27 15:37:29 mitchell postgres[30609]: [641-1] DEBUG:  CommitTransaction
May 27 15:37:29 mitchell postgres[30609]: [642-1] DEBUG:  name: unnamed; blockState:       STARTED; state: INPROGR, xid/subid/cid: 0/1/0, nestlvl: 1, children:
....
May 27 15:37:55 mitchell postgres[30574]: [625-1] DEBUG:  reaping dead processes
May 27 15:37:55 mitchell postgres[30574]: [626-1] DEBUG:  server process (PID 30612) exited with exit code 0
May 27 15:38:24 mitchell postgres[30609]: [643-1] DEBUG:  shmem_exit(0)
May 27 15:38:24 mitchell postgres[30609]: [644-1] DEBUG:  proc_exit(0)
May 27 15:38:24 mitchell postgres[30609]: [645-1] LOG:  disconnection: session time: 0:00:54.389 user=strivia database=postgres host=ator.cs.wisc.edu port=44228
May 27 15:38:24 mitchell postgres[30609]: [646-1] DEBUG:  SSL: write alert (0x0100)
May 27 15:38:24 mitchell postgres[30609]: [647-1] DEBUG:  exit(0)
May 27 15:38:24 mitchell postgres[30609]: [648-1] DEBUG:  shmem_exit(-1)
May 27 15:38:24 mitchell postgres[30609]: [649-1] DEBUG:  proc_exit(-1)

Peter
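
Added example, not part of the original message and not PostgreSQL code: a Python check that scans syslog-format server logs for backends that logged a provided/authenticated username mismatch and were then authorized anyway, the pair of LOG lines that PID 30609 shows in the excerpt above. The sample lines, host names and user names are constructed, and each log entry is assumed to sit on a single line.

```python
import re

# Syslog prefix: "<time> <host> postgres[<pid>]: [<n>-<m>] <LEVEL>:  <message>"
LINE = re.compile(r"postgres\[(?P<pid>\d+)\]: \[\d+-\d+\] [A-Z]+:\s+(?P<msg>.*)$")
MISMATCH = re.compile(r"provided username \((?P<provided>[^)]*)\) and "
                      r"authenticated username \((?P<authenticated>[^)]*)\) don't match")
AUTHORIZED = re.compile(r"connection authorized: user=(?P<user>\S+) database=(?P<db>\S+)")

# Constructed sample input, modelled on the log format in the message above.
SAMPLE = """\
May 27 15:37:29 dbhost postgres[101]: [1-1] LOG:  connection received: host=client.example port=40001
May 27 15:37:29 dbhost postgres[101]: [2-1] LOG:  provided username (alice) and authenticated username (bob) don't match
May 27 15:37:29 dbhost postgres[101]: [3-1] LOG:  connection authorized: user=bob database=postgres
May 27 15:37:30 dbhost postgres[102]: [1-1] LOG:  connection received: host=client.example port=40002
May 27 15:37:30 dbhost postgres[102]: [2-1] LOG:  connection authorized: user=carol database=postgres
May 27 15:37:31 dbhost postgres[103]: [1-1] LOG:  connection received: host=client.example port=40003
May 27 15:37:31 dbhost postgres[103]: [2-1] LOG:  provided username (dave) and authenticated username (erin) don't match
May 27 15:37:31 dbhost postgres[103]: [3-1] FATAL:  GSSAPI authentication failed for user "erin"
""".splitlines()

def find_authorized_mismatches(lines):
    """Return one finding per backend that logged a mismatch and was then authorized."""
    pending = {}    # pid -> mismatch details still waiting for an outcome
    findings = []
    for raw in lines:
        m = LINE.search(raw)
        if not m:
            continue                      # not a postgres syslog line
        pid, msg = m["pid"], m["msg"]
        if msg.startswith("connection received"):
            pending.pop(pid, None)        # new backend; PIDs can be reused
            continue
        mismatch = MISMATCH.search(msg)
        if mismatch:
            pending[pid] = mismatch.groupdict()
            continue
        authorized = AUTHORIZED.search(msg)
        if authorized and pid in pending:
            # Same backend: mismatch was logged, yet the session was let in.
            findings.append({"pid": pid, **pending.pop(pid), **authorized.groupdict()})
    return findings

if __name__ == "__main__":
    for finding in find_authorized_mismatches(SAMPLE):
        print(finding)
```

Correlating on the backend PID keeps unrelated sessions apart; a mismatch followed by a rejection (PID 103 in the sample) is not reported.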