| From: | Peter Koczan <pjkoczan(at)gmail(dot)com> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Magnus Hagander <magnus(at)hagander(dot)net>, pgsql-bugs(at)postgresql(dot)org |
| Subject: | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
| Date: | 2009-05-28 19:09:42 |
| Message-ID: | 4544e0330905281209p4f336605l80e2d57737e49e86@mail.gmail.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-bugs |
On Thu, May 28, 2009 at 2:07 PM, Peter Koczan <pjkoczan(at)gmail(dot)com> wrote:
> On Thu, May 28, 2009 at 1:30 PM, Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> wrote:
>> Peter Koczan <pjkoczan(at)gmail(dot)com> writes:
>>> It was rather convenient to know that whatever Kerberos principal was
>>> used was going to be the database user.
>>
>> Isn't that still true? (Modulo the auth.c bug fix of course.) The only
>> issue here is where the default guess for a not-explicitly-specified
>> username comes from, not whether you'll be allowed to connect or not.
>
> That's what I meant. It was convenient to have the default guess be
> the Kerberos principal for krb5/gss connections. This is still the
> case in the vast majority of connections, so it's probably not worth
> bending over backwards to satisfy these edge cases.
And by "this is still the case", I mean that the principal name and
the username line up and exhibit the same overt behavior. Not that the
principal forces the username.
I need a break. :-)
Peter
| From | Date | Subject | |
|---|---|---|---|
| Next Message | alex | 2009-05-28 19:32:52 | BUG #4828: Fault a foreign key |
| Previous Message | Peter Koczan | 2009-05-28 19:07:17 | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |