| From: | Magnus Hagander <magnus(at)hagander(dot)net> |
|---|---|
| To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
| Cc: | Peter Eisentraut <peter_e(at)gmx(dot)net>, PG Hackers <pgsql-hackers(at)postgresql(dot)org> |
| Subject: | Re: Spurious Kerberos error messages |
| Date: | 2008-11-09 17:18:21 |
| Message-ID: | 49171B5D.70404@hagander.net |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Another option would be not to call the kerberos code there at all. All
>> other authentication methods that take the userid externally (gssapi,
>> sspi, ident) require the user to specify the name to connect as if it's
>> different from the one in the operating system. I think that's a very
>> uncommon scenario in any case - almost everybody will be using whatever
>> userid is used in the system, when using Kerberos.
>
> Hmm, that's an interesting alternative. I like it because it takes away
> some useless connection-startup overhead in the common case where you're
> using a Kerberos-enabled library but Kerberos isn't set up on the system.
> Another possible argument in favor is that it's bogus to ask Kerberos
> for the username unless the actual auth method is Kerberos --- which is
> something libpq can't know at that point.
Yeah, that's my thought as well.
> OTOH, that code was put in deliberately. It might be a good idea to
> troll the archives and see if we can find out the rationale for it.
AFAICS, it's been there since before our CVS history started... Not
exactly in the same form, but the call to pg_krb5_authname was in
fe_getauthname...
//Magnus
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Andrew Dunstan | 2008-11-09 17:30:39 | Re: Spurious Kerberos error messages |
| Previous Message | Tom Lane | 2008-11-09 17:03:15 | Re: Spurious Kerberos error messages |