Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

From: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal
Date: 2009-05-27 22:16:35
Message-ID: 19415.1243462595@sss.pgh.pa.us
Lists: pgsql-bugs

Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Magnus Hagander wrote:
>> Tom Lane wrote:
>>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>>> Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
>>>> "return ret" not "return STATUS_OK".
>>> Doh.
>>
>> yeah. Will apply patch.

> And, applied.

I have also patched the release notes to better explain the intentional
change that I initially thought Peter was complaining about:

diff -r1.6 release-8.4.sgml
2706,2707c2706,2707
< Make Kerberos connections use the same method to determine the
< username of the client as all other authentication methods (Magnus)
---
> Do not rely on Kerberos tickets to determine the default database
> username (Magnus)
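Review bot: The new item title, "Do not rely on Kerberos tickets to determine the default database username", does not say which component changed, while the paragraph that follows makes clear it is libpq's client-side default. Consider naming libpq in the title so that readers scanning the release-note headings can tell this is a client-library behavior change rather than a server authentication change.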
2711c2711,2717
< Previously a special Kerberos-only API was used.
---
> Previously, a Kerberos-capable build of libpq would use the
> principal name from any available Kerberos ticket as default
> database username, even if the connection wasn't using Kerberos
> authentication. This was deemed inconsistent and confusing.
> The default username is now determined the same way with or
> without Kerberos. Note however that the database username must still
> match the ticket when Kerberos authentication is used.
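Review bot: The closing sentence, "Note however that the database username must still match the ticket when Kerberos authentication is used", states the constraint but not what a user who depended on the old default has to do now. Since the paragraph says the default username no longer comes from the ticket, it would help to add that the database username has to be given explicitly when the default would not match the principal. Minor style point in the same sentence: "Note, however, that" reads better with the commas.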

What this still leaves us with is whether that change is a bad idea or
not. I still think it's OK, but maybe Peter can point to something
else.

regards, tom lane
