From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | Magnus Hagander <magnus(at)hagander(dot)net> |
Cc: | Peter Koczan <pjkoczan(at)gmail(dot)com>, pgsql-bugs(at)postgresql(dot)org |
Subject: | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |
Date: | 2009-05-27 22:16:35 |
Message-ID: | 19415.1243462595@sss.pgh.pa.us |
Views: | Raw Message | Whole Thread | Download mbox | Resend email |
Thread: | |
Lists: | pgsql-bugs |
Magnus Hagander <magnus(at)hagander(dot)net> writes:
> Magnus Hagander wrote:
>> Tom Lane wrote:
>>> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>>>> Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
>>>> "return ret" not "return STATUS_OK".
>>> Doh.
>>
>> yeah. WIll apply patch.
> And, applied.
I have also patched the release notes to better explain the intentional
change that I initially thought Peter was complaining about:
diff -r1.6 release-8.4.sgml
2706,2707c2706,2707
< Make Kerberos connections use the same method to determine the
< username of the client as all other authentication methods (Magnus)
---
> Do not rely on Kerberos tickets to determine the default database
> username (Magnus)
2711c2711,2717
< Previously a special Kerberos-only API was used.
---
> Previously, a Kerberos-capable build of libpq would use the
> principal name from any available Kerberos ticket as default
> database username, even if the connection wasn't using Kerberos
> authentication. This was deemed inconsistent and confusing.
> The default username is now determined the same way with or
> without Kerberos. Note however that the database username must still
> match the ticket when Kerberos authentication is used.
What this still leaves us with is whether that change is a bad idea or
not. I still think it's OK, but maybe Peter can point to something
else.
regards, tom lane
From | Date | Subject | |
---|---|---|---|
Next Message | Craig Ringer | 2009-05-28 08:19:32 | Re: BUG #4825: Before installation the server not running |
Previous Message | Magnus Hagander | 2009-05-27 21:08:52 | Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal |