Re: GSSAPI/SSPI and mismatched user names

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Brian Crowell <brian(at)fluggo(dot)com>
Cc: "pgsql-general(at)postgresql(dot)org >> PG-General Mailing List" <pgsql-general(at)postgresql(dot)org>
Subject: Re: GSSAPI/SSPI and mismatched user names
Date: 2014-02-24 19:06:01
Message-ID: 20140224190601.GP2921@tamriel.snowman.net
Lists: pgsql-general

* Brian Crowell (brian(at)fluggo(dot)com) wrote:
> On Mon, Feb 24, 2014 at 12:55 PM, Stephen Frost <sfrost(at)snowman(dot)net> wrote:
> > * Brian Crowell (brian(at)fluggo(dot)com) wrote:
> >> https://github.com/npgsql/Npgsql/issues/162#issuecomment-35916650
> >
> > Reading through this- can't you use GSSAPI to get the Kerberos princ
> > found the ticket which is constructed? I'm pretty sure the MIT
> > libraries support that, at least...
>
> I expected I might be able to do that on Linux, but right now I'm
> trying to work out the Windows non-domain case.

I'm afraid you're going to need to try harder to find out how to get the
Windows GSSAPI/SSPI code to give you the princ. I was actually pretty
sure that GSSAPI defined a way, but I don't know the Windows side of it
or if they decided to not bother implementing parts of GSSAPI.

> Unfortunately, in this case I don't even have a wrong-cased username
> to start with. I have the user name of the logged-in non-domain user,
> which is not the user name of the domain credentials I'm sending
> across the network.

You're going to need to figure out how to tell PG what PG user you want
to log in as in the initial packet.

> > We need the username to figure out which auth method we're using...
>
> Oh dear.

Exactly- this is not something we can solve with a little bit of
tweaking...

Thanks,

Stephen
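
Added example, not part of the original message or of PostgreSQL's own code: it builds and parses a protocol 3.0 StartupMessage and picks an auth method from the `user` parameter alone, before any GSSAPI/SSPI token is exchanged. The role names, database name and rule list are constructed, and the rule matching is a deliberate simplification of pg_hba.conf.

```python
import struct

PROTOCOL_3_0 = 3 << 16  # major version 3, minor version 0

def build_startup(params):
    """Client side: Int32 length (self-inclusive), Int32 version,
    NUL-terminated key/value strings, then one closing NUL byte."""
    body = struct.pack("!I", PROTOCOL_3_0)
    for key, value in params.items():
        body += key.encode() + b"\x00" + value.encode() + b"\x00"
    body += b"\x00"
    return struct.pack("!I", len(body) + 4) + body

def parse_startup(packet):
    """Server side: recover the parameters seen before authentication starts."""
    if len(packet) < 9:
        raise ValueError("truncated StartupMessage")
    length, version = struct.unpack("!II", packet[:8])
    if length != len(packet) or version != PROTOCOL_3_0 or packet[-1:] != b"\x00":
        raise ValueError("not a complete v3 StartupMessage")
    fields = packet[8:-1].split(b"\x00")[:-1]  # drop the empty tail after the last NUL
    if len(fields) % 2:
        raise ValueError("parameter name without a value")
    return {fields[i].decode(): fields[i + 1].decode()
            for i in range(0, len(fields), 2)}

# Constructed rules, simplified to (database, user, method). Real pg_hba.conf
# lines also match on connection type and client address.
HBA_RULES = [("all", "brian", "gss"), ("all", "all", "md5")]

def pick_auth_method(packet, rules=HBA_RULES):
    """First matching rule wins; the Kerberos principal is not known yet."""
    params = parse_startup(packet)
    user = params.get("user")
    if not user:
        raise ValueError("startup packet carries no user name")
    database = params.get("database", user)  # database defaults to the user name
    for rule_db, rule_user, method in rules:
        if rule_db in ("all", database) and rule_user in ("all", user):
            return method
    raise LookupError("no rule matches this user and database")

if __name__ == "__main__":
    # "localuser" stands in for the local non-domain account name,
    # "brian" for the PostgreSQL role the domain credentials should map to.
    for name in ("localuser", "brian"):
        pkt = build_startup({"user": name, "database": "app"})
        print(name, "->", pick_auth_method(pkt))
```

With these constructed rules, a client that sends the local account name is never offered GSSAPI at all, because the method is chosen from the startup parameters before a ticket is presented.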
