Re: SSPI authentication - patch

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> Stephen Frost wrote:
>>> That's true, but if we used upper-case with something NEW (SSPI) while
>>> keeping it the same for the OLD (KRB5, and I'd vote GSSAPI) then we're
>>> not breaking backwards compatibility while also catering to the masses.
>>> I guess I don't see too many people using SSPI w/ an MIT KDC, and it
>>> wasn't possible previously anyway.
>>>
>>> What do you think?
>
>> Hmm. It makes the default a lot less clear, and opens up for confusion.
>> So I'm not so sure I like it :-)
>
> A non-backward-compatible behavior change is going to cause a lot of
> confusion too.

Yeah.

> If I have things straight (and I'm not sure I do) then we are treating
> sspi as a different type of auth method. It would be sane, or at least
> explainable, to have a different default name for the different auth
> method. I think a platform-dependent default would seriously suck,
> and changing the default behavior for existing configurations would
> break things. So Stephen's suggestion seemed plausible to me.

We use SSPI *both* as a protocol (windows talking to windows) and as an
API to go GSSAPI authentication (windows talking to unix, or windows
talking to windows with extra mit krb libraries).

Now, we can have two different defaults both for SSPI, but that's just
going to be too confusing I think. It's better to just keep the default
at "postgres" in that case, and tell people that if they use AD as their
KDC, they need to change it.

SSPI windows to windows will actually work without doing that, because
it will fallback to NTLM authentication if it's wrong. Windows to Unix
will not.

//Magnus