Re: BUG #4824: KRB5/GSSAPI authentication fails when user != principal

Tom Lane wrote:
> Peter Koczan <pjkoczan(at)gmail(dot)com> writes:
>> This is trust authentication with one rather inconsequential bit of
>> verification, that's a fundamental breakage. One of the major points
>> of Kerberos is that, for anything that talks Kerberos, you are the
>> principal in that ticket. I understand the desire to change some of
>> that old code, but why is that principal being ignored?
>
> Well, the reason for that change was that the libpq code was absorbing
> userid from any available Kerberos ticket, even if the server
> subsequently issued a non-Kerberos authentication challenge. I still
> think that was wrong. What your complaint seems to suggest is that
> the server-side Kerberos auth code should be insisting that the supplied
> principal's first component match the requested database userid.
> I kinda thought we *had* been doing that, but can't claim to have read
> that code closely. Magnus?

We are certainly *supposed* to do that. And we have been doing that. So
if that's not done, it's been broken in 8.4 (most likely by me).

Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
but from your messages it looks like you have gssapi?

Can you show us your pg_hba.conf file, and all lines with krb in them
from postgresql.conf?

Also, can you try it with the server set to log at DEBUG4, and let us
know what output you get?

--
Magnus Hagander
Self: http://www.hagander.net/
Work: http://www.redpill-linpro.com/