Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used

From: Christian Ullrich <chris(at)chrullrich(dot)net>
To: pgsql-bugs(at)postgresql(dot)org
Cc: pgsql-hackers(at)postgresql(dot)org
Subject: Re: [HACKERS] BUG #13854: SSPI authentication failure: wrong realm name used
Date: 2016-03-20 15:45:08
Message-ID: 56EEC584.1080702@chrullrich.net
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers

* Christian Ullrich wrote:

> * From: Magnus Hagander [mailto:magnus(at)hagander(dot)net]

>> I don't like the name "real_realm" as a parameter name. I'm wondering if
>> it might be better to reverse the meaning, and call it sspi_netbios_realm
>> (and then change the default to on, to be backwards compatible).
>
> What about "compat_realm" instead? "sspi_netbios_realm" is a bit long.
> Also, the domain short name is not really a realm name, and this would
> feel like implying that it is.

I changed it to "compat_realm".

>> Code uses a mix of malloc() and palloc() (through sprintf). Is there a
>> reason for that?
>
> I wasn't sure which to prefer, so I looked around in auth.c, and other than
> RADIUS, everything seems to use malloc() (although the sample size is not
> too great). Should I use palloc() instead?

The single instance of malloc() has been replaced with palloc().

> Another thing: This business of getting a SID, turning it into a user
> name/domain pair, then using that to get the UPN (which probably involves
> converting it to the SID again somewhere in between) does not look very good
> to me. I'll have to see if it works, but what do you think about briefly
> impersonating the client, just long enough to get the SAM and UPN names?

I did not pursue this further; it involves quite a bit more code
including several more functions from secur32.dll. These might be a
problem on MinGW according to the comment in auth.c regarding
QuerySecurityContextToken() (if that is still accurate, because my
mingw\lib\libsecur32.a apparently has the export).

Updated patch attached.

--
Christian

Attachment Content-Type Size
sspirealm.patch text/plain 7.9 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Tomas Vondra 2016-03-20 16:00:08 Re: PATCH: index-only scans with partial indexes
Previous Message Michael Paquier 2016-03-20 14:47:41 Re: Postgres_fdw join pushdown - getting server crash in left outer join of three table

Browse pgsql-bugs by date

  From Date Subject
Next Message vendforce 2016-03-20 15:55:41 BUG #14037: Move history file
Previous Message Jeff Janes 2016-03-20 01:06:26 Re: BUG #14032: trigram index is not used for '=' operator