Re: BUG #13854: SSPI authentication failure: wrong realm name used

From: Christian Ullrich <chris(at)chrullrich(dot)net>
To: pgsql-hackers(at)postgresql(dot)org
Cc: pgsql-bugs(at)postgresql(dot)org
Subject: Re: BUG #13854: SSPI authentication failure: wrong realm name used
Date: 2016-01-15 20:46:53
Message-ID: n7blsf$g5n$1@ger.gmane.org
Views: Raw Message | Whole Thread | Download mbox | Resend email
Thread:
Lists: pgsql-bugs pgsql-hackers

* Christian Ullrich wrote:

> * Christian Ullrich wrote:
>
>> * Christian Ullrich wrote:
>>
>> > According to the release notes, the default for the "include_realm"
>> > option in SSPI authentication was changed from off to on in 9.5 for
> > > improved security. However, the authenticated user name, with the
> > > option enabled, includes the NetBIOS domain name, *not* the Kerberos
>> > realm name:
>
>> Below is a patch to correct this behavior. I suspect it has some
>> serious compatibility issues, so I would appreciate feedback.
>
> Updated patch, sorry. The first one worked by accident only.

Another update. This time even the documentation builds.

One thing I'm fairly sure I need advice on is error handling and/or
error codes. Right now I use ERROR_INVALID_ROLE_SPECIFICATION just about
everywhere (because the surrounding SSPI code does as well), and that is
probably not the best choice in some places.

--
Christian

Attachment Content-Type Size
sspi-real-realm.patch text/plain 7.2 KB

In response to

Responses

Browse pgsql-hackers by date

  From Date Subject
Next Message Andres Freund 2016-01-15 21:02:13 Re: checkpointer continuous flushing
Previous Message Tom Lane 2016-01-15 19:54:14 Re: Expanded Object Header and Flat Cache

Browse pgsql-bugs by date

  From Date Subject
Next Message David G. Johnston 2016-01-15 21:14:38 Re: BUG #13871: Format '%2f' invalid or incompatible with argument
Previous Message Christoph Berg 2016-01-15 20:12:41 Re: BUG #13867: apt.postgresql.org broken for postgresql-server-dev-9.4 and libpq-dev