Magnus Hagander wrote:
> Tom Lane wrote:
>> Peter Koczan <pjkoc...@gmail.com> writes:
>>> This is trust authentication with one rather inconsequential bit of
>>> verification, that's a fundamental breakage. One of the major points
>>> of Kerberos is that, for anything that talks Kerberos, you are the
>>> principal in that ticket. I understand the desire to change some of
>>> that old code, but why is that principal being ignored?
>> Well, the reason for that change was that the libpq code was absorbing
>> userid from any available Kerberos ticket, even if the server
>> subsequently issued a non-Kerberos authentication challenge. I still
>> think that was wrong. What your complaint seems to suggest is that
>> the server-side Kerberos auth code should be insisting that the supplied
>> principal's first component match the requested database userid.
>> I kinda thought we *had* been doing that, but can't claim to have read
>> that code closely. Magnus?
>
> We are certainly *supposed* to do that. And we have been doing that. So
> if that's not done, it's been broken in 8.4 (most likely by me).
>
> Peter, are you using gssapi or krb5? Only krb5 has changed wrt libpq,
> but from your messages it looks like you have gssapi?
>
> Can you show us your pg_hba.conf file, and all lines with krb in them
> from postgresql.conf?
>
> Also, can you try it with the server set to log at DEBUG4, and let us
> know what output you get?

Crap, I think I found the problem.

Tom, or someone else... auth.c line 1076. I'm pretty sure that should be
"return ret" not "return STATUS_OK".

Wow, that's a bad bug :-O

//Magnus
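
The failure mode discussed in this thread, as an added example that is not part of the original post and is not PostgreSQL's auth.c: a principal check whose result is computed and then discarded behind an unconditional "return STATUS_OK", next to the "return ret" form. The function names, the simplified principal parsing (no escaped separators) and the sample principals are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

#define STATUS_OK     0
#define STATUS_ERROR (-1)

/* Copy the first component of a principal ("user/instance@REALM") into out.
 * Returns STATUS_ERROR if the component is empty or does not fit. */
static int first_component(const char *principal, char *out, size_t outlen)
{
    size_t n = strcspn(principal, "/@");
    if (n == 0 || n >= outlen)
        return STATUS_ERROR;
    memcpy(out, principal, n);
    out[n] = '\0';
    return STATUS_OK;
}

/* Compare the authenticated principal with the requested database user. */
static int check_principal(const char *principal, const char *db_user)
{
    char name[64];
    if (first_component(principal, name, sizeof(name)) != STATUS_OK)
        return STATUS_ERROR;
    return strcmp(name, db_user) == 0 ? STATUS_OK : STATUS_ERROR;
}

/* Fail-open shape: the check runs, but its result never reaches the caller. */
int auth_buggy(const char *principal, const char *db_user)
{
    int ret = check_principal(principal, db_user);
    (void) ret;               /* result discarded */
    return STATUS_OK;
}

/* Corrected shape: the caller sees the result of the check. */
int auth_fixed(const char *principal, const char *db_user)
{
    int ret = check_principal(principal, db_user);
    return ret;
}

int main(void)
{
    /* Constructed input: ticket for "alice", connection asks for "postgres". */
    printf("buggy: %d\n", auth_buggy("alice@EXAMPLE.ORG", "postgres"));
    printf("fixed: %d\n", auth_fixed("alice@EXAMPLE.ORG", "postgres"));
    return 0;
}
```

A regression test for this class of bug needs a negative case: a valid ticket for one user paired with a request for a different database user must be rejected.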