Good afternoon,

We can successfully connect via GSSAPI/Kerberos using our Active Directory 
credentials when we map the domain user to a database user that matches the 
name when the domain information is removed.

When we have a user called mich****
C:\Users\mich2581>"c:\Program Files\PostgreSQL\14\bin"\psql -h dev00*****.esri.com snoopynet**1
Pg_hba:
host     all             all             0.0.0.0/0               gss include_realm=1 map=map
Pg_ident:
# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
map             /^(.*)@ESRI\.COM$       \1
map             /^(.*)@esri\.com$       \1

If we create a database role called mich9...@esri.com and run psql or other
clients without providing a name on the command line, we fail like this:

2023-03-09 16:58:51.732 PST [3654539] LOG:  provided user name (mich****) and authenticated user name (mich****@ESRI.COM) do not match
2023-03-09 16:58:51.732 PST [3654539] FATAL:  GSSAPI authentication failed for user "mich2581"

If we specify the full name with domain at the command line, it will connect as 
the role with the full name with domain name. We test that without the mapping 
set above.

From what we can ascertain, this appears to be default behavior. The thing is,
many notes on setting this up on the interweb have examples creating the
database user with the full name including domain.

Is it possible to do that? We are not certain where the domain name is being 
stripped off.

Thanks,
Michael
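
The following is an editor-added model of the pg_ident.conf mapping rules as PostgreSQL documents them; it is not PostgreSQL source and not code from the poster. It runs the two ident lines from the post, plus a hypothetical extra map named "fullname" that keeps the domain in the role name, through the same comparison the server makes between the role the client asked for and the Kerberos principal GSSAPI authenticated. Python's re module stands in for the server's POSIX regex engine, and only the literal and "/regex" forms of SYSTEM-USERNAME with a single "\1" substitution are modelled. The point it makes visible: the server never strips the domain. psql defaults the role name to the OS login name ("mich2581"), and a map can only rewrite the authenticated principal so that it equals whatever role the client asked for, so a role that carries the domain still has to be requested by the client (for example via -U or PGUSER).

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Editor-added model of the documented pg_ident.conf mapping rules. It is
# not PostgreSQL source: Python's re module stands in for the server's POSIX
# regex engine, and only the literal and "/regex" forms of SYSTEM-USERNAME
# plus a single "\1" substitution in PG-USERNAME are modelled.


@dataclass(frozen=True)
class IdentLine:
    mapname: str
    system_user: str  # literal name, or "/regex" when it starts with "/"
    pg_user: str      # may contain "\1" for the regex's first capture group


def parse_ident(text: str) -> list[IdentLine]:
    """Parse pg_ident.conf-style text; '#' starts a comment, blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"expected 3 fields in pg_ident line: {raw!r}")
        entries.append(IdentLine(*fields))
    return entries


def _same(a: str, b: str, caseins: bool) -> bool:
    # krb_caseins_users is off by default, so GSSAPI comparisons are case-sensitive
    return a.lower() == b.lower() if caseins else a == b


def _line_maps(entry: IdentLine, auth_user: str, pg_user: str, caseins: bool) -> bool:
    """True if this one pg_ident line maps auth_user onto the requested pg_user."""
    if entry.system_user.startswith("/"):
        flags = re.IGNORECASE if caseins else 0
        m = re.search(entry.system_user[1:], auth_user, flags)  # unanchored, like regexec()
        if not m:
            return False
        mapped = entry.pg_user
        if r"\1" in mapped:
            if m.re.groups == 0:
                raise ValueError(r"\1 used but the regex has no capture group")
            mapped = mapped.replace(r"\1", m.group(1), 1)
    else:
        if not _same(entry.system_user, auth_user, caseins):
            return False
        mapped = entry.pg_user
    return _same(mapped, pg_user, caseins)


def check_usermap(ident: list[IdentLine], usermap: Optional[str],
                  pg_user: str, auth_user: str, caseins: bool = False) -> str:
    """Return "OK" or a failure text shaped like the server's log messages.

    pg_user is the role the client asked for (psql defaults it to the OS
    login name); auth_user is the Kerberos principal GSSAPI authenticated.
    usermap=None models a pg_hba.conf line with no map= option.
    """
    if not usermap:
        if _same(pg_user, auth_user, caseins):
            return "OK"
        return (f"provided user name ({pg_user}) and authenticated user name "
                f"({auth_user}) do not match")
    for entry in ident:
        if entry.mapname == usermap and _line_maps(entry, auth_user, pg_user, caseins):
            return "OK"
    return (f'no match in usermap "{usermap}" for user "{pg_user}" '
            f'authenticated as "{auth_user}"')


# Constructed sample: the two lines from the post plus a hypothetical
# "fullname" map that keeps the realm in the role name, lower-cased.
SAMPLE_IDENT = r"""
# MAPNAME       SYSTEM-USERNAME         PG-USERNAME
map             /^(.*)@ESRI\.COM$       \1
map             /^(.*)@esri\.com$       \1
fullname        /^(.*)@ESRI\.COM$       \1@esri.com
"""
IDENT = parse_ident(SAMPLE_IDENT)

PRINCIPAL = "mich2581@ESRI.COM"  # what GSSAPI authenticates with include_realm=1


def scenarios() -> dict[str, str]:
    """The cases from the post, run through the model."""
    return {
        # no map=, psql defaulted the role to the OS login name: the posted failure
        "no map, OS user":     check_usermap(IDENT, None, "mich2581", PRINCIPAL),
        # map= strips the realm, so the OS-login role name matches
        "map, OS user":        check_usermap(IDENT, "map", "mich2581", PRINCIPAL),
        # the same map cannot yield a role that still carries the domain
        "map, full role":      check_usermap(IDENT, "map", "mich2581@esri.com", PRINCIPAL),
        # a map that keeps the domain works, but only if the client asks for it
        "fullname, full role": check_usermap(IDENT, "fullname", "mich2581@esri.com", PRINCIPAL),
        "fullname, OS user":   check_usermap(IDENT, "fullname", "mich2581", PRINCIPAL),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:20} -> {result}")
```

Running it prints the first scenario as the same "do not match" text seen in the posted log, "OK" for the stripped-name role under the posted map, and a usermap mismatch for every case where the role the client asks for differs from what the chosen map produces from the principal.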
