Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-28 Thread Peter Koczan
On Thu, May 28, 2009 at 2:07 PM, Peter Koczan wrote: > On Thu, May 28, 2009 at 1:30 PM, Tom Lane wrote: >> Peter Koczan writes: >>> It was rather convenient to know that whatever Kerberos principal was >>> used was going to be the database user. >> >> Isn't that still true?  (Modulo the auth.c b

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-28 Thread Peter Koczan
On Thu, May 28, 2009 at 1:30 PM, Tom Lane wrote: > Peter Koczan writes: >> It was rather convenient to know that whatever Kerberos principal was >> used was going to be the database user. > > Isn't that still true?  (Modulo the auth.c bug fix of course.)  The only > issue here is where the defaul

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-28 Thread Tom Lane
Peter Koczan writes: > I should also point out that old clients still exhibit the old behavior. Sure, because this is a libpq change. > It was rather convenient to know that whatever Kerberos principal was > used was going to be the database user. Isn't that still true? (Modulo the auth.c bug

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-28 Thread Peter Koczan
On Wed, May 27, 2009 at 5:16 PM, Tom Lane wrote: > What this still leaves us with is whether that change is a bad idea or > not.  I still think it's OK, but maybe Peter can point to something > else. I recompiled postgres with the auth.c patch. This is only an issue if you are trying to connect

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Tom Lane
Magnus Hagander writes: > Magnus Hagander wrote: >> Tom Lane wrote: >>> Magnus Hagander writes: Tom, or someone else... auth.c line 1076. I'm pretty sure that should be "return ret" not "return STATUS_OK". >>> Doh. >> >> yeah. Will apply patch. > And, applied. I have also patched the

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Magnus Hagander
Magnus Hagander wrote: > Tom Lane wrote: >> Magnus Hagander writes: >>> Tom, or someone else... auth.c line 1076. I'm pretty sure that should be >>> "return ret" not "return STATUS_OK". >> Doh. > > yeah. Will apply patch. And, applied. -- Magnus Hagander Self: http://www.hagander.net/ Work

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Peter Koczan
I don't know if it's much use now, but here you go. On Wed, May 27, 2009 at 3:15 PM, Magnus Hagander wrote: > We are certainly *supposed* to do that. And we have been doing that. So > if that's not done, it's been broken in 8.4 (most likely by me). > > Peter, are you using gssapi or krb5? Only kr

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Magnus Hagander
Tom Lane wrote: > Magnus Hagander writes: >> Tom, or someone else... auth.c line 1076. I'm pretty sure that should be >> "return ret" not "return STATUS_OK". > > Doh. yeah. Will apply patch. >> Wow, that's a bad bug :-O > > Hey, that's what beta is for ;-) :-) Do we need to announce it some

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Tom Lane
Magnus Hagander writes: > Tom, or someone else... auth.c line 1076. I'm pretty sure that should be > "return ret" not "return STATUS_OK". Doh. > Wow, that's a bad bug :-O Hey, that's what beta is for ;-) You might want to take a quick look for copy-and-pastes of same error. I see none offhand,

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Magnus Hagander
Peter Koczan wrote: > I don't know if it's much use now, but here you go. > May 27 15:37:29 mitchell postgres[30609]: [629-1] LOG: provided > username (koczan) and authenticated username (strivia) don't match > May 27 15:37:29 mitchell postgres[30609]: [630-1] LOG: connection > authorized: use

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Magnus Hagander
Magnus Hagander wrote: > Tom Lane wrote: >> Peter Koczan writes: >>> This is trust authentication with one rather inconsequential bit of >>> verification, that's a fundamental breakage. One of the major points >>> of Kerberos is that, for anything that talks Kerberos, you are the >>> principal in

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Magnus Hagander
Tom Lane wrote: > Peter Koczan writes: >> This is trust authentication with one rather inconsequential bit of >> verification, that's a fundamental breakage. One of the major points >> of Kerberos is that, for anything that talks Kerberos, you are the >> principal in that ticket. I understand the

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Stephen Frost
* Tom Lane (t...@sss.pgh.pa.us) wrote: > Peter Koczan writes: > > This is trust authentication with one rather inconsequential bit of > > verification, that's a fundamental breakage. One of the major points > > of Kerberos is that, for anything that talks Kerberos, you are the > > principal in tha

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Tom Lane
Peter Koczan writes: > This is trust authentication with one rather inconsequential bit of > verification, that's a fundamental breakage. One of the major points > of Kerberos is that, for anything that talks Kerberos, you are the > principal in that ticket. I understand the desire to change some

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-27 Thread Peter Koczan
> We should probably at least clarify this release note.  Do you want > to make an argument that this is a fundamental breakage and we need > to revert it?  If so, what's the argument? Certainly. It seems like with the changes in 8.4, krb5/gssapi auth looks for a valid ticket, and if it finds one

Re: [BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-26 Thread Tom Lane
"Peter Koczan" writes: > PostgreSQL version: 8.4beta2 > Description:KRB5/GSSAPI authentication fails when user != principal > When authenticating with Kerberos/GSSAPI, if the Kerberos principal is not > the same as the shell user, authentication fails. > It appears to assume that the shel

[BUGS] BUG #4824: KRB5/GSSAPI authentication fails when user != principal

2009-05-26 Thread Peter Koczan
The following bug has been logged online:
Bug reference: 4824
Logged by: Peter Koczan
Email address: pjkoc...@gmail.com
PostgreSQL version: 8.4beta2
Operating system: Red Hat Enterprise Linux 5.3
Description: KRB5/GSSAPI authentication fails when user != principal
Deta