* Brian Crowell (brian@fluggo.com) wrote:
> On Mon, Feb 24, 2014 at 12:50 PM, Brian Crowell <brian@fluggo.com> wrote:
> > 2014-02-24 11:30:40 CST LOG: provided user name (Brian) and
> > authenticated user name (BCrowell@REALM.COM) do not match
> >
> > But the Kerberos ticket is perfectly valid, and matches a Postgres
> > user. In this case, the program attempting to log in is incapable of
> > determining the correct Postgres user name to send (see Npgsql bug for
> > the dirty details), so why not just accept the Kerberos principal
> > name?
>=20
> Or in other words, I'm trying to log in as the Postgres user
> "BCrowell@REALM.COM" (which is in the Kerberos ticket), and not as
> "Brian" (which is in the startup packet, because Npgsql doesn't know
> what else to do).
To PG, you're trying to log in as PG user 'Brian' and there's no mapping
which allows the kerb princ "BCrowell@REALM.COM" to log in as that user.
Also, is the PG user really "BCrowell@REALM.COM", or is it actually
'bcrowell', in which case you need a mapping for that (unless you tell
PG to just strip the realm off, but I generally recommend against such
since you can end up with cross-realm issues if you ever define a trust
relationship to another realm with different users who might have the
same princs as your local users).
Thanks,
Stephen