Обсуждение: [GENERAL] pg_ident mapping Kerberos Usernames

Hi,

I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to 
"user1" in postgres, or vice versa. I'm not picky about which way works.

Kerberos authentication works. I've gotten "user1" to login successfully 
with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD" to 
match.

Environment:
* PostgreSQL 9.6 from PostgreSQL repos
* CentOS 7
* FreeIPA for Kerberos, LDAP, etc.
* Realm A.DOMAIN.TLD
* "user1" database exists
* "user1" role exists
* Logging into CentOS usernames are configured to drop the domain, so 
they appear as "user1" rather then "user1@a.domain.tld".


pg_hba.conf:

local   all             postgres                                peer
host    all             all             127.0.0.1/32            md5
host    all             all             ::1/128                 md5
host    all             all             192.168.1.0/24          gss 
include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. 
Thunderbird is truncating lines.


pg_ident.conf:

testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
testnet    /^([0-9A-Za-z_-]+)$     \1


Regex that works for both in regexr.com:

/^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm


Command and lines from pg_log:

$ psql -h db0 # Logged in as user1 with Kerberos ticket

< 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: 
connection received: host=192.168.1.201 port=44918
< 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection 
authorized: user=user1 database=user1
< 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: 
disconnection: session time: 0:00:01.537 user=user1 database=user1 
host=192.168.1.201 port=44918

$ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos 
ticket

< 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: 
connection received: host=192.168.1.201 port=44920
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: 
no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" 
authenticated as "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > 
FATAL:  GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > 
DETAIL:  Connection matched pg_hba.conf line 87: "host   all        all             192.168.1.0/24          gss
include_realm=1
 
map=testnet krb_realm=A.DOMAIN.TLD"


Is this something that is possible, or is it something where I need to 
pick one way to do it?

Thanks in advance,
Ryan


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On Sat, 2017-09-09 at 20:44 -0500, techmail+pgsql@dangertoaster.com
wrote:
> Hi,
> 
> I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD"
> to 
> "user1" in postgres, or vice versa. I'm not picky about which way
> works.
> 
> Kerberos authentication works. I've gotten "user1" to login
> successfully 
> with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD"
> to 
> match.
> 
> Environment:
> * PostgreSQL 9.6 from PostgreSQL repos
> * CentOS 7
> * FreeIPA for Kerberos, LDAP, etc.
> * Realm A.DOMAIN.TLD
> * "user1" database exists
> * "user1" role exists
> * Logging into CentOS usernames are configured to drop the domain,
> so 
> they appear as "user1" rather then "user1@a.domain.tld".
> 
> 
> pg_hba.conf:
> 
> local   all             postgres                                peer
> host    all             all             127.0.0.1/32            md5
> host    all             all             ::1/128                 md5
> host    all             all             192.168.1.0/24          gss 
> include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one
> line. 
> Thunderbird is truncating lines.
> 
> 
> pg_ident.conf:
> 
> testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
> testnet    /^([0-9A-Za-z_-]+)$     \1
> 
> 
> Regex that works for both in regexr.com:
> 
> /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
> 
> 
> Command and lines from pg_log:
> 
> $ psql -h db0 # Logged in as user1 with Kerberos ticket
> 
> < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: 
> connection received: host=192.168.1.201 port=44918
> < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 >
> LOG:  connection 
> authorized: user=user1 database=user1
> < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: 
> disconnection: session time: 0:00:01.537 user=user1 database=user1 
> host=192.168.1.201 port=44918
> 
> $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with
> Kerberos 
> ticket
> 
> < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: 
> connection received: host=192.168.1.201 port=44920
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD >
> LOG: 
> no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" 
> authenticated as "user1@A.DOMAIN.TLD"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > 
> FATAL:  GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > 
> DETAIL:  Connection matched pg_hba.conf line 87: "host   all
>          all             192.168.1.0/24          gss include_realm=1 
> map=testnet krb_realm=A.DOMAIN.TLD"
> 
> 
> Is this something that is possible, or is it something where I need
> to 
> pick one way to do it?
> 
> Thanks in advance,
> Ryan
> 
> 


Hello,
I think you need a line in your pg_hba.conf file along the lines of:-

testnet all all 192.168.1.0/24 gss

as the error message says it can't find this relationship.

HTH,
Rob


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 09/10/2017 02:39 AM, Magnus Hagander wrote:
> On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com
> <mailto:techmail+pgsql@dangertoaster.com>> wrote:
>
>     Hi,
>
>     I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to "user1" in postgres, or
>     vice versa. I'm not picky about which way works.
>
>     Kerberos authentication works. I've gotten "user1" to login successfully with a Kerberos ticket,
>     but I'm not able to get "user1@A.DOMAIN.TLD" to match.
>
>     Environment:
>     * PostgreSQL 9.6 from PostgreSQL repos
>     * CentOS 7
>     * FreeIPA for Kerberos, LDAP, etc.
>     * Realm A.DOMAIN.TLD
>     * "user1" database exists
>     * "user1" role exists
>     * Logging into CentOS usernames are configured to drop the domain, so they appear as "user1"
>     rather then "user1@a.domain.tld".
>
>
>     pg_hba.conf:
>
>     local   all             postgres                                peer
>     host    all             all 127.0.0.1/32 <http://127.0.0.1/32>            md5
>     host    all             all             ::1/128                 md5
>     host    all             all 192.168.1.0/24 <http://192.168.1.0/24>          gss include_realm=1
>     map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.
>
>
>     pg_ident.conf:
>
>     testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
>     testnet    /^([0-9A-Za-z_-]+)$     \1
>
>
>     Regex that works for both in regexr.com <http://regexr.com>:
>
>     /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>
>
>     Command and lines from pg_log:
>
>     $ psql -h db0 # Logged in as user1 with Kerberos ticket
>
>     < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received:
>     host=192.168.1.201 port=44918
>     < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection authorized: user=user1
>     database=user1
>     < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time:
>     0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
>
>     $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket
>
>     < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received:
>     host=192.168.1.201 port=44920
>     < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap
>     "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
>     < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL:  GSSAPI authentication
>     failed for user "user1@A.DOMAIN.TLD"
>     < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL:  Connection matched
>     pg_hba.conf line 87: "host   all
>              all 192.168.1.0/24 <http://192.168.1.0/24>          gss include_realm=1 map=testnet
>     krb_realm=A.DOMAIN.TLD"
>
>
>     Is this something that is possible, or is it something where I need to pick one way to do it?
>
>
> This looks like you are trying to connect with the actual username user1¡A.DOMAIN.TLD. pg_ident only
> sets what you are allowed to log in as, not what it will attempt.
>
> If you are using psql, you are probably doing something like "psql -h myserver". You need to add the
> user, so "psql -h myserver -U user1", to instruct it of which username to actually use for the login.
>
> --
>   Magnus Hagander
>   Me: https://www.hagander.net/ <http://www.hagander.net/>
>   Work: https://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>

Hi Magnus,

Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map is
working for that. Without the map, I have to specify the full Kerberos username, user@DOMAIN.TLD, in
the psql command.

Works with map:

$ psql -h db0     #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1

Does not work with map:

$ psql -h db0 -U user1@A.DOMAIN.TLD -d user1


Works without map (provided I have a role created):

$ psql -h db0 -U user1@A.DOMAIN.TLD -d user1

Does not work without map:

$ psql -h db0     #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1


I can get one style or the other to work, but I just can't get both to work a the same time.

If this is something that can't be done, I understand, but it looks like it should be possible per
the documentation.

Thanks,
Ryan


--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 09/09/2017 09:28 PM, rob stone wrote:
> 
> 
> On Sat, 2017-09-09 at 20:44 -0500, techmail+pgsql@dangertoaster.com
> wrote:
>> Hi,
>>
>> I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD"
>> to
>> "user1" in postgres, or vice versa. I'm not picky about which way
>> works.
>>
>> Kerberos authentication works. I've gotten "user1" to login
>> successfully
>> with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD"
>> to
>> match.
>>
>> Environment:
>> * PostgreSQL 9.6 from PostgreSQL repos
>> * CentOS 7
>> * FreeIPA for Kerberos, LDAP, etc.
>> * Realm A.DOMAIN.TLD
>> * "user1" database exists
>> * "user1" role exists
>> * Logging into CentOS usernames are configured to drop the domain,
>> so
>> they appear as "user1" rather then "user1@a.domain.tld".
>>
>>
>> pg_hba.conf:
>>
>> local   all             postgres                                peer
>> host    all             all             127.0.0.1/32            md5
>> host    all             all             ::1/128                 md5
>> host    all             all             192.168.1.0/24          gss
>> include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one
>> line.
>> Thunderbird is truncating lines.
>>
>>
>> pg_ident.conf:
>>
>> testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
>> testnet    /^([0-9A-Za-z_-]+)$     \1
>>
>>
>> Regex that works for both in regexr.com:
>>
>> /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>>
>>
>> Command and lines from pg_log:
>>
>> $ psql -h db0 # Logged in as user1 with Kerberos ticket
>>
>> < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG:
>> connection received: host=192.168.1.201 port=44918
>> < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 >
>> LOG:  connection
>> authorized: user=user1 database=user1
>> < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG:
>> disconnection: session time: 0:00:01.537 user=user1 database=user1
>> host=192.168.1.201 port=44918
>>
>> $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with
>> Kerberos
>> ticket
>>
>> < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG:
>> connection received: host=192.168.1.201 port=44920
>> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD >
>> LOG:
>> no match in usermap "testnet" for user "user1@A.DOMAIN.TLD"
>> authenticated as "user1@A.DOMAIN.TLD"
>> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD >
>> FATAL:  GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
>> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD >
>> DETAIL:  Connection matched pg_hba.conf line 87: "host   all
>>           all             192.168.1.0/24          gss include_realm=1
>> map=testnet krb_realm=A.DOMAIN.TLD"
>>
>>
>> Is this something that is possible, or is it something where I need
>> to
>> pick one way to do it?
>>
>> Thanks in advance,
>> Ryan
>>
>>
> 
> 
> Hello,
> I think you need a line in your pg_hba.conf file along the lines of:-
> 
> testnet all all 192.168.1.0/24 gss
> 
> as the error message says it can't find this relationship.
> 
> HTH,
> Rob
> 
> 

Hi Rob,

How would that work? I was under the impression the first column was for socket type and limited to 
local, host, hostssl, and hostnossl?

Thunderbird's config has been fixed, so here is the line from pg_hba.conf line without the 
formatting issues:

host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD


Thanks,
Ryan


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 09/10/2017 04:27 PM, Jeff Janes wrote:
> On Sun, Sep 10, 2017 at 11:25 AM, <techmail+pgsql@dangertoaster.com
> <mailto:techmail+pgsql@dangertoaster.com>> wrote:
>
>     On 09/10/2017 02:39 AM, Magnus Hagander wrote:
>
>         On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com
>         <mailto:techmail%2Bpgsql@dangertoaster.com> <mailto:techmail+pgsql@dangertoaster.com
>         <mailto:techmail%2Bpgsql@dangertoaster.com>>> wrote:
>
>              Hi,
>
>              I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to "user1" in
>         postgres, or
>              vice versa. I'm not picky about which way works.
>
>              Kerberos authentication works. I've gotten "user1" to login successfully with a
>         Kerberos ticket,
>              but I'm not able to get "user1@A.DOMAIN.TLD" to match.
>
>              Environment:
>              * PostgreSQL 9.6 from PostgreSQL repos
>              * CentOS 7
>              * FreeIPA for Kerberos, LDAP, etc.
>              * Realm A.DOMAIN.TLD
>              * "user1" database exists
>              * "user1" role exists
>              * Logging into CentOS usernames are configured to drop the domain, so they appear as
>         "user1"
>              rather then "user1@a.domain.tld".
>
>
>              pg_hba.conf:
>
>              local   all             postgres                                peer
>              host    all             all 127.0.0.1/32 <http://127.0.0.1/32> <http://127.0.0.1/32>
>                  md5
>              host    all             all             ::1/128                 md5
>              host    all             all 192.168.1.0/24 <http://192.168.1.0/24>
>         <http://192.168.1.0/24>          gss include_realm=1
>              map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.
>
>
>              pg_ident.conf:
>
>              testnet    /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$    \1
>              testnet    /^([0-9A-Za-z_-]+)$     \1
>
>
>              Regex that works for both in regexr.com <http://regexr.com> <http://regexr.com>:
>
>              /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>
>
>              Command and lines from pg_log:
>
>              $ psql -h db0 # Logged in as user1 with Kerberos ticket
>
>              < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received:
>              host=192.168.1.201 port=44918
>              < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG:  connection authorized:
>         user=user1
>              database=user1
>              < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time:
>              0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
>
>              $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket
>
>              < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received:
>              host=192.168.1.201 port=44920
>              < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap
>              "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
>              < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL:  GSSAPI
>         authentication
>              failed for user "user1@A.DOMAIN.TLD"
>              < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL:  Connection
>         matched
>              pg_hba.conf line 87: "host   all
>                       all 192.168.1.0/24 <http://192.168.1.0/24> <http://192.168.1.0/24>
>         gss include_realm=1 map=testnet
>              krb_realm=A.DOMAIN.TLD"
>
>
>              Is this something that is possible, or is it something where I need to pick one way to
>         do it?
>
>
>         This looks like you are trying to connect with the actual username user1¡A.DOMAIN.TLD.
>         pg_ident only sets what you are allowed to log in as, not what it will attempt.
>
>         If you are using psql, you are probably doing something like "psql -h myserver". You need to
>         add the user, so "psql -h myserver -U user1", to instruct it of which username to actually
>         use for the login.
>
>         --
>            Magnus Hagander
>            Me: https://www.hagander.net/ <http://www.hagander.net/>
>            Work: https://www.redpill-linpro.com/ <https://www.redpill-linpro.com/>
>         <http://www.redpill-linpro.com/ <http://www.redpill-linpro.com/>>
>
>
>     Hi Magnus,
>
>     Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map
>     is working for that. Without the map, I have to specify the full Kerberos username,
>     user@DOMAIN.TLD, in the psql command.
>
>     Works with map:
>
>     $ psql -h db0     #Implied -U user1 -d user1
>     $ psql -h db0 -U user1 -d user1
>
>     Does not work with map:
>
>     $ psql -h db0 -U user1@A.DOMAIN.TLD -d user1
>
>
> If you want that to work with the map, then you need to change the map to add the domain, rather
> than removing it, which is what you currently do.
>
> But it is hard to figure out what it is you actually want.  You listed some cases that work and some
> that don't, but haven't said which ones you want to work and which you want not to work.
>   (Presumably if you want **all** cases to work, you would just use 'trust' and be done with it.)
>
>

GSSAPI is the authentication mechanism of choice, and it's working fine.

Here is what I'm trying to accomplish.

'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1'.
From reading the docs, this is done via the pg_ident.conf file, and from reading the logs, there is
a problem with my map.

Hmm... Interesting thought.
*testing*
It sort of works. Setting the maps below maps the users straight across. 'user1' == 'user1' and
'user1@A.DOMAIN.TLD' == 'user1@A.DOMAIN.TLD', so it's partially working.

pg_indent.conf:
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1@A.DOMAIN.TLD

If it's not possible, that's fine. I'm just wondering if it can be done. I might be misunderstanding
the docs or expecting too much. I'm not quite sure which it is, but it does seem like this should be
possible.

Let me know if I can clear anything else up.

Ryan



--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

> > 
> 
> Hi Rob,
> 
> How would that work? I was under the impression the first column was
> for socket type and limited to 
> local, host, hostssl, and hostnossl?
> 
> Thunderbird's config has been fixed, so here is the line from
> pg_hba.conf line without the 
> formatting issues:
> 
> host all all 192.168.1.0/24 gss include_realm=1 map=testnet
> krb_realm=A.DOMAIN.TLD
> 
> 
> Thanks,
> Ryan


Hello Ryan,

I'm probably incorrect about this as I don't use pg_ident but my
understanding is that each line in pg_ident consists of three fields
being:-

mask-name external-credentials internal-credentials

so that the external log-on is converted to its Postgres log-on and
then the mask-name is used to find a line in pg_hba.conf to verify that
the external-credentials were submitted from an allowable IP address.

Maybe somebody more knowledgeable than myself could provide a better
example.


Cheers,
Rob




-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

On 09/11/2017 08:51 AM, rob stone wrote:
> 
> 
>>>
>>
>> Hi Rob,
>>
>> How would that work? I was under the impression the first column was
>> for socket type and limited to
>> local, host, hostssl, and hostnossl?
>>
>> Thunderbird's config has been fixed, so here is the line from
>> pg_hba.conf line without the
>> formatting issues:
>>
>> host all all 192.168.1.0/24 gss include_realm=1 map=testnet
>> krb_realm=A.DOMAIN.TLD
>>
>>
>> Thanks,
>> Ryan
> 
> 
> Hello Ryan,
> 
> I'm probably incorrect about this as I don't use pg_ident but my
> understanding is that each line in pg_ident consists of three fields
> being:-
> 
> mask-name external-credentials internal-credentials
> 
> so that the external log-on is converted to its Postgres log-on and
> then the mask-name is used to find a line in pg_hba.conf to verify that
> the external-credentials were submitted from an allowable IP address.
> 
> Maybe somebody more knowledgeable than myself could provide a better
> example.
> 
> 
> Cheers,
> Rob
> 
> 

Hi Rob,

That's my understanding of the syntax and workflow from the reading and 
small experiments I've done as well.

There's two of us, so we're on our way to a consensus. :)

Thanks!

Ryan


-- 
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general