pg_ident mapping Kerberos Usernames

Started by Noname over 8 years ago · 10 messages · general
#1 Noname
techmail+pgsql@dangertoaster.com

Hi,

I'm trying to get pg_ident to map "user1" and "user1@A.DOMAIN.TLD" to
"user1" in postgres, or vice versa. I'm not picky about which way works.

Kerberos authentication works. I've gotten "user1" to login successfully
with a Kerberos ticket, but I'm not able to get "user1@A.DOMAIN.TLD" to
match.

Environment:
* PostgreSQL 9.6 from PostgreSQL repos
* CentOS 7
* FreeIPA for Kerberos, LDAP, etc.
* Realm A.DOMAIN.TLD
* "user1" database exists
* "user1" role exists
* Logging into CentOS, usernames are configured to drop the domain, so
they appear as "user1" rather than "user1@a.domain.tld".

pg_hba.conf:

local all postgres peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.

pg_ident.conf:

testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)$ \1

Regex that works for both in regexr.com:

/^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm

Command and lines from pg_log:

$ psql -h db0 # Logged in as user1 with Kerberos ticket

< 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
< 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
< 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918

$ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket

< 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > FATAL: GSSAPI authentication failed for user "user1@A.DOMAIN.TLD"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"

Is this something that is possible, or is it something where I need to
pick one way to do it?

Thanks in advance,
Ryan

--
Sent via pgsql-general mailing list (pgsql-general@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general

#2 rob stone
floriparob@gmail.com
In reply to: Noname (#1)
Re: pg_ident mapping Kerberos Usernames

On Sat, 2017-09-09 at 20:44 -0500, techmail+pgsql@dangertoaster.com wrote:

> [...]
> pg_hba.conf:
>
> local all postgres peer
> host all all 127.0.0.1/32 md5
> host all all ::1/128 md5
> host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.
>
> pg_ident.conf:
>
> testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
> testnet /^([0-9A-Za-z_-]+)$ \1
> [...]
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
> [...]
> Is this something that is possible, or is it something where I need to pick one way to do it?
>
> Thanks in advance,
> Ryan

Hello,
I think you need a line in your pg_hba.conf file along the lines of:-

testnet all all 192.168.1.0/24 gss

as the error message says it can't find this relationship.

HTH,
Rob


#3 Magnus Hagander
magnus@hagander.net
In reply to: Noname (#1)
Re: pg_ident mapping Kerberos Usernames

On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com> wrote:

> [...]
> $ psql -h db0 -U user1@A.DOMAIN.TLD # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@A.DOMAIN.TLD > LOG: no match in usermap "testnet" for user "user1@A.DOMAIN.TLD" authenticated as "user1@A.DOMAIN.TLD"
> [...]
> Is this something that is possible, or is it something where I need to pick one way to do it?

This looks like you are trying to connect with the actual username
user1@A.DOMAIN.TLD. pg_ident only sets what you are allowed to log in as,
not what it will attempt.

If you are using psql, you are probably doing something like "psql -h
myserver". You need to add the user, so "psql -h myserver -U user1", to
instruct it of which username to actually use for the login.

--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/

#4 Noname
techmail+pgsql@dangertoaster.com
In reply to: Magnus Hagander (#3)
Re: pg_ident mapping Kerberos Usernames

On 09/10/2017 02:39 AM, Magnus Hagander wrote:

> [...]
> This looks like you are trying to connect with the actual username user1@A.DOMAIN.TLD. pg_ident only sets what you are allowed to log in as, not what it will attempt.
>
> If you are using psql, you are probably doing something like "psql -h myserver". You need to add the user, so "psql -h myserver -U user1", to instruct it of which username to actually use for the login.

Hi Magnus,

Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map is
working for that. Without the map, I have to specify the full Kerberos username, user@DOMAIN.TLD, in
the psql command.

Works with map:

$ psql -h db0 #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1

Does not work with map:

$ psql -h db0 -U user1@A.DOMAIN.TLD -d user1

Works without map (provided I have a role created):

$ psql -h db0 -U user1@A.DOMAIN.TLD -d user1

Does not work without map:

$ psql -h db0 #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1

I can get one style or the other to work, but I just can't get both to work at the same time.

If this is something that can't be done, I understand, but it looks like it should be possible per
the documentation.

Thanks,
Ryan


#5 Noname
techmail+pgsql@dangertoaster.com
In reply to: rob stone (#2)
Re: pg_ident mapping Kerberos Usernames

On 09/09/2017 09:28 PM, rob stone wrote:

> [...]
> I think you need a line in your pg_hba.conf file along the lines of:-
>
> testnet all all 192.168.1.0/24 gss
>
> as the error message says it can't find this relationship.

Hi Rob,

How would that work? I was under the impression the first column was for socket type and limited to
local, host, hostssl, and hostnossl?

Thunderbird's config has been fixed, so here is the line from pg_hba.conf without the
formatting issues:

host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD

Thanks,
Ryan


#6 Jeff Janes
jeff.janes@gmail.com
In reply to: Noname (#4)
Re: pg_ident mapping Kerberos Usernames

On Sun, Sep 10, 2017 at 11:25 AM, <techmail+pgsql@dangertoaster.com> wrote:

> [...]
> Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map is working for that. Without the map, I have to specify the full Kerberos username, user@DOMAIN.TLD, in the psql command.
>
> Works with map:
>
> $ psql -h db0 #Implied -U user1 -d user1
> $ psql -h db0 -U user1 -d user1
>
> Does not work with map:
>
> $ psql -h db0 -U user1@A.DOMAIN.TLD -d user1

If you want that to work with the map, then you need to change the map to
add the domain, rather than removing it, which is what you currently do.

But it is hard to figure out what it is you actually want. You listed some
cases that work and some that don't, but haven't said which ones you want
to work and which you want not to work. (Presumably if you want **all**
cases to work, you would just use 'trust' and be done with it.)

#7 Noname
techmail+pgsql@dangertoaster.com
In reply to: Jeff Janes (#6)
Re: pg_ident mapping Kerberos Usernames

On 09/10/2017 04:27 PM, Jeff Janes wrote:

> [...]
> If you want that to work with the map, then you need to change the map to add the domain, rather than removing it, which is what you currently do.
>
> But it is hard to figure out what it is you actually want. You listed some cases that work and some that don't, but haven't said which ones you want to work and which you want not to work. (Presumably if you want **all** cases to work, you would just use 'trust' and be done with it.)

GSSAPI is the authentication mechanism of choice, and it's working fine.

Here is what I'm trying to accomplish.

'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1'.

From reading the docs, this is done via the pg_ident.conf file, and from reading the logs, there is
a problem with my map.

Hmm... Interesting thought.
*testing*
It sort of works. Setting the maps below maps the users straight across. 'user1' == 'user1' and
'user1@A.DOMAIN.TLD' == 'user1@A.DOMAIN.TLD', so it's partially working.

pg_ident.conf:
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1@A.DOMAIN.TLD

If it's not possible, that's fine. I'm just wondering if it can be done. I might be misunderstanding
the docs or expecting too much. I'm not quite sure which it is, but it does seem like this should be
possible.

Let me know if I can clear anything else up.

Ryan


#8 rob stone
floriparob@gmail.com
In reply to: Noname (#5)
Re: pg_ident mapping Kerberos Usernames

> Hi Rob,
>
> How would that work? I was under the impression the first column was for socket type and limited to local, host, hostssl, and hostnossl?
>
> Thunderbird's config has been fixed, so here is the line from pg_hba.conf without the formatting issues:
>
> host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD
>
> Thanks,
> Ryan

Hello Ryan,

I'm probably incorrect about this as I don't use pg_ident but my
understanding is that each line in pg_ident consists of three fields
being:-

mask-name external-credentials internal-credentials

so that the external log-on is converted to its Postgres log-on and
then the mask-name is used to find a line in pg_hba.conf to verify that
the external-credentials were submitted from an allowable IP address.

Maybe somebody more knowledgeable than myself could provide a better
example.

Cheers,
Rob


#9 Noname
techmail+pgsql@dangertoaster.com
In reply to: rob stone (#8)
Re: pg_ident mapping Kerberos Usernames

On 09/11/2017 08:51 AM, rob stone wrote:

> [...]
> I'm probably incorrect about this as I don't use pg_ident but my understanding is that each line in pg_ident consists of three fields being:-
>
> mask-name external-credentials internal-credentials
>
> so that the external log-on is converted to its Postgres log-on and then the mask-name is used to find a line in pg_hba.conf to verify that the external-credentials were submitted from an allowable IP address.
>
> Maybe somebody more knowledgeable than myself could provide a better example.

Hi Rob,

That's my understanding of the syntax and workflow from the reading and
small experiments I've done as well.

There's two of us, so we're on our way to a consensus. :)

Thanks!

Ryan


#10 Jeff Janes
jeff.janes@gmail.com
In reply to: Noname (#7)
Re: pg_ident mapping Kerberos Usernames

On Sun, Sep 10, 2017 at 4:31 PM, <techmail+pgsql@dangertoaster.com> wrote:

> GSSAPI is the authentication mechanism of choice, and it's working fine.
>
> Here is what I'm trying to accomplish.
>
> 'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1'.
>
> From reading the docs, this is done via the pg_ident.conf file, and from reading the logs, there is a problem with my map.
>
> Hmm... Interesting thought.
> *testing*
> It sort of works. Setting the maps below maps the users straight across. 'user1' == 'user1' and 'user1@A.DOMAIN.TLD' == 'user1@A.DOMAIN.TLD', so it's partially working.
>
> pg_ident.conf:
> testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
> testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1@A.DOMAIN.TLD

I think you want this:

testnet /(.*) \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+) \1@A.DOMAIN.TLD

But since your pg_hba has include_realm=1, I don't know how you are getting
the realmless "system user" names in the first place, so the last line
really shouldn't be necessary.

Cheers,

Jeff
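To make the behaviour discussed in messages #3 and #10 concrete, here is a small Python model of the pg_ident.conf matching rules, replayed against the maps posted in this thread. This is an added illustration, not code from the thread and not PostgreSQL's own implementation. The map text, the map name `testnet` and the principal `user1@A.DOMAIN.TLD` come from the thread; `OPTIONAL_REALM_MAP` is my one-line rendering of the "regex that matches both forms" idea from message #1; the functions `parse_pg_ident`, `usermap_allows` and `allowed` are mine, and my reading of the documented semantics (a system-user field beginning with `/` is a regular expression, `\1` in the role field is replaced by the first capture group, and the result must equal the requested role exactly) is an assumption to check against the documentation for your PostgreSQL version.

```python
import re
from typing import List, Tuple

# One pg_ident.conf line: (map name, system user or /regex, database role)
IdentLine = Tuple[str, str, str]


def parse_pg_ident(text: str) -> List[IdentLine]:
    """Parse pg_ident.conf-style text into (map_name, system_user, pg_role).

    Blank lines and '#' comments are skipped, as the real file allows.
    """
    lines: List[IdentLine] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident line: {raw!r}")
        lines.append((fields[0], fields[1], fields[2]))
    return lines


def usermap_allows(ident: List[IdentLine], map_name: str,
                   system_user: str, requested_role: str) -> bool:
    """Does any line of `map_name` permit `system_user` to log in as `requested_role`?

    Assumed semantics (my reading of the docs): a system-user field starting with
    '/' is a regular expression; on a match, '\\1' in the role field is replaced by
    the first capture group. The map never rewrites the role the client asked
    for: a line matches only if the resulting role is exactly the requested one,
    so the map answers "is this pairing allowed?", not "what does this become?".
    """
    for name, sys_field, role_field in ident:
        if name != map_name:
            continue
        if sys_field.startswith("/"):
            match = re.search(sys_field[1:], system_user)  # anchored only if the pattern is
            if match is None:
                continue
            if "\\1" in role_field:
                if not match.groups():
                    raise ValueError(f"role {role_field!r} uses \\1 but the regex has no group")
                candidate = role_field.replace("\\1", match.group(1) or "", 1)
            else:
                candidate = role_field
        else:
            if sys_field != system_user:
                continue
            candidate = role_field
        if candidate == requested_role:
            return True
    return False


# The map as posted in message #1 (constructed copy of the thread's text).
ORIGINAL_MAP = r"""
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)$ \1
"""

# The "one regex that matches both forms" idea from message #1, as a single map line (mine).
OPTIONAL_REALM_MAP = r"""
testnet /^([0-9A-Za-z_-]+)(@A\.DOMAIN\.TLD)?$ \1
"""

# The map suggested in message #10.
SUGGESTED_MAP = r"""
testnet /(.*) \1
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+) \1@A.DOMAIN.TLD
"""

# With include_realm=1 the authenticated system user is always the full principal.
PRINCIPAL = "user1@A.DOMAIN.TLD"


def allowed(ident_text: str, requested_role: str, principal: str = PRINCIPAL) -> bool:
    """Replay one psql invocation: '-U requested_role' after authenticating as `principal`."""
    return usermap_allows(parse_pg_ident(ident_text), "testnet", principal, requested_role)


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_MAP),
                        ("optional realm", OPTIONAL_REALM_MAP),
                        ("suggested", SUGGESTED_MAP)):
        for role in ("user1", "user1@A.DOMAIN.TLD"):
            verdict = "connection authorized" if allowed(text, role) else "no match in usermap"
            print(f"{label:15} -U {role:20} -> {verdict}")
```

Run against the original map, the model reproduces the log in message #1: the request for `user1` is authorized, the request for `user1@A.DOMAIN.TLD` gets "no match in usermap", because the only line that matches the principal yields `user1`, which is not the role psql asked for. The optional-realm regex does not change that, since it still yields `user1`; the request for the realm-qualified role is only satisfied by a line whose result is the realm-qualified name, which is what the `/(.*) \1` line in message #10 supplies. From a least-privilege point of view that identity line permits every authenticated principal to log in as a role of exactly the same name and nothing else; the `krb_realm=A.DOMAIN.TLD` restriction in pg_hba.conf bounds which principals reach the map at all, and the role still has to exist.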