On Wed, Jul 1, 2015 at 7:36 PM, xujian <jamesxu@xxxxxxxxxxx> wrote:
Since we need to add user name in the command, which is not what we want, I removed the map in the pg_ident.conf file, and created role xxx@xxxxxxxxxxx in postgresql.

The pg_hba.conf looks like:

    host all all all gss include_realm=1

In pg_ident.conf, I removed all items.

In postgresql, I create role:

    create role "xxx@COMPANY.COM" login

I thought it would work, because my credential is xxx@COMPANY.COM, and there was user xxx@COMPANY.COM in postgresql, it should map my credential to user xxx@COMPANY.COM.

However, when I login with kerberos, I got error below on server side:

    LOG: provided user name (xxx) and authenticated user name (xxx@xxxxxxxxxxx) do not match
    FATAL: GSSAPI authentication failed for user "xxx"

Does anyone know why it doesn't work? Thanks

The PostgreSQL clients (psql in this case) will default to what you are logged into on the local machine with (the result of getpwuid()). This returns "xxx", so that's what PostgreSQL logs in with. It does not explicitly ask the gss system what credentials are there until a much later stage.
To do what you want, you need to create "xxx" in the database, and have a pg_ident mapping xxx@xxxxxxxxxxx to xxx (using a regexp map probably).
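
Added example, not part of the original messages and not PostgreSQL's own code: a simplified Python model of the user name check discussed above, showing why the role "xxx@COMPANY.COM" with no map is rejected when the client asks for "xxx", and how a regexp map accepts it. The map name gssmap (which pg_hba.conf would reference as map=gssmap) and the function names are assumptions; Python's re stands in for PostgreSQL's regex engine and quoted fields are not handled.

```python
import re

def parse_ident(text):
    """Parse pg_ident.conf-style lines into (map, system_user, db_user) tuples."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            entries.append(tuple(line.split()))
    return entries

def check_user(authenticated, requested, entries=(), usermap=None):
    """True if the authenticated principal may log in as the requested role."""
    if usermap is None:
        # No map= on the pg_hba.conf line: the two names must be identical.
        return authenticated == requested
    for name, sys_user, db_user in entries:
        if name != usermap:
            continue
        if sys_user.startswith("/"):
            # Leading slash marks a regular expression on the system user name.
            m = re.search(sys_user[1:], authenticated)
            if not m:
                continue
            # \1 in the database user column is the first capture group.
            db_user = db_user.replace("\\1", m.group(1))
        elif sys_user != authenticated:
            continue
        if db_user == requested:
            return True
    return False

# Constructed sample map: strip the realm for principals in COMPANY.COM only.
IDENT = r"""
# MAPNAME  SYSTEM-USERNAME          PG-USERNAME
gssmap     /^(.*)@COMPANY\.COM$     \1
"""

if __name__ == "__main__":
    principal = "xxx@COMPANY.COM"          # what GSSAPI authenticates
    entries = parse_ident(IDENT)
    print(check_user(principal, "xxx"))                      # the failing case
    print(check_user(principal, "xxx", entries, "gssmap"))   # with the map
```

Anchoring the expression to the expected realm matters with include_realm=1: a principal from any other realm fails the match instead of being mapped to the same short role name.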