I'm going to file this as a bug as well, but I guess I'm hoping to catch some developers here for discussion.
I'm working with the Npgsql group on getting integrated security to "just work" in the same way SQL Server's does. I wrote a workaround for one issue, only to find out that I need more workarounds, and I finally realized that this a problem with the way Postgres handles GSSAPI/SSPI logins. You can read my full description here:
The short version is that Postgres requires two user names when using GSSAPI/SSPI: one from the startup packet, and one from the Kerberos ticket, and if these don't match exactly, the login fails. It's generally impossible to determine the correct user name to send in the startup packet.
I think Postgres should either not require or ignore the user name in the startup packet for these two login types. What do you think?
I think Postgres should either not require or ignore the user name in the startup packet for these two login types. What do you think?
—Brian