On Sat, 2017-09-09 at 20:44 -0500, techmail+pgsql@xxxxxxxxxxxxxxxxx wrote:
> Hi,
>
> I'm trying to get pg_ident to map "user1" and "user1@xxxxxxxxxxxx" to
> "user1" in postgres, or vice versa. I'm not picky about which way works.
>
> Kerberos authentication works. I've gotten "user1" to login successfully
> with a Kerberos ticket, but I'm not able to get "user1@xxxxxxxxxxxx" to
> match.
>
> Environment:
> * PostgreSQL 9.6 from PostgreSQL repos
> * CentOS 7
> * FreeIPA for Kerberos, LDAP, etc.
> * Realm A.DOMAIN.TLD
> * "user1" database exists
> * "user1" role exists
> * Logging into CentOS usernames are configured to drop the domain, so
>   they appear as "user1" rather than "user1@xxxxxxxxxxxx".
>
>
> pg_hba.conf:
>
> local all postgres peer
> host all all 127.0.0.1/32 md5
> host all all ::1/128 md5
> host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line.
> Thunderbird is truncating lines.
>
>
> pg_ident.conf:
>
> testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
> testnet /^([0-9A-Za-z_-]+)$ \1
>
>
> Regex that works for both in regexr.com:
>
> /^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
>
>
> Command and lines from pg_log:
>
> $ psql -h db0 # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
> < 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
> < 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
>
> $ psql -h db0 -U user1@xxxxxxxxxxxx # Logged in as user1 with Kerberos ticket
>
> < 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > LOG: no match in usermap "testnet" for user "user1@xxxxxxxxxxxx"
> authenticated as "user1@xxxxxxxxxxxx"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > FATAL: GSSAPI authentication failed for user "user1@xxxxxxxxxxxx"
> < 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"
>
>
> Is this something that is possible, or is it something where I need to
> pick one way to do it?
>
> Thanks in advance,
> Ryan
>

Hello,

I think you need a line in your pg_hba.conf file along the lines of:-

testnet all all 192.168.1.0/24 gss

as the error message says it can't find this relationship.

HTH,
Rob

--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
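As an added illustration (not code from the thread, and not PostgreSQL's own implementation), the following Python reproduces the pg_ident usermap check that produced the two log outcomes quoted above. It follows the documented rules: a SYSTEM-USERNAME beginning with `/` is a regular expression, `\1` in PG-USERNAME is replaced by the first capture group, and an entry applies only when the resulting name equals the role the client asked for. With `include_realm=1` the server hands the map the full principal, so `user1@A.DOMAIN.TLD` is the system user in both cases. The `pg_ident.conf` text, the realm spelling `A.DOMAIN.TLD` (masked in parts of the thread) and the function names are constructed for this example.

```python
import re

# Constructed pg_ident.conf content, modelled on the map posted in the thread.
#   MAPNAME  SYSTEM-USERNAME                      PG-USERNAME
PG_IDENT = r"""
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)$ \1
"""


def parse_pg_ident(text):
    """Parse pg_ident.conf into (mapname, system_user, pg_user) triples,
    skipping comments and blank lines as the server does."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(fields))
    return entries


def check_usermap(entries, mapname, system_user, pg_role):
    """Decide whether the authenticated identity `system_user` (here the
    Kerberos principal) may connect as database role `pg_role` under map
    `mapname`.  Returns (allowed, explanation).  This is a re-implementation
    of the documented pg_ident rules, not PostgreSQL's code."""
    for name, sys_pat, pg_pat in entries:
        if name != mapname:
            continue
        if sys_pat.startswith("/"):
            # Regular-expression entry: the server does an unanchored search,
            # which is why the thread's patterns carry their own ^ and $.
            regex = re.compile(sys_pat[1:])
            m = regex.search(system_user)
            if m is None:
                continue
            if r"\1" in pg_pat:
                if regex.groups == 0:
                    raise ValueError(f"{sys_pat!r} has no capture group for \\1")
                # Only the first \1 is substituted, with the first capture.
                candidate = pg_pat.replace(r"\1", m.group(1), 1)
            else:
                candidate = pg_pat
        else:
            # Plain entry: exact, case-sensitive match on the system user.
            if sys_pat != system_user:
                continue
            candidate = pg_pat
        # The entry applies only if the mapped name IS the requested role.
        if candidate == pg_role:
            return True, f"matched {sys_pat} -> {candidate}"
    return False, (f'no match in usermap "{mapname}" for user "{pg_role}" '
                   f'authenticated as "{system_user}"')


ENTRIES = parse_pg_ident(PG_IDENT)
PRINCIPAL = "user1@A.DOMAIN.TLD"   # what include_realm=1 passes to the map


def thread_cases():
    """The two logins from the thread's log: `psql -h db0` requests the OS
    login name as the role, `psql -U user1@A.DOMAIN.TLD` requests the
    realm-qualified spelling."""
    return {
        "psql -h db0": check_usermap(ENTRIES, "testnet", PRINCIPAL, "user1"),
        "psql -h db0 -U user1@A.DOMAIN.TLD":
            check_usermap(ENTRIES, "testnet", PRINCIPAL, PRINCIPAL),
    }


if __name__ == "__main__":
    for cmd, (ok, why) in thread_cases().items():
        print(f"{cmd:36} {'allowed' if ok else 'REJECTED'}: {why}")
```

Running it shows why the second login is rejected even though the first pg_ident line does match the principal: `\1` turns `user1@A.DOMAIN.TLD` into `user1`, and the map requires that result to equal the role psql requested, which was `user1@A.DOMAIN.TLD`; the second line never matches a realm-qualified principal at all, so the server logs "no match in usermap". Any map entry meant to accept `-U user1@A.DOMAIN.TLD` therefore has to produce exactly that name, and a role of that name would also have to exist in the database.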