On Sun, Sep 10, 2017 at 11:25 AM, <techmail+pgsql@xxxxxxxxxxxxxxxxx> wrote:
On 09/10/2017 02:39 AM, Magnus Hagander wrote:
On Sat, Sep 9, 2017 at 6:44 PM, <techmail+pgsql@dangertoaster.com> wrote:
Hi,
I'm trying to get pg_ident to map "user1" and "user1@xxxxxxxxxxxx" to "user1" in postgres, or
vice versa. I'm not picky about which way works.
Kerberos authentication works. I've gotten "user1" to login successfully with a Kerberos ticket,
but I'm not able to get "user1@xxxxxxxxxxxx" to match.
Environment:
* PostgreSQL 9.6 from PostgreSQL repos
* CentOS 7
* FreeIPA for Kerberos, LDAP, etc.
* Realm A.DOMAIN.TLD
* "user1" database exists
* "user1" role exists
* Logging into CentOS, usernames are configured to drop the domain, so they appear as "user1" rather than "user1@xxxxxxxxxxxx".
pg_hba.conf:
local all postgres peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD #This is on one line. Thunderbird is truncating lines.
pg_ident.conf:
testnet /^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$ \1
testnet /^([0-9A-Za-z_-]+)$ \1
Regex that works for both in regexr.com:
/^([0-9A-Za-z-_]+)(@A\.DOMAIN\.TLD)?$/gm
Command and lines from pg_log:
$ psql -h db0 # Logged in as user1 with Kerberos ticket
< 2017-09-09 19:50:49.376 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44918
< 2017-09-09 19:50:49.398 CDT - 192.168.1.201 user1 > LOG: connection authorized: user=user1 database=user1
< 2017-09-09 19:50:50.912 CDT - 192.168.1.201 user1 > LOG: disconnection: session time: 0:00:01.537 user=user1 database=user1 host=192.168.1.201 port=44918
$ psql -h db0 -U user1@xxxxxxxxxxxx # Logged in as user1 with Kerberos ticket
< 2017-09-09 19:50:54.959 CDT - 192.168.1.201 [unknown] > LOG: connection received: host=192.168.1.201 port=44920
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > LOG: no match in usermap "testnet" for user "user1@xxxxxxxxxxxx" authenticated as "user1@xxxxxxxxxxxx"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > FATAL: GSSAPI authentication failed for user "user1@xxxxxxxxxxxx"
< 2017-09-09 19:50:55.023 CDT - 192.168.1.201 user1@xxxxxxxxxxxx > DETAIL: Connection matched pg_hba.conf line 87: "host all all 192.168.1.0/24 gss include_realm=1 map=testnet krb_realm=A.DOMAIN.TLD"
Is this something that is possible, or is it something where I need to pick one way to do it?
This looks like you are trying to connect with the actual username user1@A.DOMAIN.TLD. pg_ident only sets what you are allowed to log in as, not what it will attempt.
If you are using psql, you are probably doing something like "psql -h myserver". You need to add the user, so "psql -h myserver -U user1", to instruct it of which username to actually use for the login.
--
Magnus Hagander
Me: https://www.hagander.net/
Work: https://www.redpill-linpro.com/
Hi Magnus,
Yes, the system username is "user1", per the default ipa-client-install SSSD setup, and the map is working for that. Without the map, I have to specify the full Kerberos username, user@xxxxxxxxxx, in the psql command.
Works with map:
$ psql -h db0 #Implied -U user1 -d user1
$ psql -h db0 -U user1 -d user1
Does not work with map:
$ psql -h db0 -U user1@xxxxxxxxxxxx -d user1
If you want that to work with the map, then you need to change the map to add the domain, rather than removing it, which is what you currently do.
But it is hard to figure out what it is you actually want. You listed some cases that work and some that don't, but haven't said which ones you want to work and which you want not to work. (Presumably if you want **all** cases to work, you would just use 'trust' and be done with it.)
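The following is an added illustration, not code from the thread or from PostgreSQL itself: a small Python model of how PostgreSQL evaluates pg_ident.conf lines (a SYSTEM-USERNAME starting with "/" is a regex, "\1" in PG-USERNAME is replaced by the first capture group, and the result must equal the requested role exactly; lines of a map are tried in order). Feeding it the poster's two map lines shows why, with include_realm=1, the principal "user1@A.DOMAIN.TLD" can log in as "user1" but not as "user1@A.DOMAIN.TLD": every line in the map strips the realm, so nothing ever produces the full name. A third line that keeps the realm (an assumption added here, following Magnus's suggestion to add the domain rather than remove it) lets either role name through, provided that role actually exists. The realm in the regex, together with krb_realm in pg_hba.conf, is what keeps a same-named user from a foreign realm out, so it should stay anchored.

```python
import re

# Constructed sample, not the poster's actual file: the two pg_ident.conf
# lines from the thread as (MAPNAME, SYSTEM-USERNAME, PG-USERNAME) tuples.
THREAD_MAP = [
    ("testnet", r"/^([0-9A-Za-z_-]+)@A\.DOMAIN\.TLD$", r"\1"),
    ("testnet", r"/^([0-9A-Za-z_-]+)$", r"\1"),
]

# Extra line (an assumption for illustration) whose capture group keeps the
# realm, so the full principal can also be used as the database role name.
KEEP_REALM_MAP = THREAD_MAP + [
    ("testnet", r"/^([0-9A-Za-z_-]+@A\.DOMAIN\.TLD)$", r"\1"),
]


def ident_line_matches(line, system_user, pg_user):
    """Evaluate one pg_ident.conf line the way PostgreSQL does.

    A SYSTEM-USERNAME beginning with '/' is a regular expression; if it
    matches, '\\1' in PG-USERNAME is replaced by the first capture group and
    the result must equal the requested role exactly (case-sensitive).
    Any other SYSTEM-USERNAME is compared literally.
    """
    _, sys_field, pg_field = line
    if sys_field.startswith("/"):
        # PostgreSQL does not implicitly anchor; the ^ and $ in the pattern do.
        m = re.search(sys_field[1:], system_user)
        if m is None:
            return False
        if r"\1" in pg_field:
            if m.lastindex is None:
                # PostgreSQL rejects a \1 when the regex has no capture group.
                raise ValueError("pg_ident regex has no subexpression for \\1")
            pg_field = pg_field.replace(r"\1", m.group(1))
        return pg_field == pg_user
    return sys_field == system_user and pg_field == pg_user


def usermap_allows(map_name, system_user, pg_user, lines):
    """True if any line of `map_name` lets `system_user` log in as `pg_user`.

    Lines are tried in file order and the first hit wins; no hit at all is
    the 'no match in usermap' LOG line seen in the thread.
    """
    return any(ident_line_matches(l, system_user, pg_user)
               for l in lines if l[0] == map_name)


if __name__ == "__main__":
    # With include_realm=1 the authenticated GSSAPI principal is handed to the
    # map with its realm attached, so this is the system-username being mapped.
    principal = "user1@A.DOMAIN.TLD"
    for wanted_role in ("user1", "user1@A.DOMAIN.TLD"):
        thread = usermap_allows("testnet", principal, wanted_role, THREAD_MAP)
        keep = usermap_allows("testnet", principal, wanted_role, KEEP_REALM_MAP)
        print(f"{principal} as {wanted_role}: thread map={thread}, keep-realm map={keep}")
```

The second map line from the thread, `/^([0-9A-Za-z_-]+)$`, can never match while include_realm=1 is set, because the system-username always contains "@"; it only matters if include_realm is dropped, at which point the realm check moves entirely to krb_realm in pg_hba.conf.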