Nasty PostgreSQL + Kerberos interaction
[Jan. 13th, 2010 | 03:07 pm]
We've been using Kerberos as part of our single sign-on solution at $WORK. We also use PostgreSQL for most of our database needs. Well, for the Rails apps, anyway.
On our preview box we have an older version of PostgreSQL (8.1.x). I was tinkering with Kerberos (using kinit) on the preview box Monday.
That's when things started to go awry for one of our Rails apps.
For some reason, which had us completely baffled, it was trying to use the wrong database username. Not so coincidentally, the name it was trying to use happened to match the latest Kerberos principal name.
Upon reading the latest and greatest PostgreSQL (8.4.x) documentation, I found this in the release notes:
Previously, a Kerberos-capable build of libpq would use the principal name from any available Kerberos ticket as default database username, even if the connection wasn’t using Kerberos authentication. This was deemed inconsistent and confusing. The default username is now determined the same way with or without Kerberos. Note however that the database username must still match the ticket when Kerberos authentication is used.
Sweet mother of Jesus! Are you F****** kidding me?
So, ladies and gentlemen, be sure to upgrade your PostgreSQL installs if you plan on working with Kerberos anytime soon.
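
One way to find configurations exposed to this behaviour, as an added example that is not part of the original post: it lists the PostgreSQL entries of a Rails database.yml that carry no explicit username, on the assumption that such entries leave the role name to libpq's default. The sample YAML, the environment names and the helper names are all constructed for illustration.

```ruby
require "yaml"

# Constructed sample database.yml; every name here is illustrative only.
SAMPLE_DATABASE_YML = <<~YAML
  development:
    adapter: postgresql
    database: app_dev
    username: app_dev
  preview:
    adapter: postgresql
    database: app_preview
  staging:
    adapter: postgresql
    database: app_staging
    username:
  reports:
    adapter: sqlite3
    database: db/reports.sqlite3
YAML

# Returns the names of PostgreSQL environments whose username is missing or
# blank. Assumption: for these, the role name is left to libpq's default,
# which on a pre-8.4 Kerberos-capable build could be the principal of
# whatever ticket is currently cached (per the release note quoted above).
def implicit_username_envs(yaml_text)
  config = YAML.safe_load(yaml_text) || {}
  config.select do |_env, settings|
    next false unless settings.is_a?(Hash)
    next false unless settings["adapter"] == "postgresql"
    settings["username"].to_s.strip.empty?
  end.keys
end

# Builds one warning per affected environment. PGUSER is libpq's documented
# environment default for the user parameter, so it is reported when set.
# The env argument is injectable so the check can be tested.
def audit(yaml_text, env = ENV)
  pguser = env["PGUSER"].to_s
  implicit_username_envs(yaml_text).map do |name|
    if pguser.empty?
      "#{name}: no username set; role is chosen by libpq's default"
    else
      "#{name}: no username set; role comes from PGUSER=#{pguser}"
    end
  end
end

puts audit(SAMPLE_DATABASE_YML) if __FILE__ == $PROGRAM_NAME
```

Setting an explicit username for every flagged entry removes the dependence on libpq's default, whatever version of libpq is installed.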