Magnus, et al, * Magnus Hagander (mag...@hagander.net) wrote: > Looking at the open item about the new error message shown when Kerberos > is compiled in, and not used: > assword: > FATAL: password authentication failed for user "mha" > psql: pg_krb5_init: krb5_cc_get_principal: No credentials cache found > FATAL: password authentication failed for user "mha"
That is annoying, I can understand that. > The reason this is happening is that we are initializing Kerberos even > if we're not going to use it. The reason for doing *this*, is that if > kerberos is compiled in, we use it to find out if we should try a > different username than the one logged in to the local system - we look > at the kerberos login. This made sense before we had mappings support because the only user you could possibly be in PG is the one you authenticated as. > We don't do this for any other login, including kerberos over GSSAPI. > AFAIK, we've heard no complaints. Well, I havn't moved all my systems to GSSAPI yet.. :) > Thoughts? Now that we have support for mappings, I expect it will be more common for a user to authenticate with princ 'A' and then connect using their Unix id 'B' to a PG user 'B'. As such, I'm alright with dropping support for this. Users can always use -U (or equiv) if necessary. Thanks, Stephen
signature.asc
Description: Digital signature