* Christian Ullrich wrote:
* Christian Ullrich wrote:
> According to the release notes, the default for the "include_realm"
> option in SSPI authentication was changed from off to on in 9.5 for
> > improved security. However, the authenticated user name, with the
> > option enabled, includes the NetBIOS domain name, *not* the Kerberos
> realm name:
Below is a patch to correct this behavior. I suspect it has some
serious compatibility issues, so I would appreciate feedback.
Updated patch, sorry. The first one worked by accident only.
--
Christian
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
new file mode 100644
index 3b2935c..7236459
*** a/doc/src/sgml/client-auth.sgml
--- b/doc/src/sgml/client-auth.sgml
*************** omicron bryanh
*** 1097,1102 ****
--- 1097,1132 ----
</varlistentry>
<varlistentry>
+ <term><literal>real_realm</literal></term>
+ <listitem>
+ <para>
+ If set to 0, the domain's SAM-compatible name (also known as the
+ NetBIOS name) is used for the <literal>include_realm</literal>
+ option. This is the default. If set to 1, the true realm name from
+ the Kerberos user principal name is used. If you used the
+ <literal>include_realm</literal> option, you can leave this option
+ disabled to maintain compatibility with existing
+ <filename>pg_ident.conf</filename> files.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><literal>upn_username</literal></term>
+ <listitem>
+ <para>
+ If this option is enabled along with <literal>real_realm</literal>,
+ the user name from the Kerberos UPN is used for authentication. If
+ it is disabled (the default), the SAM-compatible user name is used.
+ Note that <application>libpq</> uses the SAM-compatible name if no
+ explicit user name is specified. If you use
+ <application>libpq</> (e.g. through the ODBC driver), you should
+ leave this option disabled.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
<term><literal>map</literal></term>
<listitem>
<para>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
new file mode 100644
index 0131bfd..0f28f54
*** a/src/backend/libpq/auth.c
--- b/src/backend/libpq/auth.c
*************** typedef SECURITY_STATUS
*** 155,160 ****
--- 155,165 ----
(WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
PCtxtHandle, void **);
static int pg_SSPI_recvauth(Port *port);
+ static int pg_SSPI_make_upn(char *accountname,
+ size_t accountnamesize,
+ char *domainname,
+ size_t domainnamesize,
+ bool
update_accountname);
#endif
/*----------------------------------------------------------------
*************** static int
*** 1026,1031 ****
--- 1031,1037 ----
pg_SSPI_recvauth(Port *port)
{
int mtype;
+ int status;
StringInfoData buf;
SECURITY_STATUS r;
CredHandle sspicred;
*************** pg_SSPI_recvauth(Port *port)
*** 1261,1266 ****
--- 1267,1281 ----
free(tokenuser);
+ if (port->hba->real_realm) {
+ status = pg_SSPI_make_upn(accountname, sizeof(accountname),
+ domainname,
sizeof(domainname),
+
port->hba->upn_username);
+ if (status != STATUS_OK) {
+ return status;
+ }
+ }
+
/*
* Compare realm/domain if requested. In SSPI, always compare case
* insensitive.
*************** pg_SSPI_recvauth(Port *port)
*** 1296,1301 ****
--- 1311,1407 ----
else
return check_usermap(port->hba->usermap, port->user_name,
accountname, true);
}
+
+ static int pg_SSPI_make_upn(char *accountname,
+ size_t accountnamesize,
+ char *domainname,
+ size_t domainnamesize,
+ bool
update_accountname)
+ {
+ char *samname;
+ char *upname = NULL;
+ char *p = NULL;
+ ULONG upnamesize = 0;
+ size_t upnamerealmsize;
+ BOOLEAN res;
+
+ /* Build SAM name (DOMAIN\\user), then translate to UPN
+ (user@kerberos.realm). The realm name is returned in
+ lower case, but that is fine because in SSPI auth,
+ string comparisons are always case-insensitive. */
+
+ samname = psprintf("%s\\%s", domainname, accountname);
+ res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
+ NULL, &upnamesize);
+
+ if ((!res && GetLastError() != ERROR_INSUFFICIENT_BUFFER) || upnamesize
== 0) {
+ pfree(samname);
+ ereport(LOG,
+ (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+ errmsg("could not translate name")));
+ return STATUS_ERROR;
+ }
+
+ /* upnamesize includes the NUL. */
+ upname = (char*)malloc(upnamesize);
+
+ if (!upname) {
+ pfree(samname);
+ ereport(LOG,
+ (errcode(ERRCODE_OUT_OF_MEMORY),
+ errmsg("out of memory")));
+ return STATUS_ERROR;
+ }
+
+ res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
+ upname, &upnamesize);
+
+ pfree(samname);
+ if (res) {
+ p = strrchr(upname, '@');
+ }
+
+ if (!res || p == NULL) {
+ ereport(LOG,
+ (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+ errmsg("could not translate name")));
+ return STATUS_ERROR;
+ }
+
+ /* Length of realm name after the '@', including the NUL. */
+ upnamerealmsize = upnamesize - (p - upname + 1);
+
+ /* Replace domainname with realm name. */
+ if (upnamerealmsize > domainnamesize) {
+ free(upname);
+ ereport(LOG,
+ (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+ errmsg("realm name too long")));
+ return STATUS_ERROR;
+ }
+
+ /* Length is now safe. */
+ strcpy(domainname, p+1);
+
+ /* Replace account name as well (in case UPN != SAM)? */
+ if (update_accountname) {
+ if ((p - upname + 1) > accountnamesize) {
+ free(upname);
+ ereport(LOG,
+
(errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+ errmsg("translated account name too
long")));
+ return STATUS_ERROR;
+ }
+
+ *p = 0;
+ strcpy(accountname, upname);
+ }
+
+ free(upname);
+ return STATUS_OK;
+ }
+
+
#endif /* ENABLE_SSPI */
diff --git a/src/backend/libpq/hba.c b/src/backend/libpq/hba.c
new file mode 100644
index 28f9fb5..f8defab
*** a/src/backend/libpq/hba.c
--- b/src/backend/libpq/hba.c
*************** parse_hba_line(List *line, int line_num,
*** 1287,1292 ****
--- 1287,1302 ----
parsedline->auth_method == uaSSPI)
parsedline->include_realm = true;
+ /*
+ * For SSPI, include_realm defaults to the SAM-compatible domain
+ * (aka NetBIOS name) and user names instead of the Kerberos
+ * principal name for compatibility.
+ */
+ if (parsedline->auth_method == uaSSPI) {
+ parsedline->real_realm = false;
+ parsedline->upn_username = false;
+ }
+
/* Parse remaining arguments */
while ((field = lnext(field)) != NULL)
{
*************** parse_hba_auth_opt(char *name, char *val
*** 1570,1575 ****
--- 1580,1603 ----
else
hbaline->include_realm = false;
}
+ else if (strcmp(name, "real_realm") == 0)
+ {
+ if (hbaline->auth_method != uaSSPI)
+ INVALID_AUTH_OPTION("real_realm", gettext_noop("sspi"));
+ if (strcmp(val, "1") == 0)
+ hbaline->real_realm = true;
+ else
+ hbaline->real_realm = false;
+ }
+ else if (strcmp(name, "upn_username") == 0)
+ {
+ if (hbaline->auth_method != uaSSPI)
+ INVALID_AUTH_OPTION("upn_username",
gettext_noop("sspi"));
+ if (strcmp(val, "1") == 0)
+ hbaline->upn_username = true;
+ else
+ hbaline->upn_username = false;
+ }
else if (strcmp(name, "radiusserver") == 0)
{
struct addrinfo *gai_result;
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
new file mode 100644
index 68a953a..9e4ad8e
*** a/src/include/libpq/hba.h
--- b/src/include/libpq/hba.h
*************** typedef struct HbaLine
*** 77,82 ****
--- 77,84 ----
bool clientcert;
char *krb_realm;
bool include_realm;
+ bool real_realm;
+ bool upn_username;
char *radiusserver;
char *radiussecret;
char *radiusidentifier;
--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
