]> granicus.if.org Git - postgresql/commitdiff
Add authentication parameters compat_realm and upn_usename for SSPI
authorMagnus Hagander <magnus@hagander.net>
Fri, 8 Apr 2016 18:23:52 +0000 (20:23 +0200)
committerMagnus Hagander <magnus@hagander.net>
Fri, 8 Apr 2016 18:28:38 +0000 (20:28 +0200)
These parameters are available for SSPI authentication only, to make
it possible to make it behave more like "normal gssapi", while
making it possible to maintain compatibility.

compat_realm is on by default, but can be turned off to make the
authentication use the full Kerberos realm instead of the NetBIOS name.

upn_username is off by default, and can be turned on to return the users
Kerberos UPN rather than the SAM-compatible name (a user in Active
Directory can have both a legacy SAM-compatible username and a new
Kerberos one. Normally they are the same, but not always)

Author: Christian Ullrich
Reviewed by: Robbie Harwood, Alvaro Herrera, me

doc/src/sgml/client-auth.sgml
src/backend/libpq/auth.c
src/backend/libpq/hba.c
src/include/libpq/hba.h

index 28973e2c2b4d5206e9fe8433015126444856fc57..e28d02eafe4161bc8466693d8aa59dd5cf827315 100644 (file)
@@ -1106,6 +1106,43 @@ omicron         bryanh                  guest1
       </listitem>
      </varlistentry>
 
+     <varlistentry>
+      <term><literal>compat_realm</literal></term>
+      <listitem>
+       <para>
+        If set to 1, the domain's SAM-compatible name (also known as the
+        NetBIOS name) is used for the <literal>include_realm</literal>
+        option. This is the default. If set to 0, the true realm name from
+        the Kerberos user principal name is used.
+       </para>
+       <para>
+        Do not enable this option unless your server runs under a domain
+        account (this includes virtual service accounts on a domain member
+        system) and all clients authenticating through SSPI are also using
+        domain accounts, or authentication will fail.
+       </para>
+      </listitem>
+     </varlistentry>
+
+     <varlistentry>
+      <term><literal>upn_username</literal></term>
+      <listitem>
+       <para>
+        If this option is enabled along with <literal>compat_realm</literal>,
+        the user name from the Kerberos UPN is used for authentication. If
+        it is disabled (the default), the SAM-compatible user name is used.
+        By default, these two names are identical for new user accounts.
+       </para>
+       <para>
+        Note that <application>libpq</> uses the SAM-compatible name if no
+        explicit user name is specified. If you use
+        <application>libpq</> or a driver based on it, you should
+        leave this option disabled or explicitly specify user name in the
+        connection string.
+       </para>
+      </listitem>
+     </varlistentry>
+
      <varlistentry>
       <term><literal>map</literal></term>
       <listitem>
index dbba712352f83bb11ac003b62e1602af130c2bb7..43bb13435503178f8e65552936cd246549d8831f 100644 (file)
@@ -166,6 +166,11 @@ typedef SECURITY_STATUS
                        (WINAPI * QUERY_SECURITY_CONTEXT_TOKEN_FN) (
                                                                                                           PCtxtHandle, void **);
 static int     pg_SSPI_recvauth(Port *port);
+static int pg_SSPI_make_upn(char *accountname,
+                                size_t accountnamesize,
+                                char *domainname,
+                                size_t domainnamesize,
+                                bool update_accountname);
 #endif
 
 /*----------------------------------------------------------------
@@ -1287,6 +1292,17 @@ pg_SSPI_recvauth(Port *port)
 
        free(tokenuser);
 
+       if (!port->hba->compat_realm)
+       {
+               int                     status = pg_SSPI_make_upn(accountname, sizeof(accountname),
+                                                                                         domainname, sizeof(domainname),
+                                                                                         port->hba->upn_username);
+
+               if (status != STATUS_OK)
+                       /* Error already reported from pg_SSPI_make_upn */
+                       return status;
+       }
+
        /*
         * Compare realm/domain if requested. In SSPI, always compare case
         * insensitive.
@@ -1322,6 +1338,100 @@ pg_SSPI_recvauth(Port *port)
        else
                return check_usermap(port->hba->usermap, port->user_name, accountname, true);
 }
+
+/*
+ * Replaces the domainname with the Kerberos realm name,
+ * and optionally the accountname with the Kerberos user name.
+ */
+static int
+pg_SSPI_make_upn(char *accountname,
+                                size_t accountnamesize,
+                                char *domainname,
+                                size_t domainnamesize,
+                                bool update_accountname)
+{
+       char       *samname;
+       char       *upname = NULL;
+       char       *p = NULL;
+       ULONG           upnamesize = 0;
+       size_t          upnamerealmsize;
+       BOOLEAN         res;
+
+       /*
+        * Build SAM name (DOMAIN\user), then translate to UPN
+        * (user@kerberos.realm). The realm name is returned in lower case, but
+        * that is fine because in SSPI auth, string comparisons are always
+        * case-insensitive.
+        */
+
+       samname = psprintf("%s\\%s", domainname, accountname);
+       res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
+                                               NULL, &upnamesize);
+
+       if ((!res && GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+               || upnamesize == 0)
+       {
+               pfree(samname);
+               ereport(LOG,
+                               (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+                                errmsg("could not translate name")));
+               return STATUS_ERROR;
+       }
+
+       /* upnamesize includes the terminating NUL. */
+       upname = palloc(upnamesize);
+
+       res = TranslateName(samname, NameSamCompatible, NameUserPrincipal,
+                                               upname, &upnamesize);
+
+       pfree(samname);
+       if (res)
+               p = strchr(upname, '@');
+
+       if (!res || p == NULL)
+       {
+               pfree(upname);
+               ereport(LOG,
+                               (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+                                errmsg("could not translate name")));
+               return STATUS_ERROR;
+       }
+
+       /* Length of realm name after the '@', including the NUL. */
+       upnamerealmsize = upnamesize - (p - upname + 1);
+
+       /* Replace domainname with realm name. */
+       if (upnamerealmsize > domainnamesize)
+       {
+               pfree(upname);
+               ereport(LOG,
+                               (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+                                errmsg("realm name too long")));
+               return STATUS_ERROR;
+       }
+
+       /* Length is now safe. */
+       strcpy(domainname, p + 1);
+
+       /* Replace account name as well (in case UPN != SAM)? */
+       if (update_accountname)
+       {
+               if ((p - upname + 1) > accountnamesize)
+               {
+                       pfree(upname);
+                       ereport(LOG,
+                                       (errcode(ERRCODE_INVALID_ROLE_SPECIFICATION),
+                                        errmsg("translated account name too long")));
+                       return STATUS_ERROR;
+               }
+
+               *p = 0;
+               strcpy(accountname, upname);
+       }
+
+       pfree(upname);
+       return STATUS_OK;
+}
 #endif   /* ENABLE_SSPI */
 
 
index a4c415da77a1b17484b62e9cbde5b3dda2d87317..1b4bbce42dd0849868b22a34fa5ddc226c7047e0 100644 (file)
@@ -1293,6 +1293,17 @@ parse_hba_line(List *line, int line_num, char *raw_line)
                parsedline->auth_method == uaSSPI)
                parsedline->include_realm = true;
 
+       /*
+        * For SSPI, include_realm defaults to the SAM-compatible domain (aka
+        * NetBIOS name) and user names instead of the Kerberos principal name for
+        * compatibility.
+        */
+       if (parsedline->auth_method == uaSSPI)
+       {
+               parsedline->compat_realm = true;
+               parsedline->upn_username = false;
+       }
+
        /* Parse remaining arguments */
        while ((field = lnext(field)) != NULL)
        {
@@ -1585,6 +1596,24 @@ parse_hba_auth_opt(char *name, char *val, HbaLine *hbaline, int line_num)
                else
                        hbaline->include_realm = false;
        }
+       else if (strcmp(name, "compat_realm") == 0)
+       {
+               if (hbaline->auth_method != uaSSPI)
+                       INVALID_AUTH_OPTION("compat_realm", gettext_noop("sspi"));
+               if (strcmp(val, "1") == 0)
+                       hbaline->compat_realm = true;
+               else
+                       hbaline->compat_realm = false;
+       }
+       else if (strcmp(name, "upn_username") == 0)
+       {
+               if (hbaline->auth_method != uaSSPI)
+                       INVALID_AUTH_OPTION("upn_username", gettext_noop("sspi"));
+               if (strcmp(val, "1") == 0)
+                       hbaline->upn_username = true;
+               else
+                       hbaline->upn_username = false;
+       }
        else if (strcmp(name, "radiusserver") == 0)
        {
                struct addrinfo *gai_result;
index 58f90fec80d3563936f776549b7ada33f0887fea..dc7d2572eaa29d2997060c2ec6aab9d42a3a9ee1 100644 (file)
@@ -79,6 +79,8 @@ typedef struct HbaLine
        bool            clientcert;
        char       *krb_realm;
        bool            include_realm;
+       bool            compat_realm;
+       bool            upn_username;
        char       *radiusserver;
        char       *radiussecret;
        char       *radiusidentifier;