Bug 189698 - authd doesn't work with postgresql
Product: Fedora
Classification: Fedora
Component: postgresql
Hardware: All, OS: Linux
Priority: medium, Severity: medium
Assigned To: Tom Lane
QA Contact: David Lawrence
Keywords: Reopened
Reported: 2006-04-23 07:11 EDT by Behdad Esfahbod
Modified: 2013-07-02 23:09 EDT
Doc Type: Bug Fix
Last Closed: 2006-08-11 08:10:56 EDT

Description Behdad Esfahbod 2006-04-23 07:11:14 EDT
Description of problem:
The authd ident service doesn't play nice with postgres for some reason. 
oidentd works.

How reproducible:

Steps to Reproduce:
1. enable auth service in xinetd
2. start postgres service
3. run "sudo -u postgres psql -h localhost"
Actual results:

Error that Ident authentication failed

Expected results:

psql should run

Additional info:

Uninstalling authd and installing oidentd makes it work.
Comment 1 Adam Tkac 2006-06-26 10:52:41 EDT
Make sure that the auth service is configured correctly. You can't send postgresql
encrypted data (server_args without -E)

service auth
{
        disable         = no
        socket_type     = stream
        wait            = no
        user            = ident
        cps             = 4096 10
        instances       = UNLIMITED
        server          = /usr/sbin/in.authd
        server_args     = -t60 --xerror --os #-E
}

# sudo -u postgres psql -h localhost
Welcome to psql 8.1.3, the PostgreSQL interactive terminal.
Comment 2 Behdad Esfahbod 2006-07-04 10:12:10 EDT
So, shouldn't this be the default configuration then?
Comment 3 Karel Zak 2006-07-25 05:30:55 EDT
What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
side setting correct?
Comment 4 Behdad Esfahbod 2006-07-25 16:03:49 EDT
(In reply to comment #3)
> What do you have in /var/lib/pgsql/data/pg_hba.conf? Is your postgresql server
> side setting correct?

I was using the default configuration, and it's been working flawlessly in
previous versions of Fedora.
Comment 5 Martin Stransky 2006-08-08 08:56:24 EDT
Encryption is the default option in FC5....
Comment 6 Behdad Esfahbod 2006-08-10 17:04:40 EDT
This *is* a bug.  If encryption is the default in Fedora, then postgres default
config should be made to understand it.  NOTABUG doesn't fix it.
Comment 7 Martin Stransky 2006-08-11 05:21:12 EDT
Okay, reassigning to postgresql; could we enable the encryption here?
Comment 8 Tom Lane 2006-08-11 08:10:56 EDT
No.  To postgres, the entire point of ident authentication is to find out the real username of the 
connecting process, and encrypted authd purposely prevents the requestor from finding that out.  The 
fact that the complainer thinks it's a bug doesn't make it so :-( ... it's just a difference of opinion about 
the goals of the ident protocol.

If you really want to use ident auth on a tcp connection with an encrypting authd, you can find out what 
authd will return as the "username" for each real user, and set up an ident map file to map that to 
postgres user names (ie, don't use "ident sameuser").  Unfortunately I see no way for postgres to 
determine that mapping automatically --- the encryption would be useless if easily reversed, no?

There's been some upstream discussion about moving away from ident as the default auth method for 
tcp connections, but that won't happen before PG 8.2 at the earliest.
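
An added illustration of the point made in comment 8 (not code from this bug report, authd, or PostgreSQL): a Python sketch that parses RFC 1413 ident replies and compares a "sameuser" check with an explicit ident map. The reply lines, the opaque token, and the names parse_ident_reply and ident_allows are constructed for this example.

```python
import re

# RFC 1413: "<port-on-server> , <port-on-client> : USERID : <opsys> : <user-id>"
#       or: "<port-on-server> , <port-on-client> : ERROR : <error-type>"
REPLY_RE = re.compile(r"^\s*(\d+)\s*,\s*(\d+)\s*:\s*(USERID|ERROR)\s*:\s*(.*)$")

def parse_ident_reply(line):
    """Parse one ident reply line into a dict; raise ValueError if malformed."""
    m = REPLY_RE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError("malformed ident reply: %r" % line)
    reply = {"port_on_server": int(m.group(1)),
             "port_on_client": int(m.group(2)),
             "kind": m.group(3)}
    if reply["kind"] == "ERROR":
        reply["error"] = m.group(4).strip()
        return reply
    # The user-id runs to end of line and may itself contain ':'.
    opsys, sep, userid = m.group(4).partition(":")
    if not sep:
        raise ValueError("USERID reply without a user-id field: %r" % line)
    reply["opsys"] = opsys.strip()
    reply["userid"] = userid.strip()  # simplification: surrounding blanks dropped
    return reply

def ident_allows(reply, pg_user, ident_map=None):
    """Decide whether the ident answer authorizes pg_user.

    ident_map=None models "ident sameuser": the returned name must equal the
    requested database user. Otherwise ident_map is a set of
    (ident_name, pg_user) pairs, modelling an explicit ident map file.
    """
    if reply["kind"] != "USERID":
        return False
    if ident_map is None:
        return reply["userid"] == pg_user
    return (reply["userid"], pg_user) in ident_map

# Constructed sample replies (not captured from a real authd).
PLAIN = "40001 , 5432 : USERID : UNIX : postgres\r\n"
ENCRYPTED = "40001 , 5432 : USERID : OTHER : [OPAQUE-TOKEN-PLACEHOLDER]\r\n"
NO_USER = "40001 , 5432 : ERROR : NO-USER\r\n"
# Explicit mapping from the opaque name the ident server returns to a database user.
TOKEN_MAP = {("[OPAQUE-TOKEN-PLACEHOLDER]", "postgres")}

if __name__ == "__main__":
    for name, line in (("plain", PLAIN), ("encrypted", ENCRYPTED), ("error", NO_USER)):
        r = parse_ident_reply(line)
        print(name, "sameuser:", ident_allows(r, "postgres"),
              "mapped:", ident_allows(r, "postgres", TOKEN_MAP))
```

With the opaque reply, the sameuser comparison fails because the returned string is not the OS username, which matches the failure reported here; only an explicit map entry for that string lets the check pass.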
Comment 9 Behdad Esfahbod 2006-08-11 11:56:35 EDT
(In reply to comment #8)
> The fact that the complainer thinks it's a bug doesn't make it so :-( ...

True.  But the fact that we ship defaults that don't work /is/ a bug.  And in
this case, it's even a regression since it's been working in FC4 and before.
