8 files changed, 83 insertions, 24 deletions
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index b941ccd5030..7970f817561 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.123 2005/02/22 04:35:57 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -41,6 +41,8 @@ static char *recv_password_packet(Port *port);
 static int	recv_and_check_password_packet(Port *port);
 
 char	   *pg_krb_server_keyfile;
+char       *pg_krb_srvnam;
+bool		pg_krb_caseins_users;
 
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +101,7 @@ pg_krb4_recvauth(Port *port)
 	status = krb_recvauth(krbopts,
 						  port->sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  pg_krb_srvnam,
 						  instance,
 						  &port->raddr.in,
 						  &port->laddr.in,
@@ -219,16 +221,16 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
 									 KRB5_NT_SRV_HST, &pg_krb5_server);
 	if (retval)
 	{
 		ereport(LOG,
 		 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-				 PG_KRB_SRVNAM, retval)));
+				 pg_krb_srvnam, retval)));
 		com_err("postgres", retval,
 				"while getting server principal for service \"%s\"",
-				PG_KRB_SRVNAM);
+				pg_krb_srvnam);
 		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
 		krb5_free_context(pg_krb5_context);
 		return STATUS_ERROR;
@@ -264,7 +266,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & port->sock, "postgres",
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
@@ -303,7 +305,11 @@ pg_krb5_recvauth(Port *port)
 	}
 
 	kusername = pg_an_to_ln(kusername);
-	if (strncmp(port->user_name, kusername, SM_DATABASE_USER))
+	if (pg_krb_caseins_users)
+		ret = strncasecmp(port->user_name, kusername, SM_DATABASE_USER);
+	else
+		ret = strncmp(port->user_name, kusername, SM_DATABASE_USER);
+	if (ret)
 	{
 		ereport(LOG,
 				(errmsg("unexpected Kerberos user name received from client (received \"%s\", expected \"%s\")",
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 7f89276b612..3d57509548f 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
  * Written by Peter Eisentraut <peter_e@gmx.net>.
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.263 2005/05/27 18:33:30 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
  *
  *--------------------------------------------------------------------
  */
@@ -63,6 +63,9 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
 
 #define CONFIG_FILENAME	"postgresql.conf"
 #define HBA_FILENAME	"pg_hba.conf"
@@ -860,6 +863,15 @@ static struct config_bool ConfigureNamesBool[] =
 #endif
 	},
 
+	{
+		{"krb_caseins_users", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets if Kerberos user names should be treated case insensitive."),
+			NULL
+		},
+		&pg_krb_caseins_users,
+		false, NULL, NULL
+	},
+
 	/* End-of-list marker */
 	{
 		{NULL, 0, 0, NULL, NULL}, NULL, false, NULL, NULL
@@ -1573,6 +1585,15 @@ static struct config_string ConfigureNamesString[] =
 	},
 
 	{
+		{"krb_srvname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the name of the Kerberos service."),
+			NULL
+		},
+		&pg_krb_srvnam,
+		PG_KRB_SRVNAM, NULL, NULL
+	},
+
+	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour broadcast service name."),
 			NULL
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 0e88d4c5ed0..d54ae5fcfda 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -64,8 +64,11 @@
 #authentication_timeout = 60	# 1-600, in seconds
 #ssl = false
 #password_encryption = true
-#krb_server_keyfile = ''
 #db_user_namespace = false
+# Kerberos
+#krb_server_keyfile = ''
+#krb_caseins_users = false
+#krb_srvname = 'postgres'
 
 
 #---------------------------------------------------------------------------
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 3aef036078f..b8fd25eb64f 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.26 2004/12/31 22:03:32 pgsql Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -27,5 +27,7 @@ extern void ClientAuthentication(Port *port);
 #define PG_KRB5_VERSION "PGVER5.1"
 
 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
+extern bool pg_krb_caseins_users;
 
 #endif   /* AUTH_H */
diff --git a/src/include/pg_config.h.in b/src/include/pg_config.h.in
index 51a13907bb0..da29557e927 100644
--- a/src/include/pg_config.h.in
+++ b/src/include/pg_config.h.in
@@ -602,7 +602,7 @@
 /* Define to the version of this package. */
 #undef PACKAGE_VERSION
 
-/* Define to the name of the PostgreSQL service principal in Kerberos.
+/* Define to the name of the default PostgreSQL service principal in Kerberos.
    (--with-krb-srvnam=NAME) */
 #undef PG_KRB_SRVNAM
 
@@ -635,6 +635,9 @@
 /* Define to 1 to build with assertion checks. (--enable-cassert) */
 #undef USE_ASSERT_CHECKING
 
+/* Define to 1 to build with Bonjour support. (--with-bonjour) */
+#undef USE_BONJOUR
+
 /* Define to 1 if you want 64-bit integer timestamp and interval support.
    (--enable-integer-datetimes) */
 #undef USE_INTEGER_DATETIMES
@@ -645,9 +648,6 @@
 /* Define to 1 to build with PAM support. (--with-pam) */
 #undef USE_PAM
 
-/* Define to 1 to build with Bonjour support. (--with-bonjour) */
-#undef USE_BONJOUR
-
 /* Use replacement snprintf() functions. */
 #undef USE_SNPRINTF
 
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index 0dda34401bb..6624df1ad0a 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.100 2005/03/25 00:34:28 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.101 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -196,7 +196,8 @@ static int
 pg_krb4_sendauth(char *PQerrormsg, int sock,
 				 struct sockaddr_in * laddr,
 				 struct sockaddr_in * raddr,
-				 const char *hostname)
+				 const char *hostname, 
+				 const char *servicename)
 {
 	long		krbopts = 0;	/* one-way authentication */
 	KTEXT_ST	clttkt;
@@ -216,7 +217,7 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
 	status = krb_sendauth(krbopts,
 						  sock,
 						  &clttkt,
-						  PG_KRB_SRVNAM,
+						  servicename,
 						  hostname,
 						  realm,
 						  (u_long) 0,
@@ -260,6 +261,10 @@ pg_krb4_sendauth(char *PQerrormsg, int sock,
  *	   provide an aname mapping database...it may be a better idea to use
  *	   krb5_an_to_ln, except that it punts if multiple components are found,
  *	   and we can't afford to punt.
+ *
+ * For WIN32, convert username to lowercase because the Win32 kerberos library
+ * generates tickets with the username as the user entered it instead of as
+ * it is entered in the directory.
  */
 static char *
 pg_an_to_ln(char *aname)
@@ -268,6 +273,11 @@ pg_an_to_ln(char *aname)
 
 	if ((p = strchr(aname, '/')) || (p = strchr(aname, '@')))
 		*p = '\0';
+#ifdef WIN32
+	for (p = aname; *p ; p++)
+		*p = pg_tolower(*p);
+#endif
+
 	return aname;
 }
 
@@ -360,7 +370,7 @@ pg_krb5_authname(char *PQerrormsg)
  *					   the server
  */
 static int
-pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
+pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *servicename)
 {
 	krb5_error_code retval;
 	int			ret;
@@ -379,7 +389,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
 	if (ret != STATUS_OK)
 		return ret;
 
-	retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+	retval = krb5_sname_to_principal(pg_krb5_context, hostname, servicename,
 									 KRB5_NT_SRV_HST, &server);
 	if (retval)
 	{
@@ -405,7 +415,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname)
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, PG_KRB_SRVNAM,
+						   (krb5_pointer) & sock, "postgres",
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */
@@ -602,7 +612,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 			if (pg_krb4_sendauth(PQerrormsg, conn->sock,
 							   (struct sockaddr_in *) & conn->laddr.addr,
 							   (struct sockaddr_in *) & conn->raddr.addr,
-								 hostname) != STATUS_OK)
+								 hostname, conn->krbsrvname) != STATUS_OK)
 			{
 				/* PQerrormsg already filled in */
 				pgunlock_thread();
@@ -620,7 +630,7 @@ fe_sendauth(AuthRequest areq, PGconn *conn, const char *hostname,
 #ifdef KRB5
 			pglock_thread();
 			if (pg_krb5_sendauth(PQerrormsg, conn->sock,
-								 hostname) != STATUS_OK)
+								 hostname, conn->krbsrvname) != STATUS_OK)
 			{
 				/* PQerrormsg already filled in */
 				pgunlock_thread();
diff --git a/src/interfaces/libpq/fe-connect.c b/src/interfaces/libpq/fe-connect.c
index 15bcf5f911b..05899450237 100644
--- a/src/interfaces/libpq/fe-connect.c
+++ b/src/interfaces/libpq/fe-connect.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.306 2005/05/05 16:40:42 momjian Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-connect.c,v 1.307 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -170,6 +170,12 @@ static const PQconninfoOption PQconninfoOptions[] = {
 	{"sslmode", "PGSSLMODE", DefaultSSLMode, NULL,
 	"SSL-Mode", "", 8},			/* sizeof("disable") == 8 */
 
+#if defined(KRB4) || defined(KRB5)
+	/* Kerberos authentication supports specifying the service name */
+	{"krbsrvname", "PGKRBSRVNAME", PG_KRB_SRVNAM, NULL,
+	 "Kerberos-service-name", "", 20},
+#endif
+
 	/* Terminating entry --- MUST BE LAST */
 	{NULL, NULL, NULL, NULL,
 	NULL, NULL, 0}
@@ -393,6 +399,10 @@ connectOptions1(PGconn *conn, const char *conninfo)
 		conn->sslmode = strdup("require");
 	}
 #endif
+#if defined(KRB4) || defined(KRB5)
+	tmp = conninfo_getval(connOptions, "krbsrvname");
+	conn->krbsrvname = tmp ? strdup(tmp) : NULL;
+#endif
 
 	/*
 	 * Free the option info - all is in conn now
@@ -2074,6 +2084,10 @@ freePGconn(PGconn *conn)
 		free(conn->pgpass);
 	if (conn->sslmode)
 		free(conn->sslmode);
+#if defined(KRB4) || defined(KRB5)
+	if (conn->krbsrvname)
+		free(conn->krbsrvname);
+#endif
 	/* Note that conn->Pfdebug is not ours to close or free */
 	notify = conn->notifyHead;
 	while (notify != NULL)
diff --git a/src/interfaces/libpq/libpq-int.h b/src/interfaces/libpq/libpq-int.h
index 9862e01bc91..e4692d5d5f6 100644
--- a/src/interfaces/libpq/libpq-int.h
+++ b/src/interfaces/libpq/libpq-int.h
@@ -12,7 +12,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.100 2005/01/06 00:59:47 tgl Exp $
+ * $PostgreSQL: pgsql/src/interfaces/libpq/libpq-int.h,v 1.101 2005/06/04 20:42:43 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -261,6 +261,9 @@ struct pg_conn
 	char	   *pguser;			/* Postgres username and password, if any */
 	char	   *pgpass;
 	char	   *sslmode;		/* SSL mode (require,prefer,allow,disable) */
+#if defined(KRB5) || defined(KRB4)
+	char       *krbsrvname;     /* Kerberos service name */
+#endif
 
 	/* Optional file to write trace info to */
 	FILE	   *Pfdebug;