Kerberos authentication, Active Directory, and PostgreSQL - Mailing list pgsql-bugs

From Turner, Ian
Subject Kerberos authentication, Active Directory, and PostgreSQL
Date
Msg-id 28A4DB436106924BADF219EA31CE80AEF4BAB0@mailnyc2.nyc.deshaw.com
List pgsql-bugs
Hello pgsql-bugs,

While trying to connect our PostgreSQL database to our Kerberos realm, we encountered the obscure message "Invalid message length". Tracking this down, we discovered that it was emitted by src/backend/libpq/pqcomm.c in response to a rather large Kerberos message. The root cause is as follows, and a patch is below.

The code in src/backend/libpq/auth.c contains a hard-coded limit on the size of GSS messages, and in particular on the message containing the client's Kerberos ticket for the postgres server. The limit was 2,000 bytes, which is normally adequate for tickets based on TGTs issued by Unix KDCs. However, TGTs issued by Windows domain controllers contain an authorization field known as the PAC (privilege attribute certificate), which contains the user's Windows permissions (group memberships etc.). The PAC is copied into all tickets obtained on the basis of this TGT (even those issued by Unix realms which the Windows realm trusts), and can be several K in size. Thus, GSS authentication was failing with an "invalid message length" error. We simply upped the limit to 32k, which ought to be sufficient.

The patch is quite brief:

--- postgresql-8.4-8.4.1/src/backend/libpq/auth.c=A0=A0=A0=A0=A0=A0 2009-06=
-25 12:30:08.000000000 +0100
+++ postgresql-8.4-8.4.1-fixed/src/backend/libpq/auth.c 2009-09-15 20:27:01=
.000000000 +0100
@@ -166,6 +166,8 @@
=A0#endif

=A0static int=A0=A0=A0=A0 pg_GSS_recvauth(Port *port);
+
+#define GSS_MAX_TOKEN_LENGTH (32767)
=A0#endif=A0=A0 /* ENABLE_GSS */


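Review bot: GSS_MAX_TOKEN_LENGTH is introduced as a bare magic number with no comment; add one line above the define explaining why 2000 was too small (Windows-issued TGTs carry a PAC that is copied into every service ticket, so the token can be several kilobytes) and why 32767 was chosen as the new ceiling. Note also that the define is placed just before `#endif /* ENABLE_GSS */`, i.e. inside the ENABLE_GSS block, so it is invisible to code compiled without GSS; if the SSPI receive path in this file reads its token with the same hard-coded 2000, that call should be changed as well, which means the macro belongs outside the ENABLE_GSS guard (and a name such as PG_MAX_AUTH_TOKEN_LENGTH would then fit better).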
@@ -937,7 +939,7 @@

=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 /* Get the actual GSS token */
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 initStringInfo(&buf);
-=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 if (pq_getmessage(&buf, 2000))
+=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 if (pq_getmessage(&buf, GSS_MAX=
_TOKEN_LENGTH))
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 {
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 /* EO=
F - pq_getmessage already logged error */
=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 pfree=
(buf.data);
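Review bot: The replacement keeps the read bounded, which is the right call: this pq_getmessage runs before the client has authenticated, so maxlen is the only thing capping how much an unauthenticated peer can make the backend allocate for this message, and 32767 is a sensible ceiling that should not be relaxed further. Since the failure surfaced only as the generic "invalid message length" from pqcomm.c, which is what sent the reporter digging through the source, consider logging an auth-specific hint when the GSS token exceeds GSS_MAX_TOKEN_LENGTH so operators can recognise an oversized Kerberos ticket without reading this code path.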


Please let me know if anything additional is required in order to get this fix into the next release.

Best regards,

--Ian Turner
  Sr. UNIX Systems Engineer
  D. E. Shaw & Co.
