Re: Patch to add Heimdal kerberos support - Mailing list pgsql-patches

From Tom Lane
Subject Re: Patch to add Heimdal kerberos support
Date
Msg-id 29283.1005609162@sss.pgh.pa.us
In response to Patch to add Heimdal kerberos support  (Bill Studenmund <wrstuden@netbsd.org>)
Responses Re: Patch to add Heimdal kerberos support  (Bill Studenmund <wrstuden@netbsd.org>)
Re: Patch to add Heimdal kerberos support  (Peter Eisentraut <peter_e@gmx.net>)
List pgsql-patches
Bill Studenmund <wrstuden@netbsd.org> writes:
> Attached please find a patch to make Postgres compile with Heimdal krb5
> support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> implies MIT krb5 support.

Couldn't we do this in a way that doesn't require a user configure switch?

--- src/backend/libpq/auth.c    2001/10/28 06:25:44    1.71
+++ src/backend/libpq/auth.c    2001/11/12 22:32:00
@@ -229,7 +229,7 @@
                  " Kerberos error %d\n", retval);
         com_err("postgres", retval,
                 "while getting server principal for service %s",
-                pg_krb_server_keyfile);
+                PG_KRB_SRVNAM);
         krb5_kt_close(pg_krb5_context, pg_krb5_keytab);

This change seems like a step backwards.


         krb5_free_context(pg_krb5_context);
         return STATUS_ERROR;
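
Review bot: In the com_err() call on this error path, swapping pg_krb_server_keyfile for PG_KRB_SRVNAM removes the keytab path from the diagnostic, which is useful when tracking down the failure being reported. The new argument does match the "for service %s" wording, so consider reporting both values, for example with a format string such as "while getting server principal for service %s (keytab %s)". Nothing in this hunk is conditional on the Kerberos implementation, so it would also read more cleanly as a change separate from the Heimdal work.
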
@@ -283,8 +283,13 @@
      *
      * I have no idea why this is considered necessary.
      */
+#ifdef KRB5_MIT
     retval = krb5_unparse_name(pg_krb5_context,
                                ticket->enc_part2->client, &kusername);
+#else
+    retval = krb5_unparse_name(pg_krb5_context,
+                               ticket->client, &kusername);
+#endif
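
Review bot: The #else branch treats every build where KRB5_MIT is undefined as Heimdal, so ticket->client is selected by the absence of a vendor macro rather than by the actual layout of the ticket structure. Since the two branches differ only in where the client principal lives, consider having configure test for that struct member and hiding the access behind one macro or small helper, which keeps krb5_unparse_name() as a single call and avoids a user-visible switch for this difference. A short comment naming which library uses which field would also help, given that the existing comment above already says the reason for this code is unclear.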

If this is the only code change needed, couldn't we dispense with it
somehow?  I notice that the previous authors of this code had grave
doubts about comparing the username at all.  I don't know much about
Kerberos' security model --- is the fact that we got a ticket sufficient
authentication, and if not why not?

            regards, tom lane
