Re: [PATCH v1] GSSAPI encryption support - Mailing list pgsql-hackers

From Michael Paquier
Subject Re: [PATCH v1] GSSAPI encryption support
Date
Msg-id CAB7nPqTfCC3Dg1eMHPmNoPRmt+rU_Jsf=kFfHVw8iPVVLOaqbg@mail.gmail.com
In response to Re: [PATCH v1] GSSAPI encryption support  (Robbie Harwood <rharwood@redhat.com>)
List pgsql-hackers
On Sat, Aug 22, 2015 at 4:06 AM, Robbie Harwood wrote:
>
> Michael Paquier <michael.paquier@gmail.com> writes:
> > Going through the docs, the overall approach taken by the patch looks neat,
> > and the default values as designed for both the client and the server are
> > good things to do. Now actually looking at the code I am suspecting that
> > some code portions could be largely simplified in the authentication
> > protocol code, though I don't have the time yet to look at that in details.
>
> If there are ways to make it simpler without sacrificing clarity, I
> welcome them.  Fresh eyes could definitely help with that!

I'll look at that more next week or the week after.

> > Also, when trying to connect with GSSAPI, I found the following problem:
> > psql: lost synchronization with server: got message type "S", length 22
> > This happens whatever the value of require_encrypt on server-side is,
> > either 0 or 1.
>
> Well that's not good!  Since I'm not seeing this failure (even after
> rebuilding my setup with patches applied to master), can you give me
> more information here?  Since it's independent of require_encrypt, can
> you verify it doesn't happen on master without my patches?

Well, I imagine that I have done nothing complicated... I have simply
set up a Kerberos KDC on a dev box and created the necessary credentials on
this box in a keytab file, which I then used to initialize a
Kerberos context with kinit for the psql client. On master things
worked fine: I was able to connect via GSSAPI. But with your patch the
communication protocol visibly lost track of the messages. I took a
memo about that; it's a bit rough and does not use pg_ident, but in case
it can help:
http://michael.otacoo.com/manuals/postgresql/kerberos/

> What messages went over the wire to/from the server before this occurred (and
> what was it trying to send at the time)?

I haven't checked yet which messages were sent over the network.

> Did you have valid credentials?

Yep. I just tried on master before switching to a build with your
patch, which failed. After moving back to master, things worked again.
-- 
Michael
