Thread: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2
> Now, our code has been modified since his patch was applied, > but we now > have: > > /* > * If no hostname was specified, pg_krb_server_hostname is already > * NULL. If it's set to blank, force it to NULL. > */ > khostname = pg_krb_server_hostname; > if (khostname && khostname[0] == '\0') > khostname = NULL; > > retval = krb5_sname_to_principal(pg_krb5_context, > khostname, > pg_krb_srvnam, > KRB5_NT_SRV_HST, > &pg_krb5_server); > > The basic affect is if the GUC krb_server_hostname is empty/NULL, > krb5_sname_to_principal() gets called with a 2nd argument > (hostname) of NULL. The documentation for this function says > for this argument: Yup, that's correct it's the new behaviour. > http://publib.boulder.ibm.com/iseries/v5r1/ic2924/index.htm?in > fo/apis/krb5list.htm > > hostname (Input) > > The host containing the desired service instance. The > local host is used > if NULL is specified for this parameter. > > Which says it doesn't accept any service entry in keytab, but > rather binds the server hostname to 'localhost'. I think > this is why it wasn't working for Magnus. No. This is how it is now, after Tom applied my patch. It now works just fine for me. Previously, we set pg_krb5_server to NULL, which is something completely different than pg_krb_srvname=NULL (yes, they are named very closely, but they are completely different things). krb5_sname_to_principal() was never called. This is what wasn't working for me. > I have applied the following patch which updates the > documentation to reflect 'localhost', and improves the error > message to always print the server name as well as the > service name. (We have had complaints about poor Kerberos > error messages before.) This is not correct. The default is *not* "localhost". It's the "local host name". As in what's returned by gethostname(). //Magnus
Magnus Hagander wrote: > Previously, we set pg_krb5_server to NULL, which is something completely > different than pg_krb_srvname=NULL (yes, they are named very closely, > but they are completely different things). krb5_sname_to_principal() > was never called. > > This is what wasn't working for me. > > > I have applied the following patch which updates the > > documentation to reflect 'localhost', and improves the error > > message to always print the server name as well as the > > service name. (We have had complaints about poor Kerberos > > error messages before.) > > This is not correct. > The default is *not* "localhost". It's the "local host name". As in > what's returned by gethostname(). Ah, local host name, not localhost. Poor wording. Text updated: If not set, the default is the server hostname. See <xref linkend="kerberos-auth"> for details. This parameter can only be set at server start. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073
Bruce Momjian <pgman@candle.pha.pa.us> writes: > Magnus Hagander wrote: >> This is not correct. >> The default is *not* "localhost". It's the "local host name". As in >> what's returned by gethostname(). > Ah, local host name, not localhost. Poor wording. Text updated: > If not set, the default is the server hostname. See <xref > linkend="kerberos-auth"> for details. This parameter can only be set at > server start. The code patch also assumed that "localhost" is a valid way to describe the default; you have to do something about that too. regards, tom lane
Tom Lane wrote: > Bruce Momjian <pgman@candle.pha.pa.us> writes: > > Magnus Hagander wrote: > >> This is not correct. > >> The default is *not* "localhost". It's the "local host name". As in > >> what's returned by gethostname(). > > > Ah, local host name, not localhost. Poor wording. Text updated: > > > If not set, the default is the server hostname. See <xref > > linkend="kerberos-auth"> for details. This parameter can only be set at > > server start. > > The code patch also assumed that "localhost" is a valid way to describe > the default; you have to do something about that too. OK, I changed it to "server hostname". Is there a cleaner way to do it? I don't see us printing the server name anywhere in the our code. I don't see us calling gethostname() anywhere in our code. -- Bruce Momjian | http://candle.pha.pa.us pgman@candle.pha.pa.us | (610) 359-1001 + If your life is a hard drive, | 13 Roberts Road + Christ can be your backup. | Newtown Square, Pennsylvania 19073