Thread: Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: "Magnus Hagander"
> Now, our code has been modified since his patch was applied, but we now have:
>
>     /*
>      * If no hostname was specified, pg_krb_server_hostname is already
>      * NULL. If it's set to blank, force it to NULL.
>      */
>     khostname = pg_krb_server_hostname;
>     if (khostname && khostname[0] == '\0')
>         khostname = NULL;
>
>     retval = krb5_sname_to_principal(pg_krb5_context,
>                                      khostname,
>                                      pg_krb_srvnam,
>                                      KRB5_NT_SRV_HST,
>                                      &pg_krb5_server);
>
> The basic effect is if the GUC krb_server_hostname is empty/NULL,
> krb5_sname_to_principal() gets called with a 2nd argument (hostname) of
> NULL.  The documentation for this function says for this argument:

Yup, that's correct; it's the new behaviour.


> http://publib.boulder.ibm.com/iseries/v5r1/ic2924/index.htm?info/apis/krb5list.htm
>
>     hostname  (Input)
>
>     The host containing the desired service instance. The local host is
>     used if NULL is specified for this parameter.
>
> Which says it doesn't accept any service entry in keytab, but
> rather binds the server hostname to 'localhost'.  I think
> this is why it wasn't working for Magnus.

No. This is how it is now, after Tom applied my patch. It now works just
fine for me.

Previously, we set pg_krb5_server to NULL, which is something completely
different than pg_krb_srvname=NULL (yes, they are named very closely,
but they are completely different things).  krb5_sname_to_principal()
was never called.

This is what wasn't working for me.

> I have applied the following patch which updates the
> documentation to reflect 'localhost', and improves the error
> message to always print the server name as well as the
> service name.  (We have had complaints about poor Kerberos
> error messages before.)

This is not correct.
The default is *not* "localhost". It's the "local host name". As in
what's returned by gethostname().

//Magnus
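To make the distinction in Magnus's reply concrete, here is an added example (not PostgreSQL code, and not part of the original thread) that models what the quoted snippet plus the krb5 documentation imply: an empty krb_server_hostname is normalised to NULL, and a NULL hostname means the local host name as returned by gethostname(), never the literal string "localhost". The helper names (normalize_krb_hostname, expected_server_principal, principal_names_match) and the "postgres" service name are assumptions for illustration; the realm suffix is left off because the library takes it from krb5.conf, and the real krb5_sname_to_principal() may additionally canonicalise the host name, which this model does not attempt.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper, not PostgreSQL code: mirror the GUC normalisation
 * quoted in the thread (an empty krb_server_hostname is treated as NULL). */
static const char *normalize_krb_hostname(const char *guc_value)
{
    if (guc_value != NULL && guc_value[0] == '\0')
        return NULL;
    return guc_value;
}

/* Build the "service/host" name that krb5_sname_to_principal() would be asked
 * to resolve, applying the documented rule that a NULL hostname means the
 * local host name (gethostname()), not "localhost".  Hypothetical helper.
 * Returns 0 on success, -1 if gethostname() fails or the buffer is too small. */
int expected_server_principal(const char *guc_hostname, const char *service,
                              char *out, size_t outlen)
{
    char hostbuf[256];
    const char *host = normalize_krb_hostname(guc_hostname);
    int n;

    if (host == NULL) {
        /* Default case: ask the OS for the local host name. */
        if (gethostname(hostbuf, sizeof hostbuf) != 0)
            return -1;
        hostbuf[sizeof hostbuf - 1] = '\0';   /* gethostname need not NUL-terminate on truncation */
        host = hostbuf;
    }
    n = snprintf(out, outlen, "%s/%s", service, host);
    if (n < 0 || (size_t) n >= outlen)
        return -1;
    return 0;
}

/* A keytab lookup is an exact principal comparison: "postgres/localhost" will
 * not match an entry for "postgres/db.example.com".  Hypothetical helper. */
int principal_names_match(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

int main(void)
{
    char p[320];
    /* Constructed sample GUC values: explicit host, empty string, unset. */
    const char *samples[] = { "db.example.com", "", NULL };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (expected_server_principal(samples[i], "postgres", p, sizeof p) == 0)
            printf("krb_server_hostname=%s -> %s\n",
                   samples[i] ? samples[i] : "(unset)", p);
    }
    return 0;
}
```

Run on a host named db.example.com, the empty and unset cases both yield postgres/db.example.com, which is the principal whose key must be present in the server keytab; documenting the default as "localhost" would send an administrator looking for the wrong entry.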

Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: Bruce Momjian
Magnus Hagander wrote:
> Previously, we set pg_krb5_server to NULL, which is something completely
> different than pg_krb_srvname=NULL (yes, they are named very closely,
> but they are completely different things).  krb5_sname_to_principal()
> was never called.
>
> This is what wasn't working for me.
>
> > I have applied the following patch which updates the
> > documentation to reflect 'localhost', and improves the error
> > message to always print the server name as well as the
> > service name.  (We have had complaints about poor Kerberos
> > error messages before.)
>
> This is not correct.
> The default is *not* "localhost". It's the "local host name". As in
> what's returned by gethostname().

Ah, local host name, not localhost.  Poor wording.  Text updated:

    If not set, the default is the server hostname.  See <xref
    linkend="kerberos-auth"> for details.  This parameter can only be set at
    server start.

--
  Bruce Momjian                        |  http://candle.pha.pa.us
  pgman@candle.pha.pa.us               |  (610) 359-1001
  +  If your life is a hard drive,     |  13 Roberts Road
  +  Christ can be your backup.        |  Newtown Square, Pennsylvania 19073

Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: Tom Lane
Bruce Momjian <pgman@candle.pha.pa.us> writes:
> Magnus Hagander wrote:
>> This is not correct.
>> The default is *not* "localhost". It's the "local host name". As in
>> what's returned by gethostname().

> Ah, local host name, not localhost.  Poor wording.  Text updated:

>     If not set, the default is the server hostname.  See <xref
>     linkend="kerberos-auth"> for details.  This parameter can only be set at
>     server start.

The code patch also assumed that "localhost" is a valid way to describe
the default; you have to do something about that too.

            regards, tom lane

Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2

From: Bruce Momjian
Tom Lane wrote:
> Bruce Momjian <pgman@candle.pha.pa.us> writes:
> > Magnus Hagander wrote:
> >> This is not correct.
> >> The default is *not* "localhost". It's the "local host name". As in
> >> what's returned by gethostname().
>
> > Ah, local host name, not localhost.  Poor wording.  Text updated:
>
> >     If not set, the default is the server hostname.  See <xref
> >     linkend="kerberos-auth"> for details.  This parameter can only be set at
> >     server start.
>
> The code patch also assumed that "localhost" is a valid way to describe
> the default; you have to do something about that too.

OK, I changed it to "server hostname".  Is there a cleaner way to do it?
I don't see us printing the server name anywhere in our code.  I
don't see us calling gethostname() anywhere in our code.
