Thread: PostgreSQL and Kerberos 5 on Solaris
Prior to Solaris 11 (Nevada), the full Kerberos 5 API was never exposed (only the gss interface), so building PostgreSQL with the "--with-krb5" option is a problem. In Nevada, Sun has exposed the full MIT Kerberos 5 API (v1.4.0). So building PostgreSQL with Kerberos should be possible/easy. If I try to build 8.1.4 though, it fails with the following error: $ ./configure --with-krb5 --without-readline checking build system type... sparc-sun-solaris2.11 checking host system type... sparc-sun-solaris2.11 ... snip ... checking for library containing com_err... -lkrb5 checking for library containing krb5_encrypt... no configure: error: could not find function 'krb5_encrypt' required for Kerberos 5 This is because in krb5 v1.4.0, the krb5_encrypt() function is deprecated/removed, so doesn't exist anywhere in the Solaris libraries. It is replaced by krb5_c_encrypt() (I think this change occurred sometime between krb5 v1.2.1 and v1.4.0) But looking more closely at the PostgreSQL 8.1.4 code, I see that it never even uses the krb5_encrypt() function anyway! So although it's presence might be a useful method for detecting the presence of Kerberos 5 (pre v1.4.0), it seems unnecessary for the successful operation of PostgreSQL. By simply removing the check for krb5_encrypt() from the configure script, I can successfully build PostgreSQL with krb5 on Nevada. Does anyone know why the check for krb5_encrypt() exists in configure when the code doesn't use it? And would absence of a good reason indicate this is a bug (and the check should be removed)? Regards, Jim
James Gates <James.Gates@Sun.COM> writes:
> Does anyone know why the check for krb5_encrypt() exists in configure
> when the code doesn't use it?
At the time it was chosen, it was probably a reasonable choice of
function to probe for to make sure Kerberos libraries are present.
Do you have a better suggestion?
regards, tom lane
Never saw a followup on this. I'd suggest krb5_init_context() since it's the first thing any Kerberos app needs to do, and the returned context value is used on 99% of all other calls. That's assuming that there aren't other kerberos checks that make it unnecessary of course. On Jul 2, 2006, at 8:39 PM, Tom Lane wrote: > James Gates <James.Gates@Sun.COM> writes: >> Does anyone know why the check for krb5_encrypt() exists in configure >> when the code doesn't use it? > > At the time it was chosen, it was probably a reasonable choice of > function to probe for to make sure Kerberos libraries are present. > Do you have a better suggestion? > > regards, tom lane ------------------------------------------------------------------------ ---- The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government. Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu
I cannot find krb5_encrypt() referenced anywhere in configure, or anywhere else in CVS HEAD, nor in any of the back branches. --------------------------------------------------------------------------- Henry B. Hotz wrote: > Never saw a followup on this. > > I'd suggest krb5_init_context() since it's the first thing any > Kerberos app needs to do, and the returned context value is used on > 99% of all other calls. That's assuming that there aren't other > kerberos checks that make it unnecessary of course. > > On Jul 2, 2006, at 8:39 PM, Tom Lane wrote: > > > James Gates <James.Gates@Sun.COM> writes: > >> Does anyone know why the check for krb5_encrypt() exists in configure > >> when the code doesn't use it? > > > > At the time it was chosen, it was probably a reasonable choice of > > function to probe for to make sure Kerberos libraries are present. > > Do you have a better suggestion? > > > > regards, tom lane > > ------------------------------------------------------------------------ > ---- > The opinions expressed in this message are mine, > not those of Caltech, JPL, NASA, or the US Government. > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu > > > > ---------------------------(end of broadcast)--------------------------- > TIP 3: Have you checked our extensive FAQ? > > http://www.postgresql.org/docs/faq -- Bruce Momjian bruce@momjian.us EnterpriseDB http://www.enterprisedb.com + If your life is a hard drive, Christ can be your backup. +
That's because Tom applied a patch for this already: http://archives.postgresql.org/pgsql-committers/2006-07/msg00080.php //Magnus > -----Original Message----- > From: pgsql-ports-owner@postgresql.org [mailto:pgsql-ports- > owner@postgresql.org] On Behalf Of Bruce Momjian > Sent: Thursday, October 05, 2006 5:20 AM > To: Henry B. Hotz > Cc: Tom Lane; James.Gates@Sun.COM; pgsql-ports@postgresql.org > Subject: Re: [PORTS] PostgreSQL and Kerberos 5 on Solaris > > > I cannot find krb5_encrypt() referenced anywhere in configure, or > anywhere else in CVS HEAD, nor in any of the back branches. > > ------------------------------------------------------------------- > -------- > > Henry B. Hotz wrote: > > Never saw a followup on this. > > > > I'd suggest krb5_init_context() since it's the first thing any > > Kerberos app needs to do, and the returned context value is used > on > > 99% of all other calls. That's assuming that there aren't other > > kerberos checks that make it unnecessary of course. > > > > On Jul 2, 2006, at 8:39 PM, Tom Lane wrote: > > > > > James Gates <James.Gates@Sun.COM> writes: > > >> Does anyone know why the check for krb5_encrypt() exists in > > >> configure when the code doesn't use it? > > > > > > At the time it was chosen, it was probably a reasonable choice > of > > > function to probe for to make sure Kerberos libraries are > present. > > > Do you have a better suggestion? > > > > > > regards, tom lane > > > > ----------------------------------------------------------------- > ----- > > -- > > ---- > > The opinions expressed in this message are mine, not those of > Caltech, > > JPL, NASA, or the US Government. > > Henry.B.Hotz@jpl.nasa.gov, or hbhotz@oxy.edu > > > > > > > > ---------------------------(end of > > broadcast)--------------------------- > > TIP 3: Have you checked our extensive FAQ? > > > > http://www.postgresql.org/docs/faq > > -- > Bruce Momjian bruce@momjian.us > EnterpriseDB http://www.enterprisedb.com > > + If your life is a hard drive, Christ can be your backup. + > > ---------------------------(end of broadcast)---------------------- > ----- > TIP 4: Have you searched our list archives? > > http://archives.postgresql.org