| From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
|---|---|
| To: | Peter Eisentraut <peter_e(at)gmx(dot)net> |
| Cc: | PG Hackers <pgsql-hackers(at)postgresql(dot)org>, Magnus Hagander <magnus(at)hagander(dot)net> |
| Subject: | Re: Spurious Kerberos error messages |
| Date: | 2008-11-04 15:48:59 |
| Message-ID: | 18509.1225813739@sss.pgh.pa.us |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-hackers |
Peter Eisentraut <peter_e(at)gmx(dot)net> writes:
> Nothing has changed about when it fails, only the extra krb error
> message before the usual error messages (could not connect, server is
> starting up) are new. This probably has something to do with Magnus's
> work on concatenating rather than hiding error messages across multiple
> passes.
> I see this on Mac and Linux, so it should be reproducible with any
> Kerberos-enabled build.
Ah ... I had to try it on a machine *without* a credentials cache to
see something funny ;-)
What's happening is that pg_fe_getauthname -> pg_krb5_authname ->
pg_krb5_init fails and sets an error message in conn->errorMessage,
which we don't care about because we will get the username from
pqGetpwuid if Kerberos can't help us. But because of the concatenation
change, this gets added onto the (unrelated) later failure message.
I'm tempted to say that this code path simply shouldn't be setting
errorMessage at all. Alternatively we could have pg_fe_getauthname
clear out errorMessage upon successfully fetching a non-Kerberized
username ... but that would lose anything previously put into
errorMessage. (In which connection it seems like a bad thing that
pg_krb5_init uses printfPQExpBuffer rather than appendPQExpBuffer.)
Thoughts?
regards, tom lane
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Ron Mayer | 2008-11-04 15:50:09 | Re: Patch for SQL-Standard Interval output and decoupling DateStyle from IntervalStyle |
| Previous Message | Heikki Linnakangas | 2008-11-04 15:46:09 | Re: [WIP] In-place upgrade |