Re: Kerberos test suite

On Tue, Mar 06, 2018 at 10:58:54AM -0500, Peter Eisentraut wrote:
> On 3/5/18 16:34, Thomas Munro wrote:
> > On Tue, Mar 6, 2018 at 8:45 AM, Peter Eisentraut
> > <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> >> New patch attached.
> >
> > Passes here. LGTM.
>
> committed

This fails on my machine, where /etc/hosts has:

127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6

This is CentOS 7, but I may have written that myself. First failure:

psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "test1", database "postgres", SSL off
not ok 3 - succeeds with mapping

Bypassing that, by recognizing localhost.localdomain in pg_hba.conf, unearths:

psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
GSSAPI continuation error: Server krbtgt/LOCALDOMAIN(at)EXAMPLE(dot)COM not found in Kerberos database
not ok 3 - succeeds with mapping

On the client side, Kerberos is canonicalizing "localhost" to
"localhost.localdomain" as part of constructing the service principal.
"$service_principal = "$ENV{with_krb_srvnam}/localhost.localdomain" was a
quick workaround. For the long-term fix, let's use hostaddr= and a fictitious
host=, as attached. This makes us independent of local name resolution and
IPv6 configuration, and it's more like how PostgresNode operates on systems
that use TCP instead of unix_socket_directories (Windows). I considered
adding dns_canonicalize_hostname to $krb5_config, but that is new as of
krb5-1.12 and does not help the pg_hba.conf side of the problem.