From: | Noah Misch <noah(at)leadboat(dot)com> |
---|---|
To: | Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com> |
Cc: | Thomas Munro <thomas(dot)munro(at)enterprisedb(dot)com>, Michael Paquier <michael(at)paquier(dot)xyz>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org> |
Subject: | Re: Kerberos test suite |
Date: | 2018-08-01 05:09:03 |
Message-ID: | 20180801050903.GA1392916@rfd.leadboat.com |
Lists: | pgsql-hackers |

On Tue, Mar 06, 2018 at 10:58:54AM -0500, Peter Eisentraut wrote:
> On 3/5/18 16:34, Thomas Munro wrote:
> > On Tue, Mar 6, 2018 at 8:45 AM, Peter Eisentraut
> > <peter(dot)eisentraut(at)2ndquadrant(dot)com> wrote:
> >> New patch attached.
> >
> > Passes here. LGTM.
>
> committed

This fails on my machine, where /etc/hosts has:

    127.0.0.1 localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6

This is CentOS 7, but I may have written that myself. First failure:

    psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "test1", database "postgres", SSL off
    not ok 3 - succeeds with mapping

Bypassing that, by recognizing localhost.localdomain in pg_hba.conf, unearths:

    psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
    GSSAPI continuation error: Server krbtgt/LOCALDOMAIN@EXAMPLE.COM not found in Kerberos database
    not ok 3 - succeeds with mapping

On the client side, Kerberos is canonicalizing "localhost" to
"localhost.localdomain" as part of constructing the service principal.
"$service_principal = "$ENV{with_krb_srvnam}/localhost.localdomain" was a
quick workaround. For the long-term fix, let's use hostaddr= and a fictitious
host=, as attached. This makes us independent of local name resolution and
IPv6 configuration, and it's more like how PostgresNode operates on systems
that use TCP instead of unix_socket_directories (Windows). I considered
adding dns_canonicalize_hostname to $krb5_config, but that is new as of
krb5-1.12 and does not help the pg_hba.conf side of the problem.

Attachment | Content-Type | Size |
---|---|---|
kerberos-test-localhost-v1.patch | text/plain | 2.5 KB |
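
The failure mode and the hostaddr=/host= fix described in the message above, modelled as an added Python example (not code from the attached patch, PostgreSQL or krb5). The hosts-file lines and realm are those quoted in the message; the service name `postgres` and the fictitious host name `pg-krb-test.example.com` are assumptions.

```python
# Added illustration: models hosts-file canonicalization to show why
# "localhost" broke both the pg_hba.conf match and the service principal.

HOSTS = """\
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
"""  # the two /etc/hosts lines quoted in the message

REALM = "EXAMPLE.COM"                        # realm seen in the error output
SERVICE = "postgres"                         # assumed with_krb_srvnam value
FICTITIOUS_HOST = "pg-krb-test.example.com"  # hypothetical name, never resolved


def parse_hosts(text):
    """Return [(address, [names...])]; the first name on a line is canonical."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1:]))
    return entries


def canonical_name(name, entries):
    """Forward lookup with canonicalization: any alias maps to the first name."""
    for _addr, names in entries:
        if name in names:
            return names[0]
    return name  # not in the hosts file: the name is used as given


def reverse_name(addr, entries):
    """Reverse lookup: an address maps to the first name on its line."""
    for entry_addr, names in entries:
        if entry_addr == addr:
            return names[0]
    return None


def service_principal(host, entries):
    """Principal the client asks the KDC for when connecting to `host`."""
    return f"{SERVICE}/{canonical_name(host, entries)}@{REALM}"


def hba_hostname_matches(rule_host, client_addr, entries):
    """Simplified hostname-rule check: compare the reverse-resolved name only."""
    return reverse_name(client_addr, entries) == rule_host
```

With the connection address pinned by hostaddr=127.0.0.1, the name in host= only feeds the principal, so a name absent from the hosts file yields the same principal on every machine.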