Re: [PATCH v20] GSSAPI encryption support

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Peter Eisentraut <peter(dot)eisentraut(at)2ndquadrant(dot)com>
Cc: Magnus Hagander <magnus(at)hagander(dot)net>, Joe Conway <mail(at)joeconway(dot)com>, Alvaro Herrera <alvherre(at)2ndquadrant(dot)com>, David Steele <david(at)pgmasters(dot)net>, Michael Paquier <michael(at)paquier(dot)xyz>, Nico Williams <nico(at)cryptonector(dot)com>, Robbie Harwood <rharwood(at)redhat(dot)com>, PostgreSQL-development <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: [PATCH v20] GSSAPI encryption support
Date: 2019-04-05 02:59:25
Message-ID: 20190405025925.GN6197@tamriel.snowman.net
Lists: pgsql-hackers

Greetings,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> Kerberos tests are now failing for me (macOS). I'm seeing
>
> psql: error: could not connect to server: Over-size error packet sent by
> the server.
> not ok 3 - GSS encryption without auth
>
> # Failed test 'GSS encryption without auth'
> # at t/002_enc.pl line 170.
> # got: '2'
> # expected: '0'
>
> (and repeated for several other tests).

Alright, that over-size error was a bug in the error-handling code,
which I've just pushed a fix for. That said...

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 2019-04-04 17:35, Stephen Frost wrote:
> > Ok, it looks like there's a server-side error happening here, and it
> > would be good to see what that is, so can you send the server logs?
>
> These errors appear several times in the server logs:
>
> FATAL: GSSAPI context error
> DETAIL: Miscellaneous failure (see text): Decrypt integrity check
> failed for checksum type hmac-sha1-96-aes256, key type
> aes256-cts-hmac-sha1-96
>
> FATAL: accepting GSS security context failed
> DETAIL: Miscellaneous failure (see text): Decrypt integrity check
> failed for checksum type hmac-sha1-96-aes256, key type
> aes256-cts-hmac-sha1-96

This looks like it's a real issue and it's unclear what's going on here.
I wonder- are you certain that you're using all the same Kerberos
libraries for the KDC, the server, and psql?

If you go back to before the GSSAPI encryption patch, does it work..?

I've certainly seen interesting issues on macOS, in particular, due to
different Kerberos libraries/tools being installed and I wonder if
that's what is going on here. Maybe you could check klist vs. psql wrt
what libraries are linked in?

Thanks,

Stephen
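
The library check suggested in the message above, as an added example that is not part of the original email or of PostgreSQL's code: it extracts the Kerberos/GSSAPI libraries from `otool -L` (macOS) or `ldd` output and compares the directories they are loaded from. The function names and the sample listings are constructed for illustration, and matching on install directory is a heuristic assumption.

```shell
#!/bin/sh
# Print the dynamic-library listing for a binary: otool -L on macOS, ldd elsewhere.
list_libs() {
    if command -v otool >/dev/null 2>&1; then otool -L "$1"; else ldd "$1"; fi
}

# Filter a listing on stdin down to the Kerberos/GSSAPI library paths.
krb_libs() {
    grep -v ':$' |                           # drop otool's "<binary>:" header line
    grep -Ei 'gss|krb5|kerberos|heimdal' |   # keep Kerberos-related libraries only
    sed -E 's/^[[:space:]]+//; s/^.*=> //; s/ \(.*$//' |  # leave just the path
    sort -u
}

# Reduce the Kerberos library paths found on stdin to their install directories.
krb_dirs() { krb_libs | sed -E 's|/[^/]*$||' | sort -u; }

# Succeed only if both directory lists are non-empty and identical.
same_krb_install() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# Real use: compare_binaries "$(command -v klist)" "$(command -v psql)"
compare_binaries() {
    same_krb_install "$(list_libs "$1" | krb_dirs)" "$(list_libs "$2" | krb_dirs)"
}

# Constructed sample listings in otool -L format (not taken from the thread).
sample_klist() { cat <<'EOF'
/usr/bin/klist:
    /System/Library/Frameworks/Kerberos.framework/Versions/A/Kerberos (compatibility version 5.0.0, current version 6.0.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
EOF
}
sample_psql() { cat <<'EOF'
/usr/local/bin/psql:
    /usr/local/opt/krb5/lib/libgssapi_krb5.2.2.dylib (compatibility version 2.0.0, current version 2.2.0)
    /usr/local/lib/libpq.5.dylib (compatibility version 5.0.0, current version 5.12.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
EOF
}
```

`otool -L` lists only direct dependencies, so the libpq library that psql loads should be checked the same way as psql itself.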
