Re: [PATCH v20] GSSAPI encryption support

Greetings,

* Peter Eisentraut (peter(dot)eisentraut(at)2ndquadrant(dot)com) wrote:
> On 2019-04-05 04:59, Stephen Frost wrote:
> > Alright, that over-size error was a bug in the error-handling code,
> > which I've just pushed a fix for. That said...
>
> Yes, that looks better now.

Great.

> > This looks like it's a real issue and it's unclear what's going on here.
> > I wonder- are you certain that you're using all the same Kerberos
> > libraries for the KDC, the server, and psql?
>
> Right, it was built against the OS-provided Kerberos installation
> (/usr/bin etc.). If I build against the Homebrew-provided one then the
> tests pass.

All of it was built against the OS-provided Kerberos install, and you
got the failure..?

> So maybe that means that this encryption feature is not supported on
> that (presumably older) installation? (krb5-config --version says
> "Kerberos 5 release 1.7-prerelease") Is that plausible? Is a gentler
> failure mode possible?

On a failure to set up an encrypted connection, we'll actually fall back
to a non-encrypted one, using GSSAPI *just* for authentication, which is
why I was asking if this worked before the encryption patch went in.
Also, which of the tests are still failing, exactly? The authentication
ones or the encryption ones or both?

If we determine that this is some issue with the MacOS-provided Kerberos
libraries, then we could try to detect them and disable GSSAPI
encryption in that case explicitly, I suppose, but I've seen odd things
with the MacOS-provided Kerberos libraries before on released versions
of PG (without any encryption support), so I'm not yet convinced that
this is an issue that's specific to adding support for encryption.

Thanks!

Stephen