Re: PostgreSQL and Kerberos 5 on Solaris

Prior to Solaris 11 (Nevada), the full Kerberos 5 API was never exposed
(only the gss interface), so building PostgreSQL with the "--with-krb5"
option is a problem.

In Nevada, Sun has exposed the full MIT Kerberos 5 API (v1.4.0). So
building PostgreSQL with Kerberos should be possible/easy. If I try to
build 8.1.4 though, it fails with the following error:

$ ./configure --with-krb5 --without-readline
checking build system type... sparc-sun-solaris2.11
checking host system type... sparc-sun-solaris2.11
... snip ...
checking for library containing com_err... -lkrb5
checking for library containing krb5_encrypt... no
configure: error: could not find function 'krb5_encrypt' required for
Kerberos 5

This is because in krb5 v1.4.0, the krb5_encrypt() function is
deprecated/removed, so doesn't exist anywhere in the Solaris libraries.
It is replaced by krb5_c_encrypt() (I think this change occurred
sometime between krb5 v1.2.1 and v1.4.0)

But looking more closely at the PostgreSQL 8.1.4 code, I see that it
never even uses the krb5_encrypt() function anyway! So although it's
presence might be a useful method for detecting the presence of Kerberos
5 (pre v1.4.0), it seems unnecessary for the successful operation of
PostgreSQL.

By simply removing the check for krb5_encrypt() from the configure
script, I can successfully build PostgreSQL with krb5 on Nevada.

Does anyone know why the check for krb5_encrypt() exists in configure
when the code doesn't use it? And would absence of a good reason
indicate this is a bug (and the check should be removed)?

Regards,

Jim

James Gates <James(dot)Gates(at)Sun(dot)COM> writes:
> Does anyone know why the check for krb5_encrypt() exists in configure
> when the code doesn't use it?

At the time it was chosen, it was probably a reasonable choice of
function to probe for to make sure Kerberos libraries are present.
Do you have a better suggestion?

regards, tom lane

Never saw a followup on this.

I'd suggest krb5_init_context() since it's the first thing any
Kerberos app needs to do, and the returned context value is used on
99% of all other calls. That's assuming that there aren't other
kerberos checks that make it unnecessary of course.

On Jul 2, 2006, at 8:39 PM, Tom Lane wrote:

> James Gates <James(dot)Gates(at)Sun(dot)COM> writes:
>> Does anyone know why the check for krb5_encrypt() exists in configure
>> when the code doesn't use it?
>
> At the time it was chosen, it was probably a reasonable choice of
> function to probe for to make sure Kerberos libraries are present.
> Do you have a better suggestion?
>
> regards, tom lane

------------------------------------------------------------------------
----
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu

I cannot find krb5_encrypt() referenced anywhere in configure, or
anywhere else in CVS HEAD, nor in any of the back branches.

---------------------------------------------------------------------------

Henry B. Hotz wrote:
> Never saw a followup on this.
>
> I'd suggest krb5_init_context() since it's the first thing any
> Kerberos app needs to do, and the returned context value is used on
> 99% of all other calls. That's assuming that there aren't other
> kerberos checks that make it unnecessary of course.
>
> On Jul 2, 2006, at 8:39 PM, Tom Lane wrote:
>
> > James Gates <James(dot)Gates(at)Sun(dot)COM> writes:
> >> Does anyone know why the check for krb5_encrypt() exists in configure
> >> when the code doesn't use it?
> >
> > At the time it was chosen, it was probably a reasonable choice of
> > function to probe for to make sure Kerberos libraries are present.
> > Do you have a better suggestion?
> >
> > regards, tom lane
>
> ------------------------------------------------------------------------
> ----
> The opinions expressed in this message are mine,
> not those of Caltech, JPL, NASA, or the US Government.
> Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 3: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/docs/faq

--
Bruce Momjian bruce(at)momjian(dot)us
EnterpriseDB http://www.enterprisedb.com

+ If your life is a hard drive, Christ can be your backup. +

That's because Tom applied a patch for this already:
http://archives.postgresql.org/pgsql-committers/2006-07/msg00080.php

//Magnus

> -----Original Message-----
> From: pgsql-ports-owner(at)postgresql(dot)org [mailto:pgsql-ports-
> owner(at)postgresql(dot)org] On Behalf Of Bruce Momjian
> Sent: Thursday, October 05, 2006 5:20 AM
> To: Henry B. Hotz
> Cc: Tom Lane; James(dot)Gates(at)Sun(dot)COM; pgsql-ports(at)postgresql(dot)org
> Subject: Re: [PORTS] PostgreSQL and Kerberos 5 on Solaris
>
>
> I cannot find krb5_encrypt() referenced anywhere in configure, or
> anywhere else in CVS HEAD, nor in any of the back branches.
>
> -------------------------------------------------------------------
> --------
>
> Henry B. Hotz wrote:
> > Never saw a followup on this.
> >
> > I'd suggest krb5_init_context() since it's the first thing any
> > Kerberos app needs to do, and the returned context value is used
> on
> > 99% of all other calls. That's assuming that there aren't other
> > kerberos checks that make it unnecessary of course.
> >
> > On Jul 2, 2006, at 8:39 PM, Tom Lane wrote:
> >
> > > James Gates <James(dot)Gates(at)Sun(dot)COM> writes:
> > >> Does anyone know why the check for krb5_encrypt() exists in
> > >> configure when the code doesn't use it?
> > >
> > > At the time it was chosen, it was probably a reasonable choice
> of
> > > function to probe for to make sure Kerberos libraries are
> present.
> > > Do you have a better suggestion?
> > >
> > > regards, tom lane
> >
> > -----------------------------------------------------------------
> -----
> > --
> > ----
> > The opinions expressed in this message are mine, not those of
> Caltech,
> > JPL, NASA, or the US Government.
> > Henry(dot)B(dot)Hotz(at)jpl(dot)nasa(dot)gov, or hbhotz(at)oxy(dot)edu
> >
> >
> >
> > ---------------------------(end of
> > broadcast)---------------------------
> > TIP 3: Have you checked our extensive FAQ?
> >
> > http://www.postgresql.org/docs/faq
>
> --
> Bruce Momjian bruce(at)momjian(dot)us
> EnterpriseDB http://www.enterprisedb.com
>
> + If your life is a hard drive, Christ can be your backup. +
>
> ---------------------------(end of broadcast)----------------------
> -----
> TIP 4: Have you searched our list archives?
>
> http://archives.postgresql.org