Lists: | pgsql-hackers pgsql-patches |
---|
From: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
---|---|
To: | "Tom Lane" <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | <pgsql-hackers(at)postgresql(dot)org>, "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 |
Date: | 2005-10-08 15:09:36 |
Message-ID: | 6BCB9D8A16AC4241919521715F4D8BCE92E70F@algol.sollentuna.se |
Lists: | pgsql-hackers pgsql-patches |
> The point is I'm having a hard time seeing what the actual
> gain is in not changing it back. If the principal name
> mismatches, we're going to get rejected anyway, so it's not
> really a problem there. Even though the gain in changing it
> back isn't all that big either, why should we introduce
> a backwards-incompatibility if there is no real gain in a
> different part of the code.
Here's a patch that fixes the big problem and reverts the behaviour of
appl_version to be compatible with 8.0. It's easy enough to isolate the
changes that are around the appl_version - one line in
backend/libpq/auth.c call to krb5_recvauth and one in
interfaces/libpq/fe-auth.c call to krb5_sendauth.
The call in backend/libpq/auth.c to krb5_sname_to_principal in 8.1beta2
was completely broken for a scenario where you *didn't* use virtual
hosts, by setting pg_krb5_server to NULL... The call is needed there as
well.
//Magnus
Attachment | Content-Type | Size |
---|---|---|
krb5fix.patch | application/octet-stream | 3.2 KB |
From: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
---|---|
To: | "Magnus Hagander" <mha(at)sollentuna(dot)net> |
Cc: | "PostgreSQL-patches" <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 |
Date: | 2005-10-08 19:36:01 |
Message-ID: | 29966.1128800161@sss.pgh.pa.us |
Lists: | pgsql-hackers pgsql-patches |
"Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> Here's a patch that fixes the big problem and reverts the behaviour of
> appl_version to be compatible with 8.0.
Applied with trivial stylistic cleanups.
BTW, the documentation seems a bit broken:
krb_server_hostname (string)
Sets the hostname part of the service principal. This, combined
with krb_srvname, is used to generate the complete service
principal, i.e. krb_server_hostname/krb_server_hostname@REALM.
I suppose one of those last two should be "krb_srvname", but which?
regards, tom lane
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Magnus Hagander <mha(at)sollentuna(dot)net>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 |
Date: | 2005-10-13 17:04:28 |
Message-ID: | 200510131704.j9DH4Sx11363@candle.pha.pa.us |
Lists: | pgsql-hackers pgsql-patches |
I need a comment on this.
---------------------------------------------------------------------------
Tom Lane wrote:
> "Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> > Here's a patch that fixes the big problem and reverts the behaviour of
> > appl_version to be compatible with 8.0.
>
> Applied with trivial stylistic cleanups.
>
> BTW, the documentation seems a bit broken:
>
> krb_server_hostname (string)
>
> Sets the hostname part of the service principal. This, combined
> with krb_srvname, is used to generate the complete service
> principal, i.e. krb_server_hostname/krb_server_hostname@REALM.
>
> I suppose one of those last two should be "krb_srvname", but which?
>
> regards, tom lane
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
From: | Bruce Momjian <pgman(at)candle(dot)pha(dot)pa(dot)us> |
---|---|
To: | Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us> |
Cc: | Magnus Hagander <mha(at)sollentuna(dot)net>, PostgreSQL-patches <pgsql-patches(at)postgresql(dot)org> |
Subject: | Re: [HACKERS] Kerberos brokenness and oops question in 8.1beta2 |
Date: | 2005-10-13 21:14:55 |
Message-ID: | 200510132114.j9DLEto02422@candle.pha.pa.us |
Lists: | pgsql-hackers pgsql-patches |
This has been fixed in current CVS:
<varname>krb_srvname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
---------------------------------------------------------------------------
Tom Lane wrote:
> "Magnus Hagander" <mha(at)sollentuna(dot)net> writes:
> > Here's a patch that fixes the big problem and reverts the behaviour of
> > appl_version to be compatible with 8.0.
>
> Applied with trivial stylistic cleanups.
>
> BTW, the documentation seems a bit broken:
>
> krb_server_hostname (string)
>
> Sets the hostname part of the service principal. This, combined
> with krb_srvname, is used to generate the complete service
> principal, i.e. krb_server_hostname/krb_server_hostname@REALM.
>
> I suppose one of those last two should be "krb_srvname", but which?
>
> regards, tom lane
--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 359-1001
+ If your life is a hard drive, | 13 Roberts Road
+ Christ can be your backup. | Newtown Square, Pennsylvania 19073
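
As an added illustration (not code from the patch or from PostgreSQL), the C sketch below builds the service principal in the corrected form krb_srvname/krb_server_hostname@REALM, falling back to the local host name when no hostname is configured (the case the thread says 8.1beta2 broke), and checks that a keytab listing contains it. The function names, the sample listing in plain `klist -k` layout and the example.com names are constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Constructed sample in plain `klist -k` layout (not from the thread). */
static const char SAMPLE_KEYTAB[] =
    "KVNO Principal\n"
    "   3 postgres/db1.example.com@EXAMPLE.COM\n";

/* Build krb_srvname/krb_server_hostname@REALM; host == NULL means "unset": use the
 * local host name. Host part is lower-cased; DNS canonicalisation is not reproduced. */
int build_service_principal(const char *srv, const char *host,
                            const char *realm, char *out, size_t outlen)
{
    char local[256];
    size_t i, start = strlen(srv) + 1;
    if (host == NULL) {
        if (gethostname(local, sizeof local) != 0) return -1;
        local[sizeof local - 1] = '\0'; host = local;
    }
    int n = snprintf(out, outlen, "%s/%s@%s", srv, host, realm);
    if (n < 0 || (size_t) n >= outlen) return -1;   /* refuse truncated names */
    for (i = start; i < start + strlen(host); i++)
        out[i] = (char) tolower((unsigned char) out[i]);
    return 0;
}

/* Return 1 if some line's last field is exactly `principal`. */
int keytab_lists_principal(const char *listing, const char *principal)
{
    size_t plen = strlen(principal);
    for (const char *line = listing; *line; ) {
        size_t len = strcspn(line, "\n");
        const char *end = line + len, *p;
        while (end > line && isspace((unsigned char) end[-1])) end--;
        for (p = end; p > line && !isspace((unsigned char) p[-1]); p--) ;
        if ((size_t) (end - p) == plen && memcmp(p, principal, plen) == 0) return 1;
        line += len + (line[len] == '\n');
    }
    return 0;
}

int main(void)
{
    char name[512];
    if (build_service_principal("postgres", NULL, "EXAMPLE.COM", name, sizeof name) == 0)
        printf("%s in keytab: %d\n", name, keytab_lists_principal(SAMPLE_KEYTAB, name));
    return 0;
}
```

A principal that the server derives but the keytab lacks is the mismatch case the thread describes as being rejected anyway.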