Greetings,

* Tom Lane (t...@sss.pgh.pa.us) wrote:
> Stephen Frost <sfr...@snowman.net> writes:
> > I suspected there would be an issue with OSX but hadn't expected an
> > issue with NetBSD. I had tested this across a few Linux platforms and
> > cfbot showed it wasn't causing issues on Windows or the platforms that
> > are run there. Would be really great to have a way to test these things
> > out on these other platforms other than just committing them and seeing
> > what happens on the buildfarm.
>
> I poked around a bit more and found that:
>
> * NetBSD's package collection[1] includes both Heimdal and MIT Kerberos
> (mit-krb5). Apparently what's installed on at least some of the buildfarm
> animals is the former.
>
> * FreeBSD seems to offer *only* Heimdal [2]; OpenBSD ditto [3].
>
> * I cannot find any sign of either gss_store_cred_into or gssapi_ext.h
> in FreeBSD's Heimdal (7.8.0_6).
>
> So it does not look like supporting Heimdal is going to be optional,
> and that means the credential delegation feature is going to have
> to be optional, or else we need to find some equivalent Heimdal APIs.
Thanks for doing that digging! I've been looking too and while Heimdal added gss_store_cred_into in their development branch 5 years ago[1] (!), it's not made it into an actual release. Good that they seem to at least be maintaining it enough to deal with CVEs, but unfortunately I'm fairly confident that there won't be a way to support constrained delegation (which is the next goal, once unconstrained delegation is in and working) on the Heimdal platforms. I suspected that would have to be optional anyway, but I hadn't expected it to hit all the BSD platforms.

In any case, for this I'm working on switching over to gss_store_cred(), which does seem to be available in the Heimdal Debian packages that I was able to install locally (looks to be 7.7.0) and should work just fine for these purposes, though it requires a bit more work on the libpq side as we need to tell libpq explicitly the name which was on the delegated credential when we call gss_acquire_cred(). Once that's done, should be able to drop the gssapi_ext.h include entirely and still have the test suite able to run with MIT Kerberos.

One thing I'm on the fence about is trying to make the test suite actually work with Heimdal. I'm planning to install the Heimdal KDC, et al, and see what happens, but if it ends up looking like it's a lot of work then I might forgo that effort. I'm not sure it's really necessary, but I could be argued out of that position without too much effort. The stated Heimdal goal is to be a re-implementation of MIT Kerberos and these are all documented APIs with RFCs, after all.

> I share your feeling that we could probably blow off Apple's built-in
> GSSAPI. MacPorts offers both Heimdal and kerberos5, and I imagine
> Homebrew has at least one of them, so Mac people could easily get
> hold of newer implementations. But the BSDen are going to be a
> problem.

Yeah. Unfortunate that Heimdal doesn't seem to really be moving forward in terms of new development.
Thanks,

Stephen

[1] https://github.com/heimdal/heimdal/commit/e0bb9c10cad0fd98245caecf8af8fca855b2df49