On Tue, Mar 06, 2018 at 10:58:54AM -0500, Peter Eisentraut wrote:
> On 3/5/18 16:34, Thomas Munro wrote:
> > On Tue, Mar 6, 2018 at 8:45 AM, Peter Eisentraut
> > <peter.eisentr...@2ndquadrant.com> wrote:
> >> New patch attached.
> > 
> > Passes here.  LGTM.
> 
> committed

This fails on my machine, where /etc/hosts has:

  127.0.0.1             localhost.localdomain localhost
  ::1           localhost6.localdomain6 localhost6

This is CentOS 7, but I may have written that myself.  First failure:

  psql: FATAL:  no pg_hba.conf entry for host "127.0.0.1", user "test1", 
database "postgres", SSL off
  not ok 3 - succeeds with mapping

Bypassing that, by recognizing localhost.localdomain in pg_hba.conf, unearths:

  psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may 
provide more information
  GSSAPI continuation error: Server krbtgt/localdom...@example.com not found in 
Kerberos database
  not ok 3 - succeeds with mapping

On the client side, Kerberos is canonicalizing "localhost" to
"localhost.localdomain" as part of constructing the service principal.
Setting $service_principal = "$ENV{with_krb_srvnam}/localhost.localdomain" was a
quick workaround.  For the long-term fix, let's use hostaddr= and a fictitious
host=, as attached.  This makes us independent of local name resolution and
IPv6 configuration, and it's more like how PostgresNode operates on systems
that use TCP instead of unix_socket_directories (Windows).  I considered
adding dns_canonicalize_hostname to $krb5_config, but that is new as of
krb5-1.12 and does not help the pg_hba.conf side of the problem.
diff --git a/src/test/kerberos/t/001_auth.pl b/src/test/kerberos/t/001_auth.pl
index 54f5647..1be89ae 100644
--- a/src/test/kerberos/t/001_auth.pl
+++ b/src/test/kerberos/t/001_auth.pl
@@ -48,6 +48,8 @@ if ($krb5_sbin_dir && -d $krb5_sbin_dir)
        $krb5kdc      = $krb5_sbin_dir . '/' . $krb5kdc;
 }
 
+my $host     = 'auth-test-localhost.postgresql.example.com';
+my $hostaddr = '127.0.0.1';
 my $realm = 'EXAMPLE.COM';
 
 my $krb5_conf   = "${TestLib::tmp_check}/krb5.conf";
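Review bot: The two new variables carry the reason for the whole change but nothing in the file says why a fictitious host name is paired with a literal loopback address, so a later reader is likely to "simplify" `$host` back to localhost and reintroduce the canonicalization failure. Add above `my $host` a comment along the lines of `# Fixed loopback address plus a fictitious host name: hostaddr= is what libpq actually connects to and host= only names the Kerberos service principal, so the test no longer depends on /etc/hosts, IPv6 ordering or krb5 canonicalizing "localhost".` The same reasoning is in the commit message, but it belongs next to the declarations where the values are changed.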
@@ -80,7 +82,7 @@ default_realm = $realm
 
 [realms]
 $realm = {
-    kdc = localhost:$kdc_port
+    kdc = $hostaddr:$kdc_port
 }!);
 
 append_to_file(
@@ -94,8 +96,8 @@ if ($krb5_version >= 1.15)
 {
        append_to_file(
                $kdc_conf,
-               qq!kdc_listen = localhost:$kdc_port
-kdc_tcp_listen = localhost:$kdc_port
+               qq!kdc_listen = $hostaddr:$kdc_port
+kdc_tcp_listen = $hostaddr:$kdc_port
 !);
 }
 else
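Review bot: Only the krb5 >= 1.15 branch is switched to `$hostaddr`; the `else` branch begins on the last line of the hunk and its body is outside it. If that branch still derives its listen address from `localhost`, the `kdc = $hostaddr:$kdc_port` setting from the previous hunk could point at 127.0.0.1 while the KDC binds to whatever `localhost` resolves to first, which on an IPv6-first host is `::1`. Worth confirming the older branch was checked as well, or adding a one-line comment there stating why it needs no change (for example if it binds to all interfaces).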
@@ -122,7 +124,7 @@ mkdir $kdc_datadir or die;
 $ENV{'KRB5_CONFIG'}      = $krb5_conf;
 $ENV{'KRB5_KDC_PROFILE'} = $kdc_conf;
 
-my $service_principal = "$ENV{with_krb_srvnam}/localhost";
+my $service_principal = "$ENV{with_krb_srvnam}/$host";
 
 system_or_bail $kdb5_util, 'create', '-s', '-P', 'secret0';
 
@@ -143,7 +145,7 @@ note "setting up PostgreSQL instance";
 
 my $node = get_new_node('node');
 $node->init;
-$node->append_conf('postgresql.conf', "listen_addresses = 'localhost'");
+$node->append_conf('postgresql.conf', "listen_addresses = '$hostaddr'");
 $node->append_conf('postgresql.conf', "krb_server_keyfile = '$keytab'");
 $node->start;
 
@@ -160,7 +162,8 @@ sub test_access
                'postgres',
                'SELECT 1',
                extra_params => [
-                       '-d', $node->connstr('postgres') . ' host=localhost',
+                       '-d',
+                       $node->connstr('postgres') . " host=$host 
hostaddr=$hostaddr",
                        '-U', $role
                ]);
        is($res, $expected_res, $test_name);
@@ -168,7 +171,8 @@ sub test_access
 }
 
 unlink($node->data_dir . '/pg_hba.conf');
-$node->append_conf('pg_hba.conf', qq{host all all localhost gss map=mymap});
+$node->append_conf('pg_hba.conf',
+       qq{host all all $hostaddr/32 gss map=mymap});
 $node->restart;
 
 test_access($node, 'test1', 2, 'fails without ticket');
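Review bot: The `/32` suffix on the new pg_hba.conf line hard-codes an IPv4 mask while `$hostaddr` is declared once near the top of the file; if that address is ever changed to `::1` the mask becomes wrong and the entry silently stops matching, and the same coupling exists on the `include_realm=0` line in the last hunk. Either derive the mask once next to the address, e.g. `my $hostaddr_cidr = "$hostaddr/32";` (outside this hunk) and write `qq{host all all $hostaddr_cidr gss map=mymap}`, or mark the coupling with `# /32 assumes $hostaddr is IPv4`. Restricting the entry to the exact loopback address rather than a name is the right direction, since the match no longer depends on how localhost resolves on the build host.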
@@ -185,7 +189,7 @@ test_access($node, 'test1', 0, 'succeeds with mapping');
 truncate($node->data_dir . '/pg_ident.conf', 0);
 unlink($node->data_dir . '/pg_hba.conf');
 $node->append_conf('pg_hba.conf',
-       qq{host all all localhost gss include_realm=0});
+       qq{host all all $hostaddr/32 gss include_realm=0});
 $node->restart;
 
 test_access($node, 'test1', 0, 'succeeds with include_realm=0');
