Greetings, * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote: > On 2019-04-05 04:59, Stephen Frost wrote: > > Alright, that over-size error was a bug in the error-handling code, > > which I've just pushed a fix for. That said... > > Yes, that looks better now.
Great. > > This looks like it's a real issue and it's unclear what's going on here. > > I wonder- are you certain that you're using all the same Kerberos > > libraries for the KDC, the server, and psql? > > Right, it was built against the OS-provided Kerberos installation > (/usr/bin etc.). If I build against the Homebrew-provided one then the > tests pass. All of it was built against the OS-provided Kerberos install, and you got the failure..? > So maybe that means that this encryption feature is not supported on > that (presumably older) installation? (krb5-config --version says > "Kerberos 5 release 1.7-prerelease") Is that plausible? Is a gentler > failure mode possible? On a failure to set up an encrypted connection, we'll actually fall back to a non-encrypted one, using GSSAPI *just* for authentication, which is why I was asking if this worked before the encryption patch went in. Also, which of the tests are still failing, exactly? The authentication ones or the encryption ones or both? If we determine that this is some issue with the MacOS-provided Kerberos libraries, then we could try to detect them and disable GSSAPI encryption in that case explicitly, I suppose, but I've seen odd things with the MacOS-provided Kerberos libraries before on released versions of PG (without any encryption support), so I'm not yet convinced that this is an issue that's specific to adding support for encryption. Thanks! Stephen
signature.asc
Description: PGP signature
