Stephen Frost <sfr...@snowman.net> writes:
> * Peter Eisentraut (peter.eisentr...@2ndquadrant.com) wrote:
>> On 2019-04-05 04:59, Stephen Frost wrote:
>>
>>> Alright, that over-size error was a bug in the error-handling code,
>>> which I've just pushed a fix for. That said...
>>
>> Yes, that looks better now.
>
> Great.
>
>>> This looks like it's a real issue and it's unclear what's going on
>>> here. I wonder- are you certain that you're using all the same
>>> Kerberos libraries for the KDC, the server, and psql?
>>
>> Right, it was built against the OS-provided Kerberos installation
>> (/usr/bin etc.). If I build against the Homebrew-provided one then
>> the tests pass.
>
> All of it was built against the OS-provided Kerberos install, and you
> got the failure..?
>
>> So maybe that means that this encryption feature is not supported on
>> that (presumably older) installation? (krb5-config --version says
>> "Kerberos 5 release 1.7-prerelease") Is that plausible? Is a gentler
>> failure mode possible?
Heimdal never had a 1.7 release - they went from 1.5.2 to 7.1.0. MIT did have a 1.7 release - in 2009. Apple doesn't open source their Kerberos implementation, so I can't exactly point a debugger at it. But if it's in fact somehow related to MIT 1.7-prerelease, I imagine they inherited a bug or two that's been fixed in the ten years since then.

As for the code: I'm not doing anything complicated. The interface I'm using is as specified in RFC2743 and RFC2744, which is from 2000 (though I think technically I'm mostly backward compatible to RFC1509, from 1993), and Kerberos V5 itself is specified in RFC4120 (from 2005).

> On a failure to set up an encrypted connection, we'll actually fall
> back to a non-encrypted one, using GSSAPI *just* for authentication,
> which is why I was asking if this worked before the encryption patch
> went in. Also, which of the tests are still failing, exactly? The
> authentication ones or the encryption ones or both?

Good question.

> If we determine that this is some issue with the MacOS-provided
> Kerberos libraries, then we could try to detect them and disable
> GSSAPI encryption in that case explicitly, I suppose, but I've seen
> odd things with the MacOS-provided Kerberos libraries before on
> released versions of PG (without any encryption support), so I'm not
> yet convinced that this is an issue that's specific to adding support
> for encryption.

If we have to, a version check >1.7 would probably work. That'll remove the ability to work on RHEL/CentOS 5, but that's probably fine, and I'm not aware of any other supported OSs that would be impacted.

Thanks,

--Robbie