[HACKERS] GSSAPI doesn't play nice with non-canonical host names

Tom Lane Sun, 27 Jan 2008 16:03:51 -0800

Whilst trying to reproduce bug #3902 I noticed that the code doesn't
work with an abbreviated host name:


$ psql -l -h rh2.sss.pgh.pa.us
       List of databases
       ... everything's fine ...

$ psql -l -h rh2              
psql: GSSAPI continuation error: Unspecified GSS failure.  Minor code may 
provide more information
GSSAPI continuation error: Unknown code krb5 7
$

Considering that my DNS system knows perfectly well what to resolve the
short name to, it seems reasonable that GSSAPI should be able to deal
with it.  Looking into the KDC log shows that psql is trying everything
but the right thing for the hostname part of the server principal:

Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for postgres/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for postgres/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database
Jan 27 18:41:19 rh2.sss.pgh.pa.us krb5kdc[3993](info): TGS_REQ (7 etypes {18 17 
16 23 1 3 2}) 192.168.0.8: UNKNOWN_SERVER: authtime 1201474768,  [EMAIL 
PROTECTED] for krbtgt/[EMAIL PROTECTED], Server not found in Kerberos database

This could be a configuration error on my part (I've never set up a
Kerberos server before today) but what it looks like to me is that
something in the GSSAPI library is assuming it's being handed a fully
qualified domain name.  Perhaps pg_GSS_startup() shouldn't be using
just conn->pghost, but the fully resolved server domain name?

This is on Fedora 8, krb5-libs-1.6.2-9.fc8.x86_64, in case it matters.

While I'm complaining: that's got to be one of the least useful error
messages I've ever seen, and it's for a case that's surely going to be
fairly common in practice.  Can't we persuade GSSAPI to produce
something more user-friendly?  At least convert "7" to "Server not
found in Kerberos database"?

                        regards, tom lane

---------------------------(end of broadcast)---------------------------
TIP 6: explain analyze is your friend

[HACKERS] GSSAPI doesn't play nice with non-canonical host names

Reply via email to