Your message dated Tue, 20 Dec 2005 18:43:45 +0100
with message-id <[EMAIL PROTECTED]>
and subject line Closing
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--------------------------------------
From: pod <[EMAIL PROTECTED]>
To: Debian Bug Tracking System <[EMAIL PROTECTED]>
Subject: postgresql: krb5 authentication and multihomed server hosts
X-Debbugs-CC: pod <[EMAIL PROTECTED]>
Message-Id: <[EMAIL PROTECTED]>
Date: Tue, 26 Jul 2005 18:11:20 +0100 (BST)
Package: postgresql
Severity: important
It is not always possible to use krb5 authentication to a server that is
listening on multiple interfaces other than to the 'primary' interface.
More specifically: src/backend/libpq/auth.c pg_krb5_init() fills in the
pg_krb5_server principal with a call to krb5_sname_to_principal with NULL
as the second argument (the hostname argument). This invokes the hostname
canonicalisation behaviour in the kerberos library which has insufficient
information to be able to return the correct answer in all cases.
zero-credibility:~# host zero-credibility.oucs.ox.ac.uk
zero-credibility.oucs.ox.ac.uk has address 163.1.2.14
zero-credibility:~# host pgsql-dev.oucs.ox.ac.uk
pgsql-dev.oucs.ox.ac.uk has address 163.1.2.37
zero-credibility:~# netstat -nie # check interfaces are up
Kernel Interface table
eth0 Link encap:Ethernet HWaddr 00:E0:81:63:D6:08
inet addr:163.1.2.14 Bcast:163.1.2.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:81ff:fe63:d608/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:4603401 errors:0 dropped:0 overruns:0 frame:0
TX packets:197179 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:342050931 (326.2 MiB) TX bytes:26094767 (24.8 MiB)
Base address:0xa000 Memory:f4020000-f4040000
eth0:37 Link encap:Ethernet HWaddr 00:E0:81:63:D6:08
inet addr:163.1.2.37 Bcast:163.1.255.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
Base address:0xa000 Memory:f4020000-f4040000
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:222060 errors:0 dropped:0 overruns:0 frame:0
TX packets:222060 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:94776903 (90.3 MiB) TX bytes:94776903 (90.3 MiB)
zero-credibility:~# netstat -natp | grep 5432 # check postmaster is listening
tcp 0 0 0.0.0.0:5432 0.0.0.0:* LISTEN 25267/postmaster
zero-credibility:~# klist -k /etc/postgresql/krb5.keytab # confirm keytab contents
Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
3 postgres/[EMAIL PROTECTED]
3 postgres/[EMAIL PROTECTED]
[...flip to client...]
[EMAIL PROTECTED] psql -h pgsql-dev.oucs.ox.ac.uk template1 # try to connect
psql: Kerberos 5 authentication failed
[EMAIL PROTECTED] klist # confirm we got a service ticket
Ticket cache: FILE:/tmp/krb5cc_1000_rnx4Z0
Default principal: [EMAIL PROTECTED]
Valid starting Expires Service principal
07/26/05 09:48:01 07/26/05 19:48:01 krbtgt/[EMAIL PROTECTED]
07/26/05 13:26:33 07/26/05 19:48:01 postgres/[EMAIL PROTECTED]
[...back to server...]
zero-credibility:~# tail /var/log/postgresql/postgres.log
[...]
Jul 26 13:35:23 zero-credibility postgres[25963]: [1-1] LOG: connection received: host=129.67.100.155 port=33718
Jul 26 13:35:23 zero-credibility postgres[25963]: [2-1] LOG: Kerberos recvauth returned error -1765328240
Jul 26 13:35:23 zero-credibility postgres[25963]: [3-1] FATAL: Kerberos5 authentication failed for user "pod"
zero-credibility:~# grep -e -1765328240 /usr/include/krb5.h # what is that err?
#define KRB5KRB_AP_WRONG_PRINC (-1765328240L)
I append a patch that 'fixes' behaviour for the limited case where a
virtual_host is specified in /etc/postgresql/postgresql.conf. I'm not
sure it is possible to fix the INADDR_ANY case without changes to
krb5_recvauth() which is, of course, not your concern.
[...apply patch, run patched server...]
zero-credibility:~# grep -e virtual_host /etc/postgresql/postgresql.conf
virtual_host = '163.1.2.37'
[...try again on client...]
[EMAIL PROTECTED] psql -h pgsql-dev.oucs.ox.ac.uk template1
Welcome to psql 7.4.7, the PostgreSQL interactive terminal.
Type: \copyright for distribution terms
\h for help with SQL commands
\? for help on internal slash commands
\g or terminate with semicolon to execute query
\q to quit
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
template1=> \q
--------------------
--- postgresql-7.4.7-old/src/backend/libpq/auth.c 2003-12-20
18:25:02.000000000 +0000
+++ postgresql-7.4.7/src/backend/libpq/auth.c 2005-07-25 19:55:26.000000000
+0100
@@ -216,8 +216,18 @@
return STATUS_ERROR;
}
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ if( VirtualHost && VirtualHost[0] )
+ {
+ char *host=VirtualHost;
+ while(*host==' ') host++; /* skip leading spaces (cf
postmaster.c) */
+ retval = krb5_sname_to_principal(pg_krb5_context, host,
PG_KRB_SRVNAM,
+
KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
+ else
+ {
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL,
PG_KRB_SRVNAM,
KRB5_NT_SRV_HST, &pg_krb5_server);
+ }
if (retval)
{
ereport(LOG,
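Review bot: the `while(*host==' ') host++;` loop in the `VirtualHost` branch strips leading blanks only; a trailing blank in the configured value (e.g. `virtual_host = '163.1.2.37 '`) reaches krb5_sname_to_principal unchanged and the lookup fails with the same opaque result as before, so trim both ends (or reject such values where the GUC is assigned) rather than copying only the postmaster.c leading-space treatment. The `if` and `else` arms differ solely in the second argument; declaring `const char *host = NULL;` above, pointing it at the trimmed `VirtualHost` inside the `if`, and making a single `krb5_sname_to_principal(pg_krb5_context, host, PG_KRB_SRVNAM, KRB5_NT_SRV_HST, &pg_krb5_server);` call keeps one argument list and leaves the `if (retval)` handling below untouched. Since the value passed is an address literal in the report's configuration, the principal the library settles on is whatever its own name lookup maps that address to, which is worth a comment in the hunk, and emitting the unparsed `pg_krb5_server` at LOG or DEBUG level once it is set would let an administrator see the chosen principal instead of the bare `-1765328240` in the log excerpt above.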
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.4.18-1-686
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
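A Python model of the principal mismatch described in the report (added here; not code from the bug report or from PostgreSQL). It stands in for krb5_sname_to_principal with a constructed DNS table and a constructed klist listing, and uses a placeholder realm because the report's realm is redacted; the patched case is modelled by passing the virtual_host address instead of None.

```python
import re

# Constructed DNS view of the server in the report (forward and reverse).
DNS = {
    "zero-credibility.oucs.ox.ac.uk": "163.1.2.14",
    "pgsql-dev.oucs.ox.ac.uk": "163.1.2.37",
}
REVERSE = {ip: name for name, ip in DNS.items()}
REALM = "EXAMPLE.REALM"   # placeholder; the report's realm is redacted
SYSTEM_HOSTNAME = "zero-credibility.oucs.ox.ac.uk"   # primary interface name


def service_principal(host, service="postgres"):
    """Model of krb5_sname_to_principal(ctx, host, service, KRB5_NT_SRV_HST).
    host=None means "this machine", which resolves to the primary interface's
    name regardless of which address the client connected to.  An IP literal
    is canonicalised through the (constructed) reverse table."""
    if host is None:
        host = SYSTEM_HOSTNAME
    host = REVERSE.get(host, host)
    return f"{service}/{host.lower()}@{REALM}"


def parse_klist_keytab(text):
    """Principals listed by 'klist -k' (KVNO, then principal, per line)."""
    return {m.group(1) for m in re.finditer(r"^\s*\d+\s+(\S+@\S+)\s*$", text, re.M)}


def auth_outcome(client_target, virtual_host, keytab_text):
    """Server-side AP-REQ check for a client that ran 'psql -h <client_target>'.
    The client asks the KDC for a ticket to the name it connected to; the
    server verifies against the principal it derived for itself (unpatched
    server: virtual_host=None)."""
    client_princ = service_principal(client_target)
    server_princ = service_principal(virtual_host)
    if server_princ not in parse_klist_keytab(keytab_text):
        return "no key for server principal in keytab"
    if client_princ != server_princ:
        return "KRB5KRB_AP_WRONG_PRINC"      # -1765328240 in the report's log
    return "ok"


# Constructed keytab listing in the format the report's klist -k printed.
KEYTAB = f"""Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------
   3 postgres/zero-credibility.oucs.ox.ac.uk@{REALM}
   3 postgres/pgsql-dev.oucs.ox.ac.uk@{REALM}
"""

if __name__ == "__main__":
    for target, vhost in [("pgsql-dev.oucs.ox.ac.uk", None),
                          ("zero-credibility.oucs.ox.ac.uk", None),
                          ("pgsql-dev.oucs.ox.ac.uk", "163.1.2.37")]:
        print(f"psql -h {target}, virtual_host={vhost!r}: "
              f"{auth_outcome(target, vhost, KEYTAB)}")
```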
---------------------------------------
Date: Tue, 20 Dec 2005 18:43:45 +0100
From: Martin Pitt <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Closing
Message-ID: <[EMAIL PROTECTED]>
Hi!
This issue has been fixed upstream for 8.1, and Debian's 7.4 version
has a patch for it. There is no patch for 8.0, and the existing ones
are pretty hard to backport. Since the 8.0 packages are obsolete
anyway and will be removed in a not too far future, I close this bug
since nothing will be done about it anyway.
Thanks,
Martin
-- 
Martin Pitt http://www.piware.de
Ubuntu Developer http://www.ubuntu.com
Debian Developer http://www.debian.org
In a world without walls and fences, who needs Windows and Gates?