David Steele <da...@pgmasters.net> writes:

> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>> David Steele <da...@pgmasters.net> writes:
>>> 1) It didn't apply cleanly to HEAD.  It did apply cleanly on a455878
>>> which I figured was recent enough for testing.  I didn't bisect to find
>>> the exact commit that broke it.
>> It applied to head of master (57c932475504d63d8f8a68fc6925d7decabc378a)
>> for me (`patch -p1 < v4-GSSAPI-encryption-support.patch`).  I rebased it
>> anyway and cut a v5 anyway, just to be sure.  It's attached, and
>> available on github as well:
>> https://github.com/frozencemetery/postgres/commit/dc10e3519f0f6c67f79abd157dc8ff1a1c293f53
> It could have been my mistake.  I'll give it another try when you have a
> new patch.

Please do let me know how v5 goes.  If you run into trouble, in addition
to the logs you helpfully provided before, I'd like a traffic dump (pcap
preferable; I need tcp/udp port 88 for Kerberos and tcp port 5432 or
whatever you're running postgres on) if possible.  Thanks!

>>> 2) While I was able to apply the patch and get it compiled it seemed
>>> pretty flaky - I was only able to logon about 1 in 10 times on average.
>>>  Here was my testing methodology:
>> What I can't tell from looking at your methodology is whether both the
>> client and server were running my patches or no.  There's no fallback
>> here (I'd like to talk about how that should work, with example from
>> v1-v3, if people have ideas).  This means that both the client and the
>> server need to be running my patches for the moment.  Is this your
>> setup?
> I was testing on a system with no version of PostgreSQL installed.  I
> applied your patch to master and then ran both server and client from
> that patched version.  Is there something I'm missing?

Not that I can immediately see.  As long as the client and server are
both patched, everything should work.  My process is the same as with
previous versions of this patchset [0], and though I'm using FreeIPA
there is no reason it shouldn't work with any other KDC (MIT, for
instance[1]) provided the IPA calls are converted.

I am curious, though - I haven't changed any of the authentication code
in v4/v5 from what's in ~master, so how often can you log in using
GSSAPI using master?

[0]: https://mivehind.net/2015/06/11/kerberized-postgresql/
[1]: http://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html

Attachment: signature.asc
Description: PGP signature

Reply via email to