Hi
This is a two-part patch against 7.4.5 that makes configurable what is
currently set by the #defined constant PG_KRB_SRVNAM (the service-name
part of the Kerberos principal the server uses).
On the backend it can be configured by the (new) string option
krb_srvnam in postgresql.conf.
On the client it can be configured by setting the environment variable
PGKRBSRVNAM.
The default setting (for both) is the value given by PG_KRB_SRVNAM
mentioned above.
diff -uNr postgresql-7.4.5/src/backend/libpq/auth.c postgresql-7.4.5-mod/src/backend/libpq/auth.c
--- postgresql-7.4.5/src/backend/libpq/auth.c 2003-12-20 19:25:02.000000000 +0100
+++ postgresql-7.4.5-mod/src/backend/libpq/auth.c 2004-09-25 12:58:32.000000000 +0200
@@ -41,6 +41,7 @@
static int recv_and_check_password_packet(Port *port);
char *pg_krb_server_keyfile;
+char *pg_krb_srvnam;
#ifdef USE_PAM
#ifdef HAVE_PAM_PAM_APPL_H
@@ -99,7 +100,7 @@
status = krb_recvauth(krbopts,
port->sock,
&clttkt,
- PG_KRB_SRVNAM,
+ pg_krb_srvnam,
instance,
&port->raddr.in,
&port->laddr.in,
@@ -216,16 +217,16 @@
return STATUS_ERROR;
}
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
KRB5_NT_SRV_HST, &pg_krb5_server);
if (retval)
{
ereport(LOG,
(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
- PG_KRB_SRVNAM, retval)));
+ pg_krb_srvnam, retval)));
com_err("postgres", retval,
"while getting server principal for service \"%s\"",
- PG_KRB_SRVNAM);
+ pg_krb_srvnam);
krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
krb5_free_context(pg_krb5_context);
return STATUS_ERROR;
@@ -261,7 +262,7 @@
return ret;
retval = krb5_recvauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & port->sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & port->sock, pg_krb_srvnam,
pg_krb5_server, 0, pg_krb5_keytab, &ticket);
if (retval)
{
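Review bot: The fourth argument of `krb5_recvauth` is the application version string that the sendauth/recvauth exchange compares between peers, not a principal name, so `pg_krb_srvnam` now controls two things at once in this call. A client whose PGKRBSRVNAM differs from the server's krb_srvnam should therefore be refused at the version exchange rather than at ticket validation, which is worth stating where the option is documented. I would add a comment above the call, `/* pg_krb_srvnam is also the sendauth application version; client and server settings must match */`. The same applies to the `krb5_sendauth` call changed in fe-auth.c. The enclosing function starts and ends outside this hunk.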
diff -uNr postgresql-7.4.5/src/backend/utils/misc/guc.c postgresql-7.4.5-mod/src/backend/utils/misc/guc.c
--- postgresql-7.4.5/src/backend/utils/misc/guc.c 2004-08-11 23:10:52.000000000 +0200
+++ postgresql-7.4.5-mod/src/backend/utils/misc/guc.c 2004-09-25 11:47:45.000000000 +0200
@@ -59,6 +59,9 @@
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
+#ifndef PG_KRB_SRVNAM
+#define PG_KRB_SRVNAM ""
+#endif
#ifdef EXEC_BACKEND
#define CONFIG_EXEC_PARAMS "global/config_exec_params"
@@ -1375,6 +1378,15 @@
},
{
+ {"krb_srvnam", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the name of the Postgres server Kerberos service."),
+ NULL
+ },
+ &pg_krb_srvnam,
+ PG_KRB_SRVNAM, NULL, NULL
+ },
+
+ {
{"rendezvous_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Rendezvous broadcast service name."),
NULL
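Review bot: The new `krb_srvnam` entry ends with `PG_KRB_SRVNAM, NULL, NULL`, so nothing rejects an empty string, and the `#define PG_KRB_SRVNAM ""` fallback added earlier in this file makes empty the silent default whenever the build does not supply the macro. That value is then handed unchanged to `krb5_sname_to_principal` and `krb_recvauth` in auth.c, where the server's Kerberos identity is derived from it. Because this setting decides which keytab principal the server authenticates as, I would give it a validation hook that refuses an empty name (presumably the first `NULL` is the hook slot) and fails startup with a clear message. The table this entry belongs to continues outside the hunk.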
diff -uNr postgresql-7.4.5/src/include/libpq/auth.h postgresql-7.4.5-mod/src/include/libpq/auth.h
--- postgresql-7.4.5/src/include/libpq/auth.h 2003-08-04 04:40:13.000000000 +0200
+++ postgresql-7.4.5-mod/src/include/libpq/auth.h 2004-09-25 12:13:05.000000000 +0200
@@ -27,5 +27,6 @@
#define PG_KRB5_VERSION "PGVER5.1"
extern char *pg_krb_server_keyfile;
+extern char *pg_krb_srvnam;
#endif /* AUTH_H */
diff -uNr postgresql-7.4.5/src/interfaces/libpq/fe-auth.c postgresql-7.4.5-mod/src/interfaces/libpq/fe-auth.c
--- postgresql-7.4.5/src/interfaces/libpq/fe-auth.c 2003-12-20 19:46:02.000000000 +0100
+++ postgresql-7.4.5-mod/src/interfaces/libpq/fe-auth.c 2004-09-25 12:22:26.000000000 +0200
@@ -116,6 +116,7 @@
/* for some reason, this is not defined in krb.h ... */
extern char *tkt_string(void);
+static char *pg_krb_srvnam;
/*
* pg_krb4_init -- initialization performed before any Kerberos calls are made
@@ -145,6 +146,11 @@
(void) snprintf(tktbuf, sizeof(tktbuf), "[EMAIL PROTECTED]", tkt_string(), realm);
krb_set_tkt_string(tktbuf);
}
+
+ pg_krb_srvnam = getenv("PGKRBSRVNAM");
+ if (pg_krb_srvnam == NULL) {
+ pg_krb_srvnam = PG_KRB_SRVNAM;
+ }
}
/*
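Review bot: `getenv("PGKRBSRVNAM")` is accepted whenever it is non-NULL, so an exported but empty variable yields an empty service name instead of the compiled-in default; `if (pg_krb_srvnam == NULL || pg_krb_srvnam[0] == '\0')` would treat both cases as unset. The identical block added to the Kerberos 5 init path later in this file needs the same change. Because the value selects which service principal the client accepts as the server (the krb5 path requests `AP_OPTS_MUTUAL_REQUIRED`), the documentation should describe PGKRBSRVNAM as trust-relevant configuration that privileged programs linking libpq should not inherit from an untrusted environment. The stored pointer is the one returned by `getenv`, which a later `setenv`/`putenv` in the host application may invalidate, so keeping a `strdup` copy would be safer. The enclosing init function begins outside this hunk.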
@@ -216,7 +222,7 @@
status = krb_sendauth(krbopts,
sock,
&clttkt,
- PG_KRB_SRVNAM,
+ pg_krb_srvnam,
hostname,
realm,
(u_long) 0,
@@ -278,6 +284,7 @@
static krb5_ccache pg_krb5_ccache;
static krb5_principal pg_krb5_client;
static char *pg_krb5_name;
+static char *pg_krb_srvnam;
static int
@@ -333,6 +340,11 @@
pg_krb5_name = pg_an_to_ln(pg_krb5_name);
+ pg_krb_srvnam = getenv("PGKRBSRVNAM");
+ if (pg_krb_srvnam == NULL) {
+ pg_krb_srvnam = PG_KRB_SRVNAM;
+ }
+
pg_krb5_initialised = 1;
return STATUS_OK;
}
@@ -370,7 +382,7 @@
if (ret != STATUS_OK)
return ret;
- retval = krb5_sname_to_principal(pg_krb5_context, hostname, PG_KRB_SRVNAM,
+ retval = krb5_sname_to_principal(pg_krb5_context, hostname, pg_krb_srvnam,
KRB5_NT_SRV_HST, &server);
if (retval)
{
@@ -397,7 +409,7 @@
}
retval = krb5_sendauth(pg_krb5_context, &auth_context,
- (krb5_pointer) & sock, PG_KRB_SRVNAM,
+ (krb5_pointer) & sock, pg_krb_srvnam,
pg_krb5_client, server,
AP_OPTS_MUTUAL_REQUIRED,
NULL, 0, /* no creds, use ccache instead */
The use of this is mainly if several different users want to run their
own instance of postgresql on the same machine.
Regards
Daniel Ahlin