The attached patch adds a directive to the config file, krb_server_hostname, that allows the hostname that service tickets are obtained against to be different from the hostname of the db server.
We use this because the db server binds to a specific IP address which has a name that's different from what hostname() would return. It's against postgresql-8.0.0rc3, though it's not much different from a similar patch against 7.4.3. -Todd
Index: doc/src/sgml/runtime.sgml
===================================================================
RCS file: postgresql-8.0.0rc3/doc/src/sgml/runtime.sgml,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- doc/src/sgml/runtime.sgml 26 Dec 2004 23:06:56 -0000 1.1.1.1
+++ doc/src/sgml/runtime.sgml 3 Jan 2005 23:18:44 -0000 1.2
@@ -952,6 +952,20 @@
 </listitem>
 </varlistentry>
+ <varlistentry id="guc-krb_server_hostname" xreflabel="krb_server_hostname">
+ <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
+ <indexterm>
+ <primary><varname>krb_server_hostname</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets the hostname that service tickets will be obtained against
+ (defaults to the hostname of the postgresql server)
+ <xref linkend="kerberos-auth"> for details.
+ </para>
+ </listitem>
+ </varlistentry>
+
 <varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
 <term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
 <indexterm>
Index: src/backend/libpq/auth.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/libpq/auth.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/backend/libpq/auth.c 31 Dec 2004 21:59:50 -0000 1.1.1.1
+++ src/backend/libpq/auth.c 3 Jan 2005 14:59:44 -0000 1.2
@@ -41,6 +41,7 @@
 static int recv_and_check_password_packet(Port *port);
 char *pg_krb_server_keyfile;
+char *pg_krb_server_hostname = NULL;
 #ifdef USE_PAM
 #ifdef HAVE_PAM_PAM_APPL_H
@@ -189,6 +190,12 @@
 pg_krb5_init(void)
 {
 krb5_error_code retval;
+ char *svr_name;
+
+ if(pg_krb_server_hostname)
+ svr_name = pg_krb_server_hostname;
+ else
+ svr_name = PG_KRB_SRVNAM;
 if (pg_krb5_initialised)
 return STATUS_OK;
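Review bot: The `char *svr_name;` local added at the top of pg_krb5_init() is not used in any line shown, and it mixes two different things: it is set to either the configured host name or `PG_KRB_SRVNAM`, which is the service name. The call in the @@ -215 hunk already passes `pg_krb_server_hostname` and `PG_KRB_SRVNAM` as separate arguments, so the declaration and the `if`/`else` can be dropped here and in the identical block added in the @@ -254 hunk. If a later edit substituted `svr_name` for the service-name argument, the server would build its principal from the host name instead. Both function bodies continue outside the hunks, so a use further down cannot be ruled out from here.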
@@ -215,9 +222,10 @@
 return STATUS_ERROR;
 }
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, PG_KRB_SRVNAM,
- KRB5_NT_SRV_HST, &pg_krb5_server);
- if (retval)
+ retval = krb5_sname_to_principal(pg_krb5_context,
+ pg_krb_server_hostname, PG_KRB_SRVNAM,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ if (retval)
 {
 ereport(LOG,
 (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
@@ -254,6 +262,12 @@
 krb5_auth_context auth_context = NULL;
 krb5_ticket *ticket;
 char *kusername;
+ char *svr_name;
+
+ if(pg_krb_server_hostname)
+ svr_name = pg_krb_server_hostname;
+ else
+ svr_name = PG_KRB_SRVNAM;
 ret = pg_krb5_init();
 if (ret != STATUS_OK)
Index: src/backend/utils/misc/guc.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/backend/utils/misc/guc.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/backend/utils/misc/guc.c 20 Dec 2004 18:15:07 -0000 1.1.1.1
+++ src/backend/utils/misc/guc.c 3 Jan 2005 14:59:45 -0000 1.2
@@ -1546,6 +1546,15 @@
 },
 {
+ {"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the hostname of the Kerberos server."),
+ NULL
+ },
+ &pg_krb_server_hostname,
+ NULL, NULL, NULL
+ },
+
+ {
 {"rendezvous_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 gettext_noop("Sets the Rendezvous broadcast service name."),
 NULL
Index: src/bin/psql/tab-complete.c
===================================================================
RCS file: postgresql-8.0.0rc3/src/bin/psql/tab-complete.c,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/bin/psql/tab-complete.c 24 Dec 2004 15:42:05 -0000 1.1.1.1
+++ src/bin/psql/tab-complete.c 3 Jan 2005 14:59:46 -0000 1.2
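Review bot: The new `krb5_sname_to_principal()` call in the @@ -215 hunk passes `pg_krb_server_hostname` through without checking for an empty string, so a setting of `krb_server_hostname = ''` would presumably reach the library as `""` rather than as the NULL that selects the local host name. Mapping empty to unset keeps the old behaviour: `(pg_krb_server_hostname && pg_krb_server_hostname[0]) ? pg_krb_server_hostname : NULL`. The `ereport` that follows formats a single `%s` whose argument lies outside the hunk; logging the configured host name there as well would let a mismatch between the derived principal and the keytab be diagnosed from the server log. With `KRB5_NT_SRV_HST` the library may canonicalize the host name through DNS, which is worth stating in the parameter's documentation.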
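Review bot: The description string `"Sets the hostname of the Kerberos server."` in the guc.c entry reads as if the parameter names the KDC, whereas the auth.c hunks use it as the host part of the database server's own service principal. Something like `gettext_noop("Sets the host name used in the server's Kerberos service principal.")` would match that usage and the wording added to runtime.sgml. An administrator who follows the current text and enters the KDC's name would end up with a principal that is probably absent from the keytab, and Kerberos logins would fail.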
@@ -552,6 +552,7 @@
 "geqo_threshold",
 "join_collapse_limit",
 "krb_server_keyfile",
+ "krb_server_hostname",
 "lc_messages",
 "lc_monetary",
 "lc_numeric",
Index: src/include/libpq/auth.h
===================================================================
RCS file: postgresql-8.0.0rc3/src/include/libpq/auth.h,v
retrieving revision 1.1.1.1
retrieving revision 1.2
diff -u -r1.1.1.1 -r1.2
--- src/include/libpq/auth.h 31 Dec 2004 22:03:32 -0000 1.1.1.1
+++ src/include/libpq/auth.h 3 Jan 2005 14:59:47 -0000 1.2
@@ -27,5 +27,6 @@
 #define PG_KRB5_VERSION "PGVER5.1"
 extern char *pg_krb_server_keyfile;
+extern char *pg_krb_server_hostname;
 #endif /* AUTH_H */