On Thu, Sep 10, 2015 at 1:44 AM, Robbie Harwood <rharw...@redhat.com> wrote:
> Michael Paquier <michael.paqu...@gmail.com> writes:
>
>> On Wed, Sep 9, 2015 at 4:12 AM, Robbie Harwood wrote:
>>> Michael Paquier writes:
>>> As promised, here's a V2 to address your issues with comments. I
>>> haven't heard back on the issues you found in testing, so no other
>>> changes are present.
>>
>> Well, the issue is still here: login through gssapi fails with your
>> patch, not with HEAD. This patch is next on my review list by the way
>> so I'll see what I can do about it soon even if I am in the US for
>> Postgres Open next week. Still, how did you test it? I am just
>> creating by myself a KDC, setting up a valid credential with kinit,
>> and after setting up Postgres for this purpose the protocol
>> communication just fails.
>
> My KDC is setup through freeIPA; I create a service for postgres,
> acquire a keytab, set it in the config file, and fire up the server. It
> should go without saying that this is working for me, which is why I
> asked you for more information so I could try to debug. I wrote a post
> on this back in June when this was still in development:
> http://mivehind.net/page/view-page-slug/16/postgres-kerberos

Hm. OK. I'll give it a try with freeipa and your patch with Fedora for
example. Could you as well try the configuration I have used? In any
case, it seems to me that we have a real problem with your patch: the
gss authentication protocol is broken with your patch and *not* HEAD
when using a custom kdc like the one I have set up manually on one of
my VMs.
-- 
Michael

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers