David Steele <da...@pgmasters.net> writes:

> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>> David Steele <da...@pgmasters.net> writes:
>>
>>> 1) It didn't apply cleanly to HEAD.  It did apply cleanly on a455878
>>> which I figured was recent enough for testing.  I didn't bisect to find
>>> the exact commit that broke it.
>> 
>> It applied to head of master (57c932475504d63d8f8a68fc6925d7decabc378a)
>> for me (`patch -p1 < v4-GSSAPI-encryption-support.patch`).  I rebased it
>> anyway and cut a v5 anyway, just to be sure.  It's attached, and
>> available on github as well:
>> https://github.com/frozencemetery/postgres/commit/dc10e3519f0f6c67f79abd157dc8ff1a1c293f53
>
> It could have been my mistake.  I'll give it another try when you have a
> new patch.

Please do let me know how v5 goes.  If you run into trouble, in addition
to the logs you helpfully provided before, I'd like a traffic dump (pcap
preferable; I need tcp/udp port 88 for Kerberos and tcp port 5432 or
whatever you're running postgres on) if possible.  Thanks!

>>> 2) While I was able to apply the patch and get it compiled it seemed
>>> pretty flaky - I was only able to log on about 1 in 10 times on average.
>>>  Here was my testing methodology:
>> 
>> What I can't tell from looking at your methodology is whether both the
>> client and server were running my patches or no.  There's no fallback
>> here (I'd like to talk about how that should work, with example from
>> v1-v3, if people have ideas).  This means that both the client and the
>> server need to be running my patches for the moment.  Is this your
>> setup?
>
> I was testing on a system with no version of PostgreSQL installed.  I
> applied your patch to master and then ran both server and client from
> that patched version.  Is there something I'm missing?

Not that I can immediately see.  As long as the client and server are
both patched, everything should work.  My process is the same as with
previous versions of this patchset [0], and though I'm using FreeIPA
there is no reason it shouldn't work with any other KDC (MIT, for
instance[1]) provided the IPA calls are converted.

I am curious, though - I haven't changed any of the authentication code
in v4/v5 from what's in ~master, so how often can you log in using
GSSAPI using master?

[0]: https://mivehind.net/2015/06/11/kerberized-postgresql/
[1]: http://web.mit.edu/kerberos/krb5-devel/doc/admin/install_kdc.html
