Heimdal Kerberos 5 support in 7.1.3

The following patch allowed me to compile 7.1.3 with krb5 support from the
Heimdal krb5 port. Configure with --with-heimdal rather than --with-krb5.

--- ./src/backend/libpq/auth.c.~1~ Thu Mar 22 04:59:30 2001
+++ ./src/backend/libpq/auth.c Fri Dec 7 13:31:18 2001
@@ -277,7 +277,12 @@
* I have no idea why this is considered necessary.
*/
retval = krb5_unparse_name(pg_krb5_context,
- ticket->enc_part2->client, &kusername);
+#ifdef HEIMDAL
+ ticket->client,
+#else
+ ticket->enc_part2->client,
+#endif
+ &kusername);
if (retval)
{
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
--- ./src/include/config.h.in.~1~ Sun Apr 15 00:55:02 2001
+++ ./src/include/config.h.in Fri Dec 7 12:59:26 2001
@@ -54,8 +54,12 @@
/* Define to build with Kerberos 4 support (--with-krb4[=DIR]) */
#undef KRB4

-/* Define to build with Kerberos 5 support (--with-krb5[=DIR]) */
+/* Define to build with Kerberos 5 support (--with-krb5[=DIR])
+ or with Heimdal Kerberos 5 support (--with-heimdal[=DIR])*/
#undef KRB5
+
+/* Define to build with Heimdal Kerberos 5 support (--with-heimdal[=DIR]) */
+#undef HEIMDAL

/* Kerberos name of the Postgres service principal (--with-krb-srvnam=NAME) */
#undef PG_KRB_SRVNAM
--- ./src/interfaces/libpq/fe-auth.c.~1~ Thu Mar 22 05:01:25 2001
+++ ./src/interfaces/libpq/fe-auth.c Fri Dec 7 12:58:01 2001
@@ -37,6 +37,7 @@
#ifdef WIN32
#include "win32.h"
#else
+#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/param.h> /* for MAXHOSTNAMELEN on most */
@@ -399,9 +400,14 @@
{
if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
{
+#ifdef HEIMDAL
+ snprintf(PQerrormsg, PQERRORMSG_LENGTH,
+ "pg_krb5_sendauth: authentication rejected.");
+#else
snprintf(PQerrormsg, PQERRORMSG_LENGTH,
"pg_krb5_sendauth: authentication rejected: \"%*s\"",
err_ret->text.length, err_ret->text.data);
+#endif
}
else
{
--- ./configure.in.~1~ Thu Aug 16 20:36:31 2001
+++ ./configure.in Fri Dec 7 13:03:25 2001
@@ -470,6 +470,28 @@
AC_SUBST(with_krb5)


+#
+# Heimdal Kerberos 5
+#
+PGAC_ARG_OPTARG(with, heimdal, [ --with-heimdal[=DIR] build with Heimdal Kerberos 5 support [/usr/heimdal]],
+ [krb5_prefix=/usr/heimdal],
+ [krb5_prefix=$withval],
+[
+ AC_MSG_RESULT([building with Heimdal Kerberos 5 support])
+ AC_DEFINE(KRB5, 1, [Define if you are building with Kerberos 5 support.])
+ AC_DEFINE(HEIMDAL, 1, [Define if you are building with Heimdal Kerberos 5 support.])
+
+ if test -d "$krb5_prefix/include"; then
+ INCLUDES="$INCLUDES -I$krb5_prefix/include"
+ fi
+ if test -d "$krb5_prefix/lib"; then
+ LIBDIRS="$LIBDIRS -L$krb5_prefix/lib"
+ fi
+
+ krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab"
+])
+
+
# Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
@@ -692,6 +714,14 @@
AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Kerberos 5])])
AC_CHECK_LIB(crypto, [krb5_encrypt], [],
[AC_CHECK_LIB(k5crypto, [krb5_encrypt], [], [AC_MSG_ERROR([library 'crypto' or 'k5crypto' is required for Kerberos 5])])])
+ AC_CHECK_LIB(krb5, [krb5_sendauth], [], [AC_MSG_ERROR([library 'krb5' is required for Kerberos 5])])
+fi
+
+if test "$with_heimdal" = yes ; then
+ AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Heimdal Kerberos 5])])
+ AC_CHECK_LIB(asn1, [free_Checksum], [], [AC_MSG_ERROR([library 'asn1' is required for Heimdal Kerberos 5])])
+ AC_CHECK_LIB(roken, [roken_getaddrinfo_hostspec], [], [AC_MSG_ERROR([library 'roken' is required for Heimdal Kerberos 5])])
+ AC_CHECK_LIB(des, [des_set_odd_parity], [], [AC_MSG_ERROR([library 'des' is required for Heimdal Kerberos 5])])
AC_CHECK_LIB(krb5, [krb5_sendauth], [], [AC_MSG_ERROR([library 'krb5' is required for Kerberos 5])])
fi

Torbj|rn Lindh writes:

> The following patch allowed me to compile 7.1.3 with krb5 support from the
> Heimdal krb5 port. Configure with --with-heimdal rather than --with-krb5.

We'll try to get Heimdal support into the release after 7.2.

--
Peter Eisentraut peter_e(at)gmx(dot)net

Your patch has been added to the PostgreSQL unapplied patches list at:

http://candle.pha.pa.us/cgi-bin/pgpatches

I will try to apply it within the next 48 hours. Will need review along
with other Kerberos patch.

---------------------------------------------------------------------------

Torbj|rn Lindh wrote:
> The following patch allowed me to compile 7.1.3 with krb5 support from the
> Heimdal krb5 port. Configure with --with-heimdal rather than --with-krb5.
>
> --- ./src/backend/libpq/auth.c.~1~ Thu Mar 22 04:59:30 2001
> +++ ./src/backend/libpq/auth.c Fri Dec 7 13:31:18 2001
> @@ -277,7 +277,12 @@
> * I have no idea why this is considered necessary.
> */
> retval = krb5_unparse_name(pg_krb5_context,
> - ticket->enc_part2->client, &kusername);
> +#ifdef HEIMDAL
> + ticket->client,
> +#else
> + ticket->enc_part2->client,
> +#endif
> + &kusername);
> if (retval)
> {
> snprintf(PQerrormsg, PQERRORMSG_LENGTH,
> --- ./src/include/config.h.in.~1~ Sun Apr 15 00:55:02 2001
> +++ ./src/include/config.h.in Fri Dec 7 12:59:26 2001
> @@ -54,8 +54,12 @@
> /* Define to build with Kerberos 4 support (--with-krb4[=DIR]) */
> #undef KRB4
>
> -/* Define to build with Kerberos 5 support (--with-krb5[=DIR]) */
> +/* Define to build with Kerberos 5 support (--with-krb5[=DIR])
> + or with Heimdal Kerberos 5 support (--with-heimdal[=DIR])*/
> #undef KRB5
> +
> +/* Define to build with Heimdal Kerberos 5 support (--with-heimdal[=DIR]) */
> +#undef HEIMDAL
>
> /* Kerberos name of the Postgres service principal (--with-krb-srvnam=NAME) */
> #undef PG_KRB_SRVNAM
> --- ./src/interfaces/libpq/fe-auth.c.~1~ Thu Mar 22 05:01:25 2001
> +++ ./src/interfaces/libpq/fe-auth.c Fri Dec 7 12:58:01 2001
> @@ -37,6 +37,7 @@
> #ifdef WIN32
> #include "win32.h"
> #else
> +#include <errno.h>
> #include <unistd.h>
> #include <fcntl.h>
> #include <sys/param.h> /* for MAXHOSTNAMELEN on most */
> @@ -399,9 +400,14 @@
> {
> if (retval == KRB5_SENDAUTH_REJECTED && err_ret)
> {
> +#ifdef HEIMDAL
> + snprintf(PQerrormsg, PQERRORMSG_LENGTH,
> + "pg_krb5_sendauth: authentication rejected.");
> +#else
> snprintf(PQerrormsg, PQERRORMSG_LENGTH,
> "pg_krb5_sendauth: authentication rejected: \"%*s\"",
> err_ret->text.length, err_ret->text.data);
> +#endif
> }
> else
> {
> --- ./configure.in.~1~ Thu Aug 16 20:36:31 2001
> +++ ./configure.in Fri Dec 7 13:03:25 2001
> @@ -470,6 +470,28 @@
> AC_SUBST(with_krb5)
>
>
> +#
> +# Heimdal Kerberos 5
> +#
> +PGAC_ARG_OPTARG(with, heimdal, [ --with-heimdal[=DIR] build with Heimdal Kerberos 5 support [/usr/heimdal]],
> + [krb5_prefix=/usr/heimdal],
> + [krb5_prefix=$withval],
> +[
> + AC_MSG_RESULT([building with Heimdal Kerberos 5 support])
> + AC_DEFINE(KRB5, 1, [Define if you are building with Kerberos 5 support.])
> + AC_DEFINE(HEIMDAL, 1, [Define if you are building with Heimdal Kerberos 5 support.])
> +
> + if test -d "$krb5_prefix/include"; then
> + INCLUDES="$INCLUDES -I$krb5_prefix/include"
> + fi
> + if test -d "$krb5_prefix/lib"; then
> + LIBDIRS="$LIBDIRS -L$krb5_prefix/lib"
> + fi
> +
> + krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab"
> +])
> +
> +
> # Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work.
> if test "$with_krb4" = yes && test "$with_krb5" = yes ; then
> AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined])
> @@ -692,6 +714,14 @@
> AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Kerberos 5])])
> AC_CHECK_LIB(crypto, [krb5_encrypt], [],
> [AC_CHECK_LIB(k5crypto, [krb5_encrypt], [], [AC_MSG_ERROR([library 'crypto' or 'k5crypto' is required for Kerberos 5])])])
> + AC_CHECK_LIB(krb5, [krb5_sendauth], [], [AC_MSG_ERROR([library 'krb5' is required for Kerberos 5])])
> +fi
> +
> +if test "$with_heimdal" = yes ; then
> + AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Heimdal Kerberos 5])])
> + AC_CHECK_LIB(asn1, [free_Checksum], [], [AC_MSG_ERROR([library 'asn1' is required for Heimdal Kerberos 5])])
> + AC_CHECK_LIB(roken, [roken_getaddrinfo_hostspec], [], [AC_MSG_ERROR([library 'roken' is required for Heimdal Kerberos 5])])
> + AC_CHECK_LIB(des, [des_set_odd_parity], [], [AC_MSG_ERROR([library 'des' is required for Heimdal Kerberos 5])])
> AC_CHECK_LIB(krb5, [krb5_sendauth], [], [AC_MSG_ERROR([library 'krb5' is required for Kerberos 5])])
> fi
>
>
>
> ---------------------------(end of broadcast)---------------------------
> TIP 5: Have you checked our extensive FAQ?
>
> http://www.postgresql.org/users-lounge/docs/faq.html
>

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

Peter Eisentraut wrote:
> Bruce Momjian writes:
>
> > I will try to apply it within the next 48 hours. Will need review along
> > with other Kerberos patch.
>
> I'm compiling Heimdal now to check out these patches. I do have the
> "favorite" patch from Bill Studenmund saved up.

I have to say the kerberos thread was the hardest to understand.

--
Bruce Momjian | http://candle.pha.pa.us
pgman(at)candle(dot)pha(dot)pa(dot)us | (610) 853-3000
+ If your life is a hard drive, | 830 Blythe Avenue
+ Christ can be your backup. | Drexel Hill, Pennsylvania 19026

Bruce Momjian writes:

> I will try to apply it within the next 48 hours. Will need review along
> with other Kerberos patch.

I'm compiling Heimdal now to check out these patches. I do have the
"favorite" patch from Bill Studenmund saved up.

--
Peter Eisentraut peter_e(at)gmx(dot)net