Bug 1288607

Summary: missing kerberos/gssapi support in psql
Product: [Fedora] Fedora Reporter: Mike McLean <mikem>
Component: postgresqlAssignee: Pavel Raiskup <praiskup>
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 22CC: devrim, hhorak, jmlich83, jstanek, pkajaba, praiskup, tgl
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-07-19 18:34:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Mike McLean 2015-12-04 17:38:16 UTC 
Upgraded from F21 to F22 (yes, waited to last minute), and psql krb auth is broken.

postgresql-9.4.5-1.fc22.x86_64

% psql -h DBHOST DBNAME KRB_USER
psql: Kerberos 5 authentication not supported

Did we compile with gssapi support?
Comment 1 Mike McLean 2015-12-04 17:42:41 UTC 
It does appear to load the libs though.

$ strace psql -h DBHOST DBNAME KRB_USER 2>&1 |egrep -i 'krb|gss|kerb'
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
write(2, "psql: Kerberos 5 authentication "..., 46psql: Kerberos 5 authentication not supported
Comment 2 Pavel Raiskup 2015-12-04 18:08:13 UTC 
Mike, for the upgrade -- have you used 'postgresql-setup'?  That could mean
that you have new configuration (namely pg_hba.conf).  While the old
configuration is backed-up in '/var/lib/pgsql/data-old/pg_hba.conf.

Here is the f22 build log (--with-gssapi was used):
https://kojipkgs.fedoraproject.org//packages/postgresql/9.4.5/1.fc22/data/logs/x86_64/build.log
Comment 3 Tom Lane 2015-12-04 18:19:15 UTC 
This is an intentional upstream change, cf
http://www.postgresql.org/docs/9.4/static/release-9-4.html

  * Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)
    The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.

I take it you're trying to use 9.4+ psql with some older server version?  You should be able to switch the auth type in the server's pg_hba.conf from krb5 to gss without too much trouble.
Comment 4 Mike McLean 2015-12-04 21:42:27 UTC 
Yes, using psql to talk to an older server (8.2.14 looks like). However I do not control that server. Thanks for the info. I'll see what I can do.
Comment 5 Fedora End Of Life 2016-07-19 18:34:08 UTC 
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.