Description of problem: The default permissions on /etc/sysconfig/pgsql prevent krb5 authentication from working. Version-Release number of selected component (if applicable): 7.3.4-3.rhl9 How reproducible: Always. Steps to Reproduce: 1. Configure a user to require "krb5" authentication in pg_hba.conf 2. Extract the database key into a keytab in the default location (/etc/sysconfig/pgsql/krb5.keytab). 3. Make the keytab readable by postgresql (chgrp postgres /etc/sysconfig/pgsql/krb5.keytab; chmod g+r /etc/sysconfig/pgsql/krb5.keytab). 4. Restart postgresql just in case. 5. Attempt to connect as the user (psql -h hostname -l). Actual results: User will get a "Kerberos 5 authentication failed" error, and the server will log an error 13 (EACCES) in /var/log/messages. Expected results: Authentication should succeed, user does the dance of joy. Additional info: A workaround is to make /etc/sysconfig/pgsql 0750, group postgres, but I don't know of any other implications to making this change.
More than that: Postgres also expects pg_service.conf to be in the --sysconfdir directory, so we'd have to make the directory world-readable if we want to use it as --sysconfdir. I cannot see any good reason offhand why it's not world-readable; other subdirectories of /etc/sysconfig are.
A fix slated for RHEL3 Update 2 is now in QA.
A (slightly different) fix is also in Postgres 7.4.2 RPMs btw, both Fedora Core 2 and the PGDG RPM sets.
An errata has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2004-116.html