Bug 1288607 - missing kerberos/gssapi support in psql
missing kerberos/gssapi support in psql
Status: CLOSED EOL
Product: Fedora
Classification: Fedora
Component: postgresql (Show other bugs)
22
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Pavel Raiskup
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2015-12-04 12:38 EST by Mike McLean
Modified: 2016-07-19 14:34 EDT (History)
7 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-07-19 14:34:08 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Mike McLean 2015-12-04 12:38:16 EST
Upgraded from F21 to F22 (yes, waited to last minute), and psql krb auth is broken.

postgresql-9.4.5-1.fc22.x86_64

% psql -h DBHOST DBNAME KRB_USER
psql: Kerberos 5 authentication not supported

Did we compile with gssapi support?
Comment 1 Mike McLean 2015-12-04 12:42:41 EST
It does appear to load the libs though.

$ strace psql -h DBHOST DBNAME KRB_USER 2>&1 |egrep -i 'krb|gss|kerb'
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
write(2, "psql: Kerberos 5 authentication "..., 46psql: Kerberos 5 authentication not supported
Comment 2 Pavel Raiskup 2015-12-04 13:08:13 EST
Mike, for the upgrade -- have you used 'postgresql-setup'?  That could mean
that you have new configuration (namely pg_hba.conf).  While the old
configuration is backed-up in '/var/lib/pgsql/data-old/pg_hba.conf.

Here is the f22 build log (--with-gssapi was used):
https://kojipkgs.fedoraproject.org//packages/postgresql/9.4.5/1.fc22/data/logs/x86_64/build.log
Comment 3 Tom Lane 2015-12-04 13:19:15 EST
This is an intentional upstream change, cf
http://www.postgresql.org/docs/9.4/static/release-9-4.html

  * Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)
    The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.

I take it you're trying to use 9.4+ psql with some older server version?  You should be able to switch the auth type in the server's pg_hba.conf from krb5 to gss without too much trouble.
Comment 4 Mike McLean 2015-12-04 16:42:27 EST
Yes, using psql to talk to an older server (8.2.14 looks like). However I do not control that server. Thanks for the info. I'll see what I can do.
Comment 5 Fedora End Of Life 2016-07-19 14:34:08 EDT
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.