Red Hat Bugzilla – Bug 1288607
missing kerberos/gssapi support in psql
Last modified: 2016-07-19 14:34:08 EDT
Upgraded from F21 to F22 (yes, waited to last minute), and psql krb auth is broken.
% psql -h DBHOST DBNAME KRB_USER
psql: Kerberos 5 authentication not supported
Did we compile with gssapi support?
It does appear to load the libs though.
$ strace psql -h DBHOST DBNAME KRB_USER 2>&1 |egrep -i 'krb|gss|kerb'
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 3
write(2, "psql: Kerberos 5 authentication "..., 46psql: Kerberos 5 authentication not supported
Mike, for the upgrade -- have you used 'postgresql-setup'? That could mean
that you have new configuration (namely pg_hba.conf). While the old
configuration is backed-up in '/var/lib/pgsql/data-old/pg_hba.conf.
Here is the f22 build log (--with-gssapi was used):
This is an intentional upstream change, cf
* Remove native support for Kerberos authentication (--with-krb5, etc) (Magnus Hagander)
The supported way to use Kerberos authentication is with GSSAPI. The native code has been deprecated since PostgreSQL 8.3.
I take it you're trying to use 9.4+ psql with some older server version? You should be able to switch the auth type in the server's pg_hba.conf from krb5 to gss without too much trouble.
Yes, using psql to talk to an older server (8.2.14 looks like). However I do not control that server. Thanks for the info. I'll see what I can do.
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.
If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
Thank you for reporting this bug and we are sorry it could not be fixed.