
Commit f7431bc

Explicitly require MIT Kerberos for GSSAPI
When building with GSSAPI support, explicitly require MIT Kerberos and check for gssapi_ext.h in configure.ac and meson.build. Also add documentation explicitly stating that we now require MIT Kerberos when building with GSSAPI support. Reviewed by: Johnathan Katz Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
1 parent 6633cfb commit f7431bc


7 files changed

+57
-15
lines changed


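--- a/configure
+++ b/configure
@@ -14104,6 +14104,33 @@ done
 
 fi
 
+done
+
+for ac_header in gssapi/gssapi_ext.h
+do :
+ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
+cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+for ac_header in gssapi_ext.h
+do :
+ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
+cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
+fi
+
+done
+
+fi
+
 done
 
 fi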

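--- a/configure.ac
+++ b/configure.ac
@@ -1562,6 +1562,8 @@ fi
 if test "$with_gssapi" = yes ; then
 AC_CHECK_HEADERS(gssapi/gssapi.h, [],
 [AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
+AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
+[AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
 fi
 
 PGAC_PATH_PROGS(OPENSSL, openssl)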
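Review bot: The new `AC_MSG_ERROR` text in the nested `AC_CHECK_HEADERS(gssapi_ext.h, ...)` only says the header is required, so someone building against a non-MIT GSSAPI implementation gets no hint that the implementation itself is what configure is rejecting. Since the commit's stated purpose is to require MIT Kerberos, the message should say so, e.g. `[AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI (MIT Kerberos is required)])]`. Header presence is only a proxy for the implementation, which is worth a one-line comment above the check. The seven files listed for this commit also do not include `pg_config.h.in`, so it is worth confirming whether the new `HAVE_GSSAPI_GSSAPI_EXT_H` / `HAVE_GSSAPI_EXT_H` symbols are meant to reach `pg_config.h`; nothing shown here consumes them yet.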

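--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1426,7 +1426,7 @@ omicron bryanh guest1
 The keytab file is generated using the Kerberos software; see the
 Kerberos documentation for details. The following example shows
 doing this using the <application>kadmin</application> tool of
-MIT-compatible Kerberos 5 implementations:
+MIT Kerberos:
 <screen>
 <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
 <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>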

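--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
 
 <listitem>
 <para>
-You need <application>Kerberos</application>, <productname>OpenLDAP</productname>,
-and/or <application>PAM</application>, if you want to support authentication
-using those services.
+You need <application>MIT Kerberos</application> (for GSSAPI),
+<productname>OpenLDAP</productname>, and/or <application>PAM</application>,
+if you want to support authentication using those services.
 </para>
 </listitem>
 
@@ -1048,9 +1048,9 @@ build-postgresql:
 <term><option>--with-gssapi</option></term>
 <listitem>
 <para>
-Build with support for GSSAPI authentication. On many systems, the
-GSSAPI system (usually a part of the Kerberos installation) is not
-installed in a location
+Build with support for GSSAPI authentication. MIT Kerberos is required
+to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+of the MIT Kerberos installation) is not installed in a location
 that is searched by default (e.g., <filename>/usr/include</filename>,
 <filename>/usr/lib</filename>), so you must use the options
 <option>--with-includes</option> and <option>--with-libraries</option> in
@@ -2497,10 +2497,11 @@ ninja install
 <term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
 <listitem>
 <para>
-Build with support for GSSAPI authentication. On many systems, the
-GSSAPI system (usually a part of the Kerberos installation) is not
-installed in a location that is searched by default (e.g.,
-<filename>/usr/include</filename>, <filename>/usr/lib</filename>). In
+Build with support for GSSAPI authentication. MIT Kerberos is required
+to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+of the MIT Kerberos installation) is not installed in a location
+that is searched by default (e.g., <filename>/usr/include</filename>,
+<filename>/usr/lib</filename>). In
 those cases, PostgreSQL will query <command>pkg-config</command> to
 detect the required compiler and linker options. Defaults to auto.
 <filename>meson configure</filename> will check for the required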

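--- a/meson.build
+++ b/meson.build
@@ -623,6 +623,16 @@ if not gssapiopt.disabled()
 have_gssapi = false
 endif
 
+if not have_gssapi
+elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false,
+args: test_c_args, include_directories: postgres_inc)
+cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1)
+elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt)
+cdata.set('HAVE_GSSAPI_EXT_H', 1)
+else
+have_gssapi = false
+endif
+
 if not have_gssapi
 elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
 args: test_c_args, include_directories: postgres_inc)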
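Review bot: The fallback `cc.check_header('gssapi_ext.h', ...)` omits `include_directories: postgres_inc`, which the preceding `gssapi/gssapi_ext.h` check passes, so a header reachable only through those include directories would be found under the `gssapi/` prefix but not under the bare name. Unless the omission is deliberate, the two calls should agree: `elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, include_directories: postgres_inc, required: gssapiopt)`. The `else` branch only sets `have_gssapi = false`, so with the option left at `auto` a system lacking this header produces a build without GSSAPI authentication or encryption rather than an error. A short comment above the block saying so, and that `-Dgssapi=enabled` turns the missing header into a hard failure, would help packagers who depend on GSSAPI.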

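--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
 gss_cred_id_t delegated_creds;
 
 /*
-* Use the configured keytab, if there is one. Unfortunately, Heimdal
-* doesn't support the cred store extensions, so use the env var.
+* Use the configured keytab, if there is one. As we now require MIT
+* Kerberos, we might consider using the credential store extensions in
+* the future instead of the environment variable.
 */
 if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
 {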
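Review bot: The reworded comment above the `pg_krb_server_keyfile` test says the credential store extensions "might" replace "the environment variable" without naming either, so the next reader cannot tell what is being set or why the alternative would be better. The body of the `if` lies outside this hunk, so this is inferred, but if it exports the keytab path through the process environment the comment should say that and give the reason: the environment is process-wide state, whereas a credential store handed to the acquire call scopes the keytab to that one credential. Something like `* XXX: the keytab is passed via the environment (process-wide); with MIT Kerberos now required, switch to gss_acquire_cred_from() with a "keytab" cred-store entry.` would do. The same comment is added in secure_open_gssapi() in src/backend/libpq/be-secure-gssapi.c and should get the same wording.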

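--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
 PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
 
 /*
-* Use the configured keytab, if there is one. Unfortunately, Heimdal
-* doesn't support the cred store extensions, so use the env var.
+* Use the configured keytab, if there is one. As we now require MIT
+* Kerberos, we might consider using the credential store extensions in the
+* future instead of the environment variable.
 */
 if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
 {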
