Re: [PATCH v5] GSSAPI encryption support

From Michael Paquier
Subject Re: [PATCH v5] GSSAPI encryption support
Msg-id CAB7nPqTn65qwpePPUjf=V8wgW3+Dqx8Ck+JrPDN0Djbr9S2MUA@mail.gmail.com
In response to Re: [PATCH v5] GSSAPI encryption support  (Robbie Harwood <rharwood@redhat.com>)
Responses Re: [PATCH v5] GSSAPI encryption support  (David Steele <david@pgmasters.net>)
List pgsql-hackers
On Wed, Feb 24, 2016 at 7:12 PM, Robbie Harwood <rharwood@redhat.com> wrote:
> David Steele <david@pgmasters.net> writes:
>
>> On 2/15/16 12:45 PM, Robbie Harwood wrote:
>>> David Steele <david@pgmasters.net> writes:
>>>
>>>> 1) It didn't apply cleanly to HEAD.  It did apply cleanly on a455878
>>>> which I figured was recent enough for testing.  I didn't bisect to find
>>>> the exact commit that broke it.
>>>
>>> It applied to head of master (57c932475504d63d8f8a68fc6925d7decabc378a)
>>> for me (`patch -p1 < v4-GSSAPI-encryption-support.patch`).  I rebased it
>>> anyway and cut a v5 anyway, just to be sure.  It's attached, and
>>> available on github as well:
>>> https://github.com/frozencemetery/postgres/commit/dc10e3519f0f6c67f79abd157dc8ff1a1c293f53
>>
>> It could have been my mistake.  I'll give it another try when you have a
>> new patch.
>
> Please do let me know how v5 goes.  If you run into trouble, in addition
> to the logs you helpfully provided before, I'd like a traffic dump (pcap
> preferable; I need tcp/udp port 88 for Kerberos and tcp port 5432 or
> whatever you're running postgres on) if possible.  Thanks!
>
>>>> 2) While I was able to apply the patch and get it compiled it seemed
>>>> pretty flaky - I was only able to logon about 1 in 10 times on average.
>>>>  Here was my testing methodology:
>>>
>>> What I can't tell from looking at your methodology is whether both the
>>> client and server were running my patches or no.  There's no fallback
>>> here (I'd like to talk about how that should work, with example from
>>> v1-v3, if people have ideas).  This means that both the client and the
>>> server need to be running my patches for the moment.  Is this your
>>> setup?
>>
>> I was testing on a system with no version of PostgreSQL installed.  I
>> applied your patch to master and then ran both server and client from
>> that patched version.  Is there something I'm missing?
>
> Not that I can immediately see.  As long as the client and server are
> both patched, everything should work.  My process is the same as with
> previous versions of this patchset [0], and though I'm using FreeIPA
> there is no reason it shouldn't work with any other KDC (MIT, for
> instance[1]) provided the IPA calls are converted.

I used a custom krb5kdc set up manually, and all my connection
attempts are working on HEAD, not with your patch (both client and
server patched).

> I am curious, though - I haven't changed any of the authentication code
> in v4/v5 from what's in ~master, so how often can you log in using
> GSSAPI using master?

My guess is that there is something not being correctly cleaned up when
closing the connection. The first attempt worked for me, not after.
-- 
Michael


