Re: [PATCH v5] GSSAPI encryption support
От | Michael Paquier |
---|---|
Тема | Re: [PATCH v5] GSSAPI encryption support |
Дата | |
Msg-id | CAB7nPqTn65qwpePPUjf=V8wgW3+Dqx8Ck+JrPDN0Djbr9S2MUA@mail.gmail.com обсуждение исходный текст |
Ответ на | Re: [PATCH v5] GSSAPI encryption support (Robbie Harwood <rharwood@redhat.com>) |
Ответы |
Re: [PATCH v5] GSSAPI encryption support
(David Steele <david@pgmasters.net>)
|
Список | pgsql-hackers |
On Wed, Feb 24, 2016 at 7:12 PM, Robbie Harwood <rharwood@redhat.com> wrote: > David Steele <david@pgmasters.net> writes: > >> On 2/15/16 12:45 PM, Robbie Harwood wrote: >>> David Steele <david@pgmasters.net> writes: >>> >>>> 1) It didn't apply cleanly to HEAD. It did apply cleanly on a455878 >>>> which I figured was recent enough for testing. I didn't bisect to find >>>> the exact commit that broke it. >>> >>> It applied to head of master (57c932475504d63d8f8a68fc6925d7decabc378a) >>> for me (`patch -p1 < v4-GSSAPI-encryption-support.patch`). I rebased it >>> anyway and cut a v5 anyway, just to be sure. It's attached, and >>> available on github as well: >>> https://github.com/frozencemetery/postgres/commit/dc10e3519f0f6c67f79abd157dc8ff1a1c293f53 >> >> It could have been my mistake. I'll give it another try when you have a >> new patch. > > Please do let me know how v5 goes. If you run into trouble, in addition > to the logs you helpfully provided before, I'd like a traffic dump (pcap > preferable; I need tcp/udp port 88 for Kerberos and tcp port 5432 or > whatever you're running postgres on) if possible. Thanks! > >>>> 2) While I was able to apply the patch and get it compiled it seemed >>>> pretty flaky - I was only able to logon about 1 in 10 times on average. >>>> Here was my testing methodology: >>> >>> What I can't tell from looking at your methodology is whether both the >>> client and server were running my patches or no. There's no fallback >>> here (I'd like to talk about how that should work, with example from >>> v1-v3, if people have ideas). This means that both the client and the >>> server need to be running my patches for the moment. Is this your >>> setup? >> >> I was testing on a system with no version of PostgreSQL installed. I >> applied your patch to master and then ran both server and client from >> that patched version. Is there something I'm missing? > > Not that I can immediately see. As long as the client and server are > both patched, everything should work. My process is the same as with > previous versions of this patchset [0], and though I'm using FreeIPA > there is no reason it shouldn't work with any other KDC (MIT, for > instance[1]) provided the IPA calls are converted. I used a custom krb5kdc set up manually, and all my connection attempts are working on HEAD, not with your patch (both client and server patched). > I am curious, though - I haven't changed any of the authentication code > in v4/v5 from what's in ~master, so how often can you log in using > GSSAPI using master? My guess is that there is something not been correctly cleaned up when closing the connection. The first attempt worked for me, not after. -- Michael
В списке pgsql-hackers по дате отправления:
Следующее
От: Robert HaasДата:
Сообщение: Re: RFC: replace pg_stat_activity.waiting with something more descriptive