Re: Ident authentication fails due to bind error on server (8.4.8)

On Fri, 17 Jun 2011 19:51:59 +0200, Tom Lane <tgl@sss.pgh.pa.us> wrote:

> I looked at the glibc source code for getaddrinfo, and it looks like
> they do reliably set sin_port to zero when no service argument is
> provided, despite the above documentation statement.  So that's why it
> works for me.  But still, if you're on a non-Linux platform it seems
> possible that this is the mechanism for what's biting you.

Both client and server are Linux systems here and sin_port is 0 also
according to debug output I added. I cannot reproduce the problem reliably
(the users are much better testers it seems), so I'm a bit stuck with my
best guess being TIME_WAIT issues, perhaps FIN packets getting lost. I've
set

sysctl -w net.ipv4.tcp_tw_reuse=1

now and will post again if there is any change.

> (BTW, is it really sane to be using ident auth over a "high latency
> connection"?  That would certainly suggest to me that you could be
> getting connections from untrustworthy machines ...)

Both endpoints are properly firewalled (the sane sysadmins say so) and for
this particular connection only one client IP address is allowed by
pg_hba.conf, the reason why we also use ident authentication is to allow
only a few select uid's on the client host to connect to certain DSNs.

Thanks for all the helpful info!

Regards,
  Marinos