Re: [HACKERS] Testing, Hello?

At 4:18 PM -0800 11/25/98, Tom Lane wrote:
>"Henry B. Hotz" <hotz@jpl.nasa.gov> writes:
>> I'm still testing, but basically it looks like if you have kerberos 4 then
>> you need to disable use of the system crypt routines.  This *should* be
>> handled in the configure stuff.
>
>That's fairly unpleasant, since it's not out of the question that a
>given site might need to support both auth methods to cope with varying
>clients.

Yeah.  I note that if you use the Solaris built-in kerberos support the
conflict should not exist.  For Postgres this problem is specific to the
KTH kerberos implementation I think, but it also exists with SSL.  I have
no information about MIT kerberos IV or V.

>> The function des_encrypt exists in both the KTH kerberos and the system
>> crypt libraries with different arguments.
>
>Not everywhere --- there's no such routine in my crypt library, for
>instance.  I would not like to see kerberos + crypt disabled everywhere
>because it does not work on your machine.

This is Solaris 2.5, presumably 2.6 and 7 have the same problem.

>Ideally we'd need an autoconf test to discover whether kerberos and
>crypt libraries are compatible on a given machine, and an autoconf
>--with switch to allow the user to decide which one to include if
>they're not.  Do you have any ideas about a simple way to check whether
>this problem exists on a given platform?

If you include <crypt.h> and <krb.h> from the system and
/usr/athena/include respectively then you get a compile error.

My problem may actually be a bit obscure.  I'm using the KTH implementation
of kerberos IV because I want to be able to use the JPL AFS kerberos
server.  (AFS kerberos is an incompatable variant of MIT kerberos IV for
those who don't know.  Solaris and NetBSD come with MIT kerberos IV support
built-in.  MIT kerberos V can support both kerberos IV variants, but
Postgres is a client.)

I will put in a plug for autoconf support for kerberos in any case.  We
need a --with-kerberos[={4,5}] option and --with-kerberos-include=..,
--with-kerberos-lib=.., and --with-kerberos-srvtab=.. options.

The administrator guide says support for kerberos IV will disappear when 5
is released.  I think there should be a fairly long delay in that.  Many
people will need to use kerberos IV in order to use an institutional
capability, like AFS accounting.  Many people should prefer to use the
built-in capabilities of their OS and all current bundled kerberos support
is at version IV.  This will take a *long* time.

Finally let me put in a big public thank-you to Tom Ivar Helbekkmo for
patiently explaining many things that I should have understood from the
documentation.

Signature failed Preliminary Design Review.
Feasibility of a new signature is currently being evaluated.
h.b.hotz@jpl.nasa.gov, or hbhotz@oxy.edu