Cleanups from the remove-native-krb5 patch

krb_srvname is actually not available anymore as a parameter server-side, since
with gssapi we accept all principals in our keytab. It's still used in libpq for
client side specification.

In passing remove declaration of krb_server_hostname, where all the functionality
was already removed.

Noted by Stephen Frost, though a different solution than his suggestion

doc/src/sgml/client-auth.sgml

@@ -923,17 +923,15 @@ omicron         bryanh                  guest1
     <productname>Kerberos</productname>, it uses a standard principal
     in the format
     <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
-    <replaceable>servicename</> can be set on the server side using the
+    The PostgreSQL server will accept any principal that is included in the keytab used by
-    <xref linkend="guc-krb-srvname"> configuration parameter, and on the
+    the server, but care needs to be taken to specify the correct principal details when
-    client side using the <literal>krbsrvname</> connection parameter. (See
+    making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
     also <xref linkend="libpq-paramkeywords">.) The installation default can be
     changed from the default <literal>postgres</literal> at build time using
     <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
     In most environments,
-    this parameter never needs to be changed. However, it is necessary
+    this parameter never needs to be changed.
-    when supporting multiple <productname>PostgreSQL</> installations
+    Some Kerberos implementations might require a different service name,
-    on the same host.
-    Some Kerberos implementations might also require a different service name,
     such as Microsoft Active Directory which requires the service name
     to be in upper case (<literal>POSTGRES</literal>).
    </para>
@@ -964,6 +962,9 @@ omicron         bryanh                  guest1
     parameter. The default is
     <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
     directory was specified as <varname>sysconfdir</> at build time).
+    For security reasons, it is recommended to use a separate keytab
+    just for the <productname>PostgreSQL</productname> server rather
+    than opening up permissions on the system keytab file.
    </para>
    <para>
     The keytab file is generated by the Kerberos software; see the

doc/src/sgml/config.sgml

@@ -1033,20 +1033,6 @@ include 'filename'
       </listitem>
      </varlistentry>
 
-     <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
-      <term><varname>krb_srvname</varname> (<type>string</type>)</term>
-      <indexterm>
-       <primary><varname>krb_srvname</> configuration parameter</primary>
-      </indexterm>
-      <listitem>
-       <para>
-        Sets the Kerberos service name. See <xref linkend="gssapi-auth">
-        for details. This parameter can only be set in the
-        <filename>postgresql.conf</> file or on the server command line.
-       </para>
-      </listitem>
-     </varlistentry>
-
      <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
       <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
       <indexterm>

src/backend/libpq/auth.c

@@ -129,7 +129,6 @@ static int	CheckCertAuth(Port *port);
  *----------------------------------------------------------------
  */
 char	   *pg_krb_server_keyfile;
-char	   *pg_krb_srvnam;
 bool		pg_krb_caseins_users;
 
 

src/backend/utils/misc/guc.c

@@ -85,9 +85,6 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
 
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME	"pg_hba.conf"
@@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
 		NULL, NULL, NULL
 	},
 
-	{
-		{"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
-			gettext_noop("Sets the name of the Kerberos service."),
-			NULL
-		},
-		&pg_krb_srvnam,
-		PG_KRB_SRVNAM,
-		NULL, NULL, NULL
-	},
-
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour service name."),

src/backend/utils/misc/postgresql.conf.sample

@@ -91,9 +91,8 @@
 #password_encryption = on
 #db_user_namespace = off
 
-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
 #krb_server_keyfile = ''
-#krb_srvname = 'postgres'		# (Kerberos only)
 #krb_caseins_users = off
 
 # - TCP Keepalives -

src/include/libpq/auth.h

@@ -17,9 +17,7 @@
 #include "libpq/libpq-be.h"
 
 extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
 extern char *pg_krb_realm;
 
 extern void ClientAuthentication(Port *port);

src/include/libpq/hba.h

@@ -75,7 +75,6 @@ typedef struct HbaLine
 	char	   *ldapprefix;
 	char	   *ldapsuffix;
 	bool		clientcert;
-	char	   *krb_server_hostname;
 	char	   *krb_realm;
 	bool		include_realm;
 	char	   *radiusserver;