diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 93040bd31d1..c209dd39e9d 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
@@ -969,24 +969,44 @@ SET ENABLE_SEQSCAN TO OFF; Sets the Kerberos service name. See - for details. This parameter can only be set at server start. + for details. This parameter can only be set at server start. - - krb_caseins_users (boolean) - - krb_caseins_users configuration parameter + + krb_caseins_users (boolean) + + krb_caseins_users configuration parameter - - - Sets if Kerberos usernames should be treated case-insensitive. - The default is off (case sensitive). This parameter can only be - set at server start. + + + Sets if Kerberos usernames should be treated case-insensitive. + The default is off (case sensitive). This parameter can only be + set at server start. - - + + + + + krb_server_hostname (string) + + krb_server_hostname configuration parameter + + + + Sets the hostname part of the service principal. + This, combined with krb_srvname, is used to generate + the complete service principal, i.e. + krb_server_hostname/krb_server_hostname@REALM. + + + If not set, the default is to allow any service principal matching an entry + in the keytab. See for details. + This parameter can only be set at server start. + + + db_user_namespace (boolean)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 7970f817561..a50227068ba 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $ * *------------------------------------------------------------------------- */
@@ -43,6 +43,7 @@ static int recv_and_check_password_packet(Port *port); char *pg_krb_server_keyfile; char *pg_krb_srvnam; bool pg_krb_caseins_users; +char *pg_krb_server_hostname = NULL; #ifdef USE_PAM #ifdef HAVE_PAM_PAM_APPL_H
@@ -221,20 +222,25 @@ pg_krb5_init(void) return STATUS_ERROR; } - retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam, - KRB5_NT_SRV_HST, &pg_krb5_server); - if (retval) + if (pg_krb_server_hostname) { - ereport(LOG, - (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d", - pg_krb_srvnam, retval))); - com_err("postgres", retval, - "while getting server principal for service \"%s\"", - pg_krb_srvnam); - krb5_kt_close(pg_krb5_context, pg_krb5_keytab); - krb5_free_context(pg_krb5_context); - return STATUS_ERROR; - } + retval = krb5_sname_to_principal(pg_krb5_context, + pg_krb_server_hostname, pg_krb_srvnam, + KRB5_NT_SRV_HST, &pg_krb5_server); + if (retval) + { + ereport(LOG, + (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d", + pg_krb_srvnam, retval))); + com_err("postgres", retval, + "while getting server principal for service \"%s\"", + pg_krb_srvnam); + krb5_kt_close(pg_krb5_context, pg_krb5_keytab); + krb5_free_context(pg_krb5_context); + return STATUS_ERROR; + } + } else + pg_krb5_server = NULL; pg_krb5_initialised = 1; return STATUS_OK;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 3d57509548f..073aae2a235 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@ * Written by Peter Eisentraut . * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.265 2005/06/14 17:43:13 momjian Exp $ * *-------------------------------------------------------------------- */
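Review bot: In the pg_krb5_init hunk of src/backend/libpq/auth.c, the new `else pg_krb5_server = NULL;` branch makes an unset krb_server_hostname the widest setting: per the runtime.sgml text in this same commit, any service principal with an entry in the keytab is then accepted, where the removed code always built a single principal from the service name. That default deserves a comment at the branch, e.g. `/* no hostname configured: leave the principal unset so any matching keytab entry is accepted; use a keytab dedicated to this server */`, since a keytab shared with other services would presumably widen what the server accepts (the consumer of pg_krb5_server is outside the hunk). The failure message still prints only pg_krb_srvnam, so a wrong hostname is hard to diagnose from the log; `(errmsg("Kerberos sname_to_principal(\"%s\", \"%s\") returned error %d", pg_krb_server_hostname, pg_krb_srvnam, retval)));` would show both inputs. Whether an empty-string setting reaches this test as a non-NULL pointer cannot be seen from here and is worth checking. pg_krb5_init starts and ends outside the hunk.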
@@ -1593,6 +1593,15 @@ static struct config_string ConfigureNamesString[] = PG_KRB_SRVNAM, NULL, NULL }, + { + {"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY, + gettext_noop("Sets the hostname of the Kerberos server."), + NULL + }, + &pg_krb_server_hostname, + NULL, NULL, NULL + }, + { {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS, gettext_noop("Sets the Bonjour broadcast service name."),
diff --git a/src/bin/psql/tab-complete.c b/src/bin/psql/tab-complete.c
index 3d1ce4ca122..2b215d97286 100644
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -3,7 +3,7 @@ * * Copyright (c) 2000-2005, PostgreSQL Global Development Group * - * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.130 2005/05/25 22:12:05 momjian Exp $ + * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.131 2005/06/14 17:43:14 momjian Exp $ */ /*----------------------------------------------------------------------
@@ -559,7 +559,6 @@ psql_completion(char *text, int start, int end) "geqo_selection_bias", "geqo_threshold", "join_collapse_limit", - "krb_server_keyfile", "lc_messages", "lc_monetary", "lc_numeric",
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index b8fd25eb64f..94b0976e113 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@ * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group * Portions Copyright (c) 1994, Regents of the University of California * - * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $ + * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $ * *------------------------------------------------------------------------- */
@@ -29,5 +29,6 @@ extern void ClientAuthentication(Port *port); extern char *pg_krb_server_keyfile; extern char *pg_krb_srvnam; extern bool pg_krb_caseins_users; +extern char *pg_krb_server_hostname; #endif /* AUTH_H */
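Review bot: In the ConfigureNamesString hunk of src/backend/utils/misc/guc.c, the description `"Sets the hostname of the Kerberos server."` reads as if the setting named the KDC, while auth.c in this commit passes the value to krb5_sname_to_principal as the host part of this server's own service principal. `gettext_noop("Sets the hostname part of the Kerberos service principal."),` would match the wording used in runtime.sgml and keep an administrator from pointing it at the wrong machine. The runtime.sgml text in the same commit gives the principal as `krb_server_hostname/krb_server_hostname@REALM`; the first component is presumably meant to be krb_srvname. The array definition continues outside the hunk.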