Explicitly require MIT Kerberos for GSSAPI

WHen building with GSSAPI support, explicitly require MIT Kerberos and check for gssapi_ext.h in configure.ac and meson.build. Also add documentation explicitly stating that we now require MIT Kerberos when building with GSSAPI support. Reveiwed by: Johnathan Katz Discussion: https://postgr.es/m/abcc73d0-acf7-6896-e0dc-f5bc12a61bb1@postgresql.org
2025-09-02 04:21:28 +03:00 · 2023-04-13 08:55:13 -04:00
parent 6633cfb216
commit f7431bca8b
7 changed files with 57 additions and 15 deletions
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1426,7 +1426,7 @@ omicron         bryanh                  guest1
    The keytab file is generated using the Kerberos software; see the
    Kerberos documentation for details. The following example shows
    doing this using the <application>kadmin</application> tool of
-    MIT-compatible Kerberos 5 implementations:
+    MIT Kerberos:
 <screen>
 <prompt>kadmin% </prompt><userinput>addprinc -randkey postgres/server.my.domain.org</userinput>
 <prompt>kadmin% </prompt><userinput>ktadd -k krb5.keytab postgres/server.my.domain.org</userinput>
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,9 +252,9 @@ documentation.  See standalone-profile.xsl for details.

    <listitem>
     <para>
-      You need <application>Kerberos</application>, <productname>OpenLDAP</productname>,
-      and/or <application>PAM</application>, if you want to support authentication
-      using those services.
+      You need <application>MIT Kerberos</application> (for GSSAPI),
+      <productname>OpenLDAP</productname>, and/or <application>PAM</application>,
+      if you want to support authentication using those services.
     </para>
    </listitem>

@@ -1048,9 +1048,9 @@ build-postgresql:
       <term><option>--with-gssapi</option></term>
       <listitem>
        <para>
-         Build with support for GSSAPI authentication. On many systems, the
-         GSSAPI system (usually a part of the Kerberos installation) is not
-         installed in a location
+         Build with support for GSSAPI authentication. MIT Kerberos is required
+         to be installed for GSSAPI.  On many systems, the GSSAPI system (a part
+         of the MIT Kerberos installation) is not installed in a location
         that is searched by default (e.g., <filename>/usr/include</filename>,
         <filename>/usr/lib</filename>), so you must use the options
         <option>--with-includes</option> and <option>--with-libraries</option> in
@@ -2497,10 +2497,11 @@ ninja install
      <term><option>-Dgssapi={ auto | enabled | disabled }</option></term>
      <listitem>
       <para>
-        Build with support for GSSAPI authentication. On many systems, the
-        GSSAPI system (usually a part of the Kerberos installation) is not
-        installed in a location that is searched by default (e.g.,
-        <filename>/usr/include</filename>, <filename>/usr/lib</filename>).  In
+        Build with support for GSSAPI authentication. MIT Kerberos is required
+        to be installed for GSSAPI.  On many systems, the GSSAPI system (a part
+        of the MIT Kerberos installation) is not installed in a location
+        that is searched by default (e.g., <filename>/usr/include</filename>,
+        <filename>/usr/lib</filename>).  In
        those cases, PostgreSQL will query <command>pkg-config</command> to
        detect the required compiler and linker options.  Defaults to auto.
        <filename>meson configure</filename> will check for the required