Cleanups from the remove-native-krb5 patch

krb_srvname is actually not available anymore as a parameter server-side, since
with gssapi we accept all principals in our keytab. It's still used in libpq for
client side specification.

In passing remove declaration of krb_server_hostname, where all the functionality
was already removed.

Noted by Stephen Frost, though a different solution than his suggestion

diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 9b26d0106166c33bec731fc17fc5fbec88b0ae55..bf71ea6b882e9f3b18c1f9478c57fd8faef779d6 100644 (file)
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -923,17 +923,15 @@ omicron         bryanh                  guest1
     Kerberos, it uses a standard principal
     in the format
     servicename/hostname@realm.
-    servicename can be set on the server side using the
-     configuration parameter, and on the
-    client side using the krbsrvname connection parameter. (See
+    The PostgreSQL server will accept any principal that is included in the keytab used by
+    the server, but care needs to be taken to specify the correct principal details when
+    making the connection from the client using the krbsrvname connection parameter. (See
     also .) The installation default can be
     changed from the default postgres at build time using
     ./configure --with-krb-srvnam=whatever.
     In most environments,
-    this parameter never needs to be changed. However, it is necessary
-    when supporting multiple PostgreSQL installations
-    on the same host.
-    Some Kerberos implementations might also require a different service name,
+    this parameter never needs to be changed.
+    Some Kerberos implementations might require a different service name,
     such as Microsoft Active Directory which requires the service name
     to be in upper case (POSTGRES).
    
@@ -964,6 +962,9 @@ omicron         bryanh                  guest1
     parameter. The default is
     /usr/local/pgsql/etc/krb5.keytab (or whatever
     directory was specified as sysconfdir at build time).
+    For security reasons, it is recommended to use a separate keytab
+    just for the PostgreSQL server rather
+    than opening up permissions on the system keytab file.
    
    
     The keytab file is generated by the Kerberos software; see the

diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 2811f1148ca0c5a2e136719174799c12a1f436f7..4eff91ebdcde137729d5b0155fc0194e17cffdfc 100644 (file)
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1033,20 +1033,6 @@ include 'filename'
       
      
 
-     
-      krb_srvname (string)
-      
-       krb_srvname configuration parameter
-      
-      
-       
-        Sets the Kerberos service name. See 
-        for details. This parameter can only be set in the
-        postgresql.conf file or on the server command line.
-       
-      
-     
-
      
       krb_caseins_users (boolean)
       

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index f03aa7edc22447571e0408f9d4f1a60de693668a..2a46f7b9130ba29af7968b358cbd405ed97f815f 100644 (file)
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -129,7 +129,6 @@ static int  CheckCertAuth(Port *port);
  *----------------------------------------------------------------
  */
 char      *pg_krb_server_keyfile;
-char      *pg_krb_srvnam;
 bool       pg_krb_caseins_users;
 
 

diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c76edb48a9bb0ce4636ca0c701cb746f305f5643..7d7d1dc263f4b5405af6395fe8af90a78f236a55 100644 (file)
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -85,9 +85,6 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
 
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME   "pg_hba.conf"
@@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
        NULL, NULL, NULL
    },
 
-   {
-       {"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
-           gettext_noop("Sets the name of the Kerberos service."),
-           NULL
-       },
-       &pg_krb_srvnam,
-       PG_KRB_SRVNAM,
-       NULL, NULL, NULL
-   },
-
    {
        {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
            gettext_noop("Sets the Bonjour service name."),

diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 3629a52c9fe43682852a8e88536f4406c765379d..70e5a5111ec08b23c00955f1408337660a7ba63f 100644 (file)
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -91,9 +91,8 @@
 #password_encryption = on
 #db_user_namespace = off
 
-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
 #krb_server_keyfile = ''
-#krb_srvname = 'postgres'      # (Kerberos only)
 #krb_caseins_users = off
 
 # - TCP Keepalives -

diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 5ae8114e8b915f11d6282570e34a482c03ff62a3..ace647a7ff1ff7efce886bd9bab28f134cd10ccd 100644 (file)
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -17,9 +17,7 @@
 #include "libpq/libpq-be.h"
 
 extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
 extern char *pg_krb_realm;
 
 extern void ClientAuthentication(Port *port);

diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5a103aed195d9188504cb0cae3b0505de9acb1aa..68a953aa628a4534d64c2b4bdb15acb4bc93b701 100644 (file)
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -75,7 +75,6 @@ typedef struct HbaLine
    char       *ldapprefix;
    char       *ldapsuffix;
    bool        clientcert;
-   char       *krb_server_hostname;
    char       *krb_realm;
    bool        include_realm;
    char       *radiusserver;