Re: Kerberos test suite
From | Noah Misch |
---|---|
Subject | Re: Kerberos test suite |
Date | |
Msg-id | 20180801050903.GA1392916@rfd.leadboat.com |
In reply to | Re: Kerberos test suite (Peter Eisentraut <peter.eisentraut@2ndquadrant.com>) |
List | pgsql-hackers |
On Tue, Mar 06, 2018 at 10:58:54AM -0500, Peter Eisentraut wrote:
> On 3/5/18 16:34, Thomas Munro wrote:
> > On Tue, Mar 6, 2018 at 8:45 AM, Peter Eisentraut
> > <peter.eisentraut@2ndquadrant.com> wrote:
> >> New patch attached.
> >
> > Passes here. LGTM.
>
> committed

This fails on my machine, where /etc/hosts has:

    127.0.0.1 localhost.localdomain localhost
    ::1 localhost6.localdomain6 localhost6

This is CentOS 7, but I may have written that myself. First failure:

    psql: FATAL: no pg_hba.conf entry for host "127.0.0.1", user "test1", database "postgres", SSL off
    not ok 3 - succeeds with mapping

Bypassing that, by recognizing localhost.localdomain in pg_hba.conf, unearths:

    psql: GSSAPI continuation error: Unspecified GSS failure. Minor code may provide more information
    GSSAPI continuation error: Server krbtgt/LOCALDOMAIN@EXAMPLE.COM not found in Kerberos database
    not ok 3 - succeeds with mapping

On the client side, Kerberos is canonicalizing "localhost" to "localhost.localdomain" as part of constructing the service principal. "$service_principal = "$ENV{with_krb_srvnam}/localhost.localdomain" was a quick workaround.

For the long-term fix, let's use hostaddr= and a fictitious host=, as attached. This makes us independent of local name resolution and IPv6 configuration, and it's more like how PostgresNode operates on systems that use TCP instead of unix_socket_directories (Windows). I considered adding dns_canonicalize_hostname to $krb5_config, but that is new as of krb5-1.12 and does not help the pg_hba.conf side of the problem.
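The two name-resolution effects described in the message above, modeled as an added example (not part of the original message or of the PostgreSQL test suite): it derives the service name a canonicalizing client requests from a hosts file, and checks whether a host-name entry in pg_hba.conf would match the client address. The service name `postgres`, the fictitious host `pg-krb-test.example.com`, and the simplification that only the hosts file is consulted are assumptions.

```python
# Added example, not code from the PostgreSQL test suite.
# Constructed sample: the two /etc/hosts lines quoted in the message.
HOSTS_SAMPLE = """\
127.0.0.1   localhost.localdomain localhost
::1         localhost6.localdomain6 localhost6
"""


def parse_hosts(text):
    """Return (forward, reverse): name -> canonical name, address -> canonical name."""
    forward, reverse = {}, {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        addr, canonical = fields[0], fields[1].lower()
        reverse.setdefault(addr, canonical)  # first matching line wins
        for name in fields[1:]:
            forward.setdefault(name.lower(), canonical)
    return forward, reverse


def requested_service(srvname, host, hosts_text):
    """Host-based service name a canonicalizing client asks the KDC for.

    Assumption: only the hosts file is consulted, and a name that does not
    resolve is used unchanged.
    """
    forward, _ = parse_hosts(hosts_text)
    host = host.lower()
    return f"{srvname}/{forward.get(host, host)}"


def hba_hostname_matches(hba_host, client_addr, hosts_text):
    """Model a pg_hba.conf host-name entry: the reverse lookup of the client
    address must yield the configured name."""
    _, reverse = parse_hosts(hosts_text)
    return reverse.get(client_addr) == hba_host.lower()


def diagnose(srvname, host, registered_service, hosts_text=HOSTS_SAMPLE):
    """Return (requested, ok); ok means the KDC knows the requested service."""
    requested = requested_service(srvname, host, hosts_text)
    return requested, requested == registered_service


if __name__ == "__main__":
    # "postgres" and the fictitious host name are assumptions for illustration.
    print(diagnose("postgres", "localhost", "postgres/localhost"))
    print(diagnose("postgres", "pg-krb-test.example.com",
                   "postgres/pg-krb-test.example.com"))
    print(hba_hostname_matches("localhost", "127.0.0.1", HOSTS_SAMPLE))
```

With the sample hosts file, `host=localhost` yields a request for `postgres/localhost.localdomain`, while a host name that appears in no resolver source passes through unchanged, which is what pairing a fictitious `host=` with `hostaddr=` relies on.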