Earlier this year, there was a thread about GSSAPI for delegated
credentials and various operating systems ultimately that Heimdal had
atrophied enough that you were comfortable not supporting it anymore as
a GSSAPI library.
Thread:
https://www.postgresql.org/message-id/flat/ZDFTailRZzyGdbXl%40tamriel.snowman.net#7b4b7354bc3ea060fb26d51565f0ad67
In https://www.postgresql.org/message-id/3598083.1680976022%40sss.pgh.pa.us,
Tom Lane said:
> I share your feeling that we could probably blow off Apple's built-in
> GSSAPI. MacPorts offers both Heimdal and kerberos5, and I imagine
> Homebrew has at least one of them, so Mac people could easily get
> hold of newer implementations.
I wanted to follow up on the decision to blow off Apple's built-in
GSSAPI. Years back, for reasons I never found, Apple switched from MIT
to Heimdal and have been maintaining their own version of it. I'm not
clear how well they maintain it but they have enhanced it.
One of the things that Apple put it in was a different centralized
credentials cache system. (named of the form "API:uuid"). This isn't
in Heimdal nor is it in MIT, so typical kerberos tickets issued by the
Apple provide Kerberos libraries are not accessible via other kerberos
versions provided by homebrew/macports/etc. (netbsd pkgsrc on macos can
be told to use the system libraries, which is what I do). Installing a
parallel version makes the client experience awful since it means having
to manage two sets of tickets and ticket caches, and which one gets used
varies depending on what libraries they were linked against.
As you may have surmised, I use a mac as a client and use gssapi pretty
heavily to interact with numerous postgresql databases. This has stopped
me from upgrading my client side to 16. I'm wondering if there's be any
willingness to reconsider heimdal support under some circumstances?
thanks,
-Todd