Kerberos authentication, Active Directory, and PostgreSQL
From | Turner, Ian |
---|---|
Subject | Kerberos authentication, Active Directory, and PostgreSQL |
Date | |
Msg-id | 28A4DB436106924BADF219EA31CE80AEF4BAB0@mailnyc2.nyc.deshaw.com |
Responses | Re: Kerberos authentication, Active Directory, and PostgreSQL; Re: Kerberos authentication, Active Directory, and PostgreSQL |
List | pgsql-bugs |
Hello pgsql-bugs,

While trying to connect our PostgreSQL database to our Kerberos realm, we encountered the obscure message "Invalid message length". Tracking this down, we discovered that it was emitted by src/backend/libpq/pqcomm.c in response to a rather large Kerberos message. The root cause is as follows, and a patch is below.

The code in src/backend/libpq/auth.c contains a hard-coded limit on the size of GSS messages, and in particular on the message containing the client's Kerberos ticket for the postgres server. The limit was 2,000 bytes, which is normally adequate for tickets based on TGTs issued by Unix KDCs. However, TGTs issued by Windows domain controllers contain an authorization field known as the PAC (privilege attribute certificate), which contains the user's Windows permissions (group memberships etc.). The PAC is copied into all tickets obtained on the basis of this TGT (even those issued by Unix realms which the Windows realm trusts), and can be several K in size. Thus, GSS authentication was failing with an "invalid message length" error. We simply upped the limit to 32k, which ought to be sufficient.

The patch is quite brief:

```diff
--- postgresql-8.4-8.4.1/src/backend/libpq/auth.c       2009-06-25 12:30:08.000000000 +0100
+++ postgresql-8.4-8.4.1-fixed/src/backend/libpq/auth.c 2009-09-15 20:27:01.000000000 +0100
@@ -166,6 +166,8 @@
 #endif
 static int     pg_GSS_recvauth(Port *port);
+
+#define GSS_MAX_TOKEN_LENGTH (32767)
 #endif   /* ENABLE_GSS */
@@ -937,7 +939,7 @@
                /* Get the actual GSS token */
                initStringInfo(&buf);
-               if (pq_getmessage(&buf, 2000))
+               if (pq_getmessage(&buf, GSS_MAX_TOKEN_LENGTH))
                {
                        /* EOF - pq_getmessage already logged error */
                        pfree(buf.data);
```

Please let me know if anything additional is required in order to get this fix into the next release.

Best regards,

--Ian Turner
Sr. UNIX Systems Engineer
D. E. Shaw & Co.
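Review bot: in the first hunk the new `GSS_MAX_TOKEN_LENGTH` is defined inside the `#ifdef ENABLE_GSS` block, immediately before `#endif   /* ENABLE_GSS */`, so it exists only when GSS support is compiled in; if the same cap is meant to apply to any other token-receiving path in auth.c, define it outside that guard. The value 32767 also carries no explanation in the code, so a one-line comment next to the `#define` noting that Windows-issued tickets carry a PAC and routinely exceed 2000 bytes would tell the next reader why the old limit was too small.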
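Review bot: in the second hunk the only behavioural change is the bound passed to `pq_getmessage(&buf, ...)`, so an over-long token is still refused and logged as before and an unauthenticated client can still make the server buffer at most the cap; that bounded allocation is what makes going from 2000 to 32767 safe, and the commit message should say so. The existing comment `/* EOF - pq_getmessage already logged error */` stays accurate, but the logged text does not say which limit was hit, so consider mentioning the token cap in a comment at the call site so the next "invalid message length" report against GSS is quicker to diagnose.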
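To make the failure mode concrete, here is an added example (mine, not code from the report or from PostgreSQL) that models a bounded length-prefixed read in the spirit of `pq_getmessage` and pushes constructed token sizes through the old 2000-byte cap and the proposed 32767-byte one; `bounded_getmessage` and `check_token_size` are hypothetical names and the token bytes are filler.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define OLD_GSS_TOKEN_LIMIT  2000   /* the old hard-coded cap from the report */
#define GSS_MAX_TOKEN_LENGTH 32767  /* the cap the patch proposes */

enum recv_status { RECV_OK = 0, RECV_INVALID_LENGTH = -1, RECV_SHORT = -2 };

/* Model of the backend's bounded read (hypothetical, not PostgreSQL's code):
 * a 4-byte big-endian length that counts itself, then the body. A length
 * above maxlen is refused before any body bytes are consumed; that is the
 * "invalid message length" path a PAC-laden ticket hit. */
enum recv_status bounded_getmessage(const unsigned char *wire, size_t wirelen,
                                    size_t maxlen, const unsigned char **body,
                                    size_t *bodylen)
{
    uint32_t len;
    if (wirelen < 4)
        return RECV_SHORT;
    len = ((uint32_t)wire[0] << 24) | ((uint32_t)wire[1] << 16) |
          ((uint32_t)wire[2] << 8) | (uint32_t)wire[3];
    if (len < 4 || len > maxlen)
        return RECV_INVALID_LENGTH;  /* server logs "invalid message length" */
    if (len > wirelen)
        return RECV_SHORT;           /* body not fully on the wire yet */
    *body = wire + 4;
    *bodylen = len - 4;
    return RECV_OK;
}

/* Does a constructed token of tokenlen bytes get through under a given cap?
 * The wire message is built here: length prefix plus filler ticket bytes. */
enum recv_status check_token_size(size_t tokenlen, size_t maxlen)
{
    size_t len = tokenlen + 4, bodylen;
    const unsigned char *body;
    unsigned char *m = malloc(len);
    enum recv_status st;
    m[0] = (unsigned char)(len >> 24); m[1] = (unsigned char)(len >> 16);
    m[2] = (unsigned char)(len >> 8);  m[3] = (unsigned char)len;
    memset(m + 4, 0x42, tokenlen);   /* stand-in for the AP-REQ bytes */
    st = bounded_getmessage(m, len, maxlen, &body, &bodylen);
    free(m);
    return st;
}
```

A 6000-byte token (a realistic size once a PAC is attached) fails under the old cap and passes under the new one, while the cap still rejects anything larger before buffering it.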