Re: Patch to add Heimdal kerberos support

Bill Studenmund <wrstuden@netbsd.org> writes:
> Attached please find a patch to make Postgres compile with Heimdal krb5
> support. This patch adds a new option, --with-heimdal. "--with-krb5" now
> implies MIT krb5 support.

Couldn't we do this in a way that doesn't require a user configure switch?

--- src/backend/libpq/auth.c    2001/10/28 06:25:44    1.71
+++ src/backend/libpq/auth.c    2001/11/12 22:32:00
@@ -229,7 +229,7 @@
                  " Kerberos error %d\n", retval);
         com_err("postgres", retval,
                 "while getting server principal for service %s",
-                pg_krb_server_keyfile);
+                PG_KRB_SRVNAM);
         krb5_kt_close(pg_krb5_context, pg_krb5_keytab);

This change seems like a step backwards.


         krb5_free_context(pg_krb5_context);
         return STATUS_ERROR;
@@ -283,8 +283,13 @@
      *
      * I have no idea why this is considered necessary.
      */
+#ifdef KRB5_MIT
     retval = krb5_unparse_name(pg_krb5_context,
                                ticket->enc_part2->client, &kusername);
+#else
+    retval = krb5_unparse_name(pg_krb5_context,
+                               ticket->client, &kusername);
+#endif

If this is the only code change needed, couldn't we dispense with it
somehow?  I notice that the previous authors of this code had grave
doubts about comparing the username at all.  I don't know much about
Kerberos' security model --- is the fact that we got a ticket sufficient
authentication, and if not why not?

            regards, tom lane