From 18d0ca2d1bf48f4b62cab4df4625b7f230b7c0c1 Mon Sep 17 00:00:00 2001
From: Tom Lane
Date: Sat, 8 Oct 2005 19:32:58 +0000
Subject: [PATCH] Fix Kerberos authentication in wake of virtual-hosts changes --- need to call krb5_sname_to_principal() always. Also, use krb_srvname rather than the hardwired string 'postgres' as the appl_version string in the krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG 8.0.

Magnus Hagander
---
 src/backend/libpq/auth.c | 47 +++++++++++--------
 src/backend/utils/misc/postgresql.conf.sample | 2 +-
 src/interfaces/libpq/fe-auth.c | 4 +-
 3 files changed, 30 insertions(+), 23 deletions(-)

diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index affe3c6a68..403285438f 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -119,6 +119,7 @@ static int
 pg_krb5_init(void)
 {
 	krb5_error_code retval;
+	char	   *khostname;
 
 	if (pg_krb5_initialised)
 		return STATUS_OK;
@@ -145,25 +146,31 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	if (pg_krb_server_hostname)
+	/*
+	 * If no hostname was specified, pg_krb_server_hostname is already
+	 * NULL. If it's set to blank, force it to NULL.
+	 */
+	khostname = pg_krb_server_hostname;
+	if (khostname && khostname[0] == '\0')
+		khostname = NULL;
+
+	retval = krb5_sname_to_principal(pg_krb5_context,
+									 khostname,
+									 pg_krb_srvnam,
+									 KRB5_NT_SRV_HST,
+									 &pg_krb5_server);
+	if (retval)
 	{
-		retval = krb5_sname_to_principal(pg_krb5_context,
-										 pg_krb_server_hostname, pg_krb_srvnam,
-										 KRB5_NT_SRV_HST, &pg_krb5_server);
-		if (retval)
-		{
-			ereport(LOG,
-					(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-							pg_krb_srvnam, retval)));
-			com_err("postgres", retval,
-					"while getting server principal for service \"%s\"",
-					pg_krb_srvnam);
-			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-			krb5_free_context(pg_krb5_context);
-			return STATUS_ERROR;
-		}
-	} else
-		pg_krb5_server = NULL;
+		ereport(LOG,
+				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+						pg_krb_srvnam, retval)));
+		com_err("postgres", retval,
+				"while getting server principal for service \"%s\"",
+				pg_krb_srvnam);
+		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+		krb5_free_context(pg_krb5_context);
+		return STATUS_ERROR;
+	}
 
 	pg_krb5_initialised = 1;
 	return STATUS_OK;
@@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, "postgres",
+						   (krb5_pointer) & port->sock, pg_krb_srvnam,
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index e004039013..af042740ad 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
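Review bot: The comment added above `khostname = pg_krb_server_hostname;` explains the blank-to-NULL normalization but not what a NULL hostname means to `krb5_sname_to_principal()`; as I understand the MIT library, a NULL hostname makes it substitute the local host's canonical name, so `pg_krb5_server` is now always a specific principal rather than the accept-any-keytab-entry wildcard the removed `pg_krb5_server = NULL` branch produced. That reading conflicts with the postgresql.conf.sample hunk in this commit, whose new text says `# empty string matches any keytab entry`. I would extend the comment with `* A NULL hostname makes krb5_sname_to_principal() use the local host's canonical name, so the server principal is always specific.` and reword the sample entry to match (e.g. `# empty string means the local host name`). Because that canonical name comes from the resolver, the comment could also point administrators of multi-homed or virtual hosts to set krb_server_hostname explicitly.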
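Review bot: `pg_krb_srvnam` is now the appl_version argument of `krb5_recvauth()`, and as I understand it the library compares that string exactly with the one the client passed to `krb5_sendauth()` (the fe-auth.c hunk in this commit passes the client's `servicename`), so a server whose krb_srvname differs from the client's krbsrvname fails authentication, and the `if (retval)` block will log it as a generic Kerberos error that is hard to trace back to the setting. Worth a comment on the changed line, `/* appl_version must equal the client's krbsrvname (libpq sends servicename) */`, and, if the error branch does not already do so, a hint naming krb_srvname when retval is `KRB5_SENDAUTH_BADAPPLVERS`. The error branch starts in this hunk but continues past it.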
@@ -70,7 +70,7 @@
 # Kerberos
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'
-#krb_server_hostname = '(any)'	# if not set, matches any keytab entry
+#krb_server_hostname = ''		# empty string matches any keytab entry
 #krb_caseins_users = off
 
 # - TCP Keepalives -
diff --git a/src/interfaces/libpq/fe-auth.c b/src/interfaces/libpq/fe-auth.c
index c79e38a936..4075aad614 100644
--- a/src/interfaces/libpq/fe-auth.c
+++ b/src/interfaces/libpq/fe-auth.c
@@ -10,7 +10,7 @@
  *	  exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, "postgres",
+						   (krb5_pointer) & sock, (char *) servicename,
 						   pg_krb5_client, server, AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */