Fix Kerberos authentication in wake of virtual-hosts changes --- need

to call krb5_sname_to_principal() always.  Also, use krb_srvname rather
than the hardwired string 'postgres' as the appl_version string in the
krb5_sendauth/recvauth calls, to avoid breaking compatibility with PG
8.0.  Magnus Hagander

src/backend/libpq/auth.c

@@ -8,7 +8,7 @@
  *
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.127 2005/07/25 04:52:31 tgl Exp $
+ *	  $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.128 2005/10/08 19:32:57 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -119,6 +119,7 @@ static int
 pg_krb5_init(void)
 {
 	krb5_error_code retval;
+	char *khostname;
 
 	if (pg_krb5_initialised)
 		return STATUS_OK;
@@ -145,25 +146,31 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	if (pg_krb_server_hostname)
+	/*
+	 * If no hostname was specified, pg_krb_server_hostname is already
+	 * NULL. If it's set to blank, force it to NULL.
+	 */
+	khostname = pg_krb_server_hostname;
+	if (khostname && khostname[0] == '\0')
+		khostname = NULL;
+
+	retval = krb5_sname_to_principal(pg_krb5_context,
+									 khostname,
+									 pg_krb_srvnam,
+									 KRB5_NT_SRV_HST,
+									 &pg_krb5_server);
+	if (retval)
 	{
-		retval = krb5_sname_to_principal(pg_krb5_context, 
+		ereport(LOG,
-					pg_krb_server_hostname, pg_krb_srvnam,
+				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-			 		KRB5_NT_SRV_HST, &pg_krb5_server);
+						pg_krb_srvnam, retval)));
-	 	if (retval)
+		com_err("postgres", retval,
-		{
+				"while getting server principal for service \"%s\"",
-			ereport(LOG,
+				pg_krb_srvnam);
-		 	(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-				 	pg_krb_srvnam, retval)));
+		krb5_free_context(pg_krb5_context);
-			com_err("postgres", retval,
+		return STATUS_ERROR;
-					"while getting server principal for service \"%s\"",
+	}
-					pg_krb_srvnam);
-			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-			krb5_free_context(pg_krb5_context);
-			return STATUS_ERROR;
-		}
-	} else
-		pg_krb5_server = NULL;
 
 	pg_krb5_initialised = 1;
 	return STATUS_OK;
@@ -194,7 +201,7 @@ pg_krb5_recvauth(Port *port)
 		return ret;
 
 	retval = krb5_recvauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & port->sock, "postgres",
+						   (krb5_pointer) & port->sock, pg_krb_srvnam,
 						   pg_krb5_server, 0, pg_krb5_keytab, &ticket);
 	if (retval)
 	{

src/backend/utils/misc/postgresql.conf.sample

@@ -70,7 +70,7 @@
 # Kerberos
 #krb_server_keyfile = ''
 #krb_srvname = 'postgres'
-#krb_server_hostname = '(any)'		# if not set, matches any keytab entry
+#krb_server_hostname = ''		# empty string matches any keytab entry
 #krb_caseins_users = off
 
 # - TCP Keepalives -

src/interfaces/libpq/fe-auth.c

@@ -10,7 +10,7 @@
  * exceed INITIAL_EXPBUFFER_SIZE (currently 256 bytes).
  *
  * IDENTIFICATION
- *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.103 2005/06/30 01:59:20 neilc Exp $
+ *	  $PostgreSQL: pgsql/src/interfaces/libpq/fe-auth.c,v 1.104 2005/10/08 19:32:58 tgl Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -280,7 +280,7 @@ pg_krb5_sendauth(char *PQerrormsg, int sock, const char *hostname, const char *s
 	}
 
 	retval = krb5_sendauth(pg_krb5_context, &auth_context,
-						   (krb5_pointer) & sock, "postgres",
+						   (krb5_pointer) & sock, (char *) servicename,
 						   pg_krb5_client, server,
 						   AP_OPTS_MUTUAL_REQUIRED,
 						   NULL, 0,		/* no creds, use ccache instead */