diff --git a/configure b/configure
index dbea7eaf5f..08bcf8f43a 100755
--- a/configure
+++ b/configure
@@ -14104,6 +14104,33 @@ done
fi
+done
+
+ for ac_header in gssapi/gssapi_ext.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "gssapi/gssapi_ext.h" "ac_cv_header_gssapi_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_gssapi_ext_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+ for ac_header in gssapi_ext.h
+do :
+ ac_fn_c_check_header_mongrel "$LINENO" "gssapi_ext.h" "ac_cv_header_gssapi_ext_h" "$ac_includes_default"
+if test "x$ac_cv_header_gssapi_ext_h" = xyes; then :
+ cat >>confdefs.h <<_ACEOF
+#define HAVE_GSSAPI_EXT_H 1
+_ACEOF
+
+else
+ as_fn_error $? "gssapi_ext.h header file is required for GSSAPI" "$LINENO" 5
+fi
+
+done
+
+fi
+
done
fi
diff --git a/configure.ac b/configure.ac
index dda34304db..c53a9c788e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1562,6 +1562,8 @@ fi
if test "$with_gssapi" = yes ; then
AC_CHECK_HEADERS(gssapi/gssapi.h, [],
[AC_CHECK_HEADERS(gssapi.h, [], [AC_MSG_ERROR([gssapi.h header file is required for GSSAPI])])])
+ AC_CHECK_HEADERS(gssapi/gssapi_ext.h, [],
+ [AC_CHECK_HEADERS(gssapi_ext.h, [], [AC_MSG_ERROR([gssapi_ext.h header file is required for GSSAPI])])])
fi
PGAC_PATH_PROGS(OPENSSL, openssl)
diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index dbba289600..204d09df67 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -1426,7 +1426,7 @@ omicron bryanh guest1
The keytab file is generated using the Kerberos software; see the
Kerberos documentation for details. The following example shows
doing this using the kadmin tool of
- MIT-compatible Kerberos 5 implementations:
+ MIT Kerberos:
kadmin% addprinc -randkey postgres/server.my.domain.orgkadmin% ktadd -k krb5.keytab postgres/server.my.domain.org
diff --git a/doc/src/sgml/installation.sgml b/doc/src/sgml/installation.sgml
index f451204854..3d839d665a 100644
--- a/doc/src/sgml/installation.sgml
+++ b/doc/src/sgml/installation.sgml
@@ -252,9 +252,9 @@ documentation. See standalone-profile.xsl for details.
- You need Kerberos, OpenLDAP,
- and/or PAM, if you want to support authentication
- using those services.
+ You need MIT Kerberos (for GSSAPI),
+ OpenLDAP, and/or PAM,
+ if you want to support authentication using those services.
@@ -1048,9 +1048,9 @@ build-postgresql:
- Build with support for GSSAPI authentication. On many systems, the
- GSSAPI system (usually a part of the Kerberos installation) is not
- installed in a location
+ Build with support for GSSAPI authentication. MIT Kerberos is required
+ to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+ of the MIT Kerberos installation) is not installed in a location
that is searched by default (e.g., /usr/include,
/usr/lib), so you must use the options
and in
@@ -2497,10 +2497,11 @@ ninja install
- Build with support for GSSAPI authentication. On many systems, the
- GSSAPI system (usually a part of the Kerberos installation) is not
- installed in a location that is searched by default (e.g.,
- /usr/include, /usr/lib). In
+ Build with support for GSSAPI authentication. MIT Kerberos is required
+ to be installed for GSSAPI. On many systems, the GSSAPI system (a part
+ of the MIT Kerberos installation) is not installed in a location
+ that is searched by default (e.g., /usr/include,
+ /usr/lib). In
those cases, PostgreSQL will query pkg-config to
detect the required compiler and linker options. Defaults to auto.
meson configure will check for the required
diff --git a/meson.build b/meson.build
index b69aaddb1f..3405cc07ee 100644
--- a/meson.build
+++ b/meson.build
@@ -623,6 +623,16 @@ if not gssapiopt.disabled()
have_gssapi = false
endif
+ if not have_gssapi
+ elif cc.check_header('gssapi/gssapi_ext.h', dependencies: gssapi, required: false,
+ args: test_c_args, include_directories: postgres_inc)
+ cdata.set('HAVE_GSSAPI_GSSAPI_EXT_H', 1)
+ elif cc.check_header('gssapi_ext.h', args: test_c_args, dependencies: gssapi, required: gssapiopt)
+ cdata.set('HAVE_GSSAPI_EXT_H', 1)
+ else
+ have_gssapi = false
+ endif
+
if not have_gssapi
elif cc.has_function('gss_init_sec_context', dependencies: gssapi,
args: test_c_args, include_directories: postgres_inc)
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 00ec9da284..a1a826e37f 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -922,8 +922,9 @@ pg_GSS_recvauth(Port *port)
gss_cred_id_t delegated_creds;
/*
- * Use the configured keytab, if there is one. Unfortunately, Heimdal
- * doesn't support the cred store extensions, so use the env var.
+ * Use the configured keytab, if there is one. As we now require MIT
+ * Kerberos, we might consider using the credential store extensions in
+ * the future instead of the environment variable.
*/
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{
diff --git a/src/backend/libpq/be-secure-gssapi.c b/src/backend/libpq/be-secure-gssapi.c
index 73f8ce8554..6212f225fd 100644
--- a/src/backend/libpq/be-secure-gssapi.c
+++ b/src/backend/libpq/be-secure-gssapi.c
@@ -526,8 +526,9 @@ secure_open_gssapi(Port *port)
PqGSSRecvLength = PqGSSResultLength = PqGSSResultNext = 0;
/*
- * Use the configured keytab, if there is one. Unfortunately, Heimdal
- * doesn't support the cred store extensions, so use the env var.
+ * Use the configured keytab, if there is one. As we now require MIT
+ * Kerberos, we might consider using the credential store extensions in the
+ * future instead of the environment variable.
*/
if (pg_krb_server_keyfile != NULL && pg_krb_server_keyfile[0] != '\0')
{