[pgpool-hackers: 3839] Re: Dealing with GSSAPI

Tatsuo Ishii ishii at sraoss.co.jp
Fri Oct 2 06:31:56 JST 2020 

Hi Umar,

I actually expected that psql connects to Pgpool-II without GSSAPI
auth (i.e. fallback to non-GSSAPI auth). In my understanding the
default behavior of psql does so because of gssencmode=prefer.  Can
you please enable pgpool debug log by log_min_messages=debug1 and show
the log?

> Thank you!
> 
>> Hi Ishii,
>> 
>> I tested your patch and was not able to apply it, so I rebased it. I tested
>> it on Pgpool 4.1 and it is working as expected.
>> 
>> - GSSAPI Authentication direct to PG13
>> [umarhayat at localhost pgpool2]# psql -U
>> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p
>> 5432
>> psql (13.0)
>> GSSAPI-encrypted connection
>> Type "help" for help.
>> 
>> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)
>> postgres=# \q
>> [umarhayat at localhost pgpool2]# psql -U
>> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p
>> 9999
>> psql: error: could not connect to server: server closed the connection
>> unexpectedly
>> This probably means the server terminated abnormally
>> before or while processing the request.
>> 
>> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)
>> [umarhayat at localhost pgpool2]# psql -U
>> "postgres/myrealm.example at MYREALM.EXAMPLE" -h myrealm.example postgres -p
>> 9999
>> psql: error: could not connect to server: ERROR:  failed to authenticate
>> with backend
>> DETAIL:  unsupported auth kind received from backend: authkind:7
>> 
>> Regards
>> Umar Hayat
>> 
>> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
>> 
>>> As you might already know, Pgpool-II currently does not support
>>> GSSAPI.  Until we support it, I think we need to tell frontend that
>>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise
>>> frontend will have a confusing message from Pgpool-II.
>>>
>>> https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html
>>>
>>> Attached patch should do it. I don't have GSSAPI enabled frontend and
>>> I cannot test it. I would appreciate if someone tests it out.
>>>
>>> Best regards,
>>> --
>>> Tatsuo Ishii
>>> SRA OSS, Inc. Japan
>>> English: http://www.sraoss.co.jp/index_en.php
>>> Japanese:http://www.sraoss.co.jp
>>> _______________________________________________
>>> pgpool-hackers mailing list
>>> pgpool-hackers at pgpool.net
>>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
>>>
> _______________________________________________
> pgpool-hackers mailing list
> pgpool-hackers at pgpool.net
> http://www.pgpool.net/mailman/listinfo/pgpool-hackers

More information about the pgpool-hackers mailing list