[pgpool-hackers: 3840] Re: Dealing with GSSAPI
Umar Hayat
m.umarkiani at gmail.com
Fri Oct 2 13:48:30 JST 2020
Hi Ishii,
I didn't share the output earlier, where there is some other pg_hba entry
available to fall back to. It does fall back in that case. Please see psql
output and log snippet below.
[umarhayat@localhost pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
psql (13.0)
Type "help" for help.
2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5680 database: user:
2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection
2020-10-01 07:33:06: pid 21199: DETAIL: GSSAPI request from client
2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0
2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection
2020-10-01 07:33:06: pid 21199: DETAIL: SSLRequest from client
2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
2020-10-01 07:33:06: pid 21199: DETAIL: application_name: psql
2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet
2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example@MYREALM.EXAMPLE
2020-10-01 07:33:06: pid 21199: DEBUG: creating new connection to backend
2020-10-01 07:33:06: pid 21199: DETAIL: connecting 0 backend
2020-10-01 07:33:06: pid 21199: DEBUG: authentication backend
2020-10-01 07:33:06: pid 21199: DETAIL: auth kind:0
Regards
Umar Hayat
On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> Hi Umar,
>
> I actually expected that psql connects to Pgpool-II without GSSAPI
> auth (i.e. fallback to non-GSSAPI auth). In my understanding the
> default behavior of psql does so because of gssencmode=prefer. Can
> you please enable pgpool debug log by log_min_messages=debug1 and show
> the log?
>
> > Thank you!
> >
> >> Hi Ishii,
> >>
> >> I tested your patch and was not able to apply it, so I rebased it. I tested
> >> it on Pgpool 4.1 and it is working as expected.
> >>
> >> - GSSAPI Authentication direct to PG13
> >> [umarhayat@localhost pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 5432
> >> psql (13.0)
> >> GSSAPI-encrypted connection
> >> Type "help" for help.
> >>
> >> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)
> >> postgres=# \q
> >> [umarhayat@localhost pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
> >> psql: error: could not connect to server: server closed the connection
> >> unexpectedly
> >> This probably means the server terminated abnormally
> >> before or while processing the request.
> >>
> >> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)
> >> [umarhayat@localhost pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999
> >> psql: error: could not connect to server: ERROR: failed to authenticate
> >> with backend
> >> DETAIL: unsupported auth kind received from backend: authkind:7
> >>
> >> Regards
> >> Umar Hayat
> >>
> >> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <ishii at sraoss.co.jp> wrote:
> >>
> >>> As you might already know, Pgpool-II currently does not support
> >>> GSSAPI. Until we support it, I think we need to tell frontend that
> >>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise
> >>> frontend will have a confusing message from Pgpool-II.
> >>>
> >>>
> >>> https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html
> >>>
> >>> Attached patch should do it. I don't have GSSAPI enabled frontend and
> >>> I cannot test it. I would appreciate if someone tests it out.
> >>>
> >>> Best regards,
> >>> --
> >>> Tatsuo Ishii
> >>> SRA OSS, Inc. Japan
> >>> English: http://www.sraoss.co.jp/index_en.php
> >>> Japanese:http://www.sraoss.co.jp
> >>> _______________________________________________
> >>> pgpool-hackers mailing list
> >>> pgpool-hackers at pgpool.net
> >>> http://www.pgpool.net/mailman/listinfo/pgpool-hackers
> >>>
>
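
The debug log above shows three first packets on one connection: a GSSAPI encryption request (1234.5680), an SSLRequest (1234.5679), then a protocol 3.0 startup message. The following is an added example, not Pgpool-II code or the patch discussed in this thread, that classifies those packets per the PostgreSQL frontend/backend protocol and returns the 'N' byte a server sends to decline encryption; the names classify_startup and decline_reply are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Request codes are (1234 << 16) | minor, which is why the log shows
 * "Protocol Major: 1234 Minor: 5680" for the GSSAPI encryption request. */
#define CANCEL_REQUEST_CODE ((1234u << 16) | 5678u)
#define SSL_REQUEST_CODE    ((1234u << 16) | 5679u)
#define GSSENC_REQUEST_CODE ((1234u << 16) | 5680u)

enum startup_kind { PKT_INVALID, PKT_CANCEL, PKT_SSL, PKT_GSSENC, PKT_STARTUP };

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Classify one complete first packet: int32 self-inclusive length, then
 * int32 protocol version or request code, both big-endian. */
enum startup_kind classify_startup(const unsigned char *buf, size_t len)
{
    if (buf == NULL || len < 8 || be32(buf) != len)
        return PKT_INVALID;
    uint32_t code = be32(buf + 4);
    if (code == GSSENC_REQUEST_CODE)
        return len == 8 ? PKT_GSSENC : PKT_INVALID;
    if (code == SSL_REQUEST_CODE)
        return len == 8 ? PKT_SSL : PKT_INVALID;
    if (code == CANCEL_REQUEST_CODE)
        return len == 16 ? PKT_CANCEL : PKT_INVALID;
    return (code >> 16) == 3 ? PKT_STARTUP : PKT_INVALID;
}

/* Reply byte that declines an encryption request; 0 if none applies. */
char decline_reply(enum startup_kind kind)
{
    return (kind == PKT_SSL || kind == PKT_GSSENC) ? 'N' : 0;
}

int main(void)
{
    /* Constructed sample packets, in the order the log shows them. */
    const unsigned char gss[8] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x30};
    const unsigned char ssl[8] = {0, 0, 0, 8, 0x04, 0xD2, 0x16, 0x2F};
    printf("GSSENCRequest -> %c\n", decline_reply(classify_startup(gss, sizeof gss)));
    printf("SSLRequest    -> %c\n", decline_reply(classify_startup(ssl, sizeof ssl)));
    return 0;
}
```

After an 'N' reply, a client with gssencmode=prefer continues on the same connection with its next request, which matches the GSSAPI, SSLRequest, startup sequence in the log.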