Index: configure.in =================================================================== RCS file: /projects/cvsroot/pgsql/configure.in,v retrieving revision 1.150 diff -u -r1.150 configure.in --- configure.in 2001/10/25 13:02:01 1.150 +++ configure.in 2001/11/12 22:31:47 @@ -446,13 +446,15 @@ # # Kerberos 5 +# Note there are both MIT and Heimdal versions. # -PGAC_ARG_OPTARG(with, krb5, [ --with-krb5[=DIR] build with Kerberos 5 support [/usr/athena]], +PGAC_ARG_OPTARG(with, krb5, [ --with-krb5[=DIR] build with MIT Kerberos 5 support [/usr/athena]], [krb5_prefix=/usr/athena], [krb5_prefix=$withval], [ AC_MSG_RESULT([building with Kerberos 5 support]) AC_DEFINE(KRB5, 1, [Define if you are building with Kerberos 5 support.]) + AC_DEFINE(KRB5_MIT, 1, [Define if you are building with MIT Kerberos 5 support.]) if test -d "$krb5_prefix/include"; then INCLUDES="$INCLUDES -I$krb5_prefix/include" 
@@ -466,9 +468,36 @@ AC_SUBST(with_krb5) +PGAC_ARG_OPTARG(with, heimdal, [ --with-heimdal[=DIR] build with Heimdal Kerberos 5 support [/usr]], + [krb5_prefix=/usr], + [krb5_prefix=$withval], +[ + AC_MSG_RESULT([building with Kerberos 5 support]) + AC_DEFINE(KRB5, 1, [Define if you are building with Kerberos 5 support.]) + AC_DEFINE(KRB5_HEIMDAL, 1, [Define if you are building with HEIMDAL Kerberos 5 support.]) + if test -d "$krb5_prefix/include/krb5"; then + INCLUDES="$INCLUDES -I$krb5_prefix/include/krb5" + elif test -d "$krb5_prefix/include"; then + INCLUDES="$INCLUDES -I$krb5_prefix/include" + fi + if test -d "$krb5_prefix/lib"; then + LIBDIRS="$LIBDIRS -L$krb5_prefix/lib" + fi + + krb_srvtab="FILE:\$(sysconfdir)/krb5.keytab" +]) + +AC_SUBST(with_heimdal) + + +# Using both MIT and Heimdal Kerberos 5 at the same time isn't going to work. +if test "$with_heimdal" = yes && test "$with_krb5" = yes ; then + AC_MSG_ERROR([MIT and Heimdal Kerberos 5 support cannot be combined]) +fi + # Using both Kerberos 4 and Kerberos 5 at the same time isn't going to work. -if test "$with_krb4" = yes && test "$with_krb5" = yes ; then +if test "$with_krb5" = yes || test "$with_heimdal" = yes && test "$with_krb4" = yes ; then AC_MSG_ERROR([Kerberos 4 and Kerberos 5 support cannot be combined]) fi 
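Review bot: The Kerberos 4 conflict test at the end of this hunk, `test "$with_krb5" = yes || test "$with_heimdal" = yes && test "$with_krb4" = yes`, gives the intended result only because the shell treats `||` and `&&` with equal precedence and evaluates them left to right; a reader applying C precedence will parse it as krb5-or-(heimdal-and-krb4). Grouping makes the intent explicit: `if test "$with_krb4" = yes && { test "$with_krb5" = yes || test "$with_heimdal" = yes; } ; then`. Separately, the new `--with-heimdal` block prints the same `building with Kerberos 5 support` result as `--with-krb5`, so the configure log does not record which implementation was selected; `AC_MSG_RESULT([building with Heimdal Kerberos 5 support])` would.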
@@ -734,10 +763,16 @@ if test "$with_krb5" = yes ; then AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Kerberos 5])]) AC_CHECK_LIB(crypto, [krb5_encrypt], [], - [AC_CHECK_LIB(k5crypto, [krb5_encrypt], [], [AC_MSG_ERROR([library 'crypto' or 'k5crypto' is required for Kerberos 5])])]) + [AC_CHECK_LIB(k5crypto, [krb5_encrypt], [], [AC_MSG_ERROR([library 'crypto' or 'k5crypto' is required for MIT Kerberos 5])])]) AC_CHECK_LIB(krb5, [krb5_sendauth], [], [AC_MSG_ERROR([library 'krb5' is required for Kerberos 5])]) fi +if test "$with_heimdal" = yes ; then + AC_CHECK_LIB(com_err, [com_err], [], [AC_MSG_ERROR([library 'com_err' is required for Kerberos 5])]) + AC_CHECK_LIB(krb5, [krb5_encrypt], [], [AC_MSG_ERROR([library 'crypto' or 'k5crypto' is required for Kerberos 5])], [-lasn1 -lroken -lcrypto]) + LIBS="-lasn1 -lroken -lcrypto $LIBS" +fi + if test "$with_openssl" = yes ; then dnl Order matters! AC_CHECK_LIB(crypto, [CRYPTO_new_ex_data], [], [AC_MSG_ERROR([library 'crypto' is required for OpenSSL])]) @@ -779,7 +814,7 @@ AC_CHECK_HEADER(krb.h, [], [AC_MSG_ERROR([header file is required for Kerberos 4])]) fi -if test "$with_krb5" = yes ; then +if test "$with_krb5" = yes || test "$with_heimdal" = yes ; then AC_CHECK_HEADER(krb5.h, [], [AC_MSG_ERROR([header file is required for Kerberos 5])]) AC_CHECK_HEADER(com_err.h, [], [AC_MSG_ERROR([header file is required for Kerberos 5])]) fi Index: src/backend/libpq/auth.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/backend/libpq/auth.c,v retrieving revision 1.71 diff -u -r1.71 auth.c --- src/backend/libpq/auth.c 2001/10/28 06:25:44 1.71 +++ src/backend/libpq/auth.c 2001/11/12 22:32:00 
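Review bot: In the `with_heimdal` branch the failure message for `AC_CHECK_LIB(krb5, [krb5_encrypt], ...)` still says `library 'crypto' or 'k5crypto' is required for Kerberos 5`, although the library being probed is `krb5` linked against `-lasn1 -lroken -lcrypto`. Something like `[AC_MSG_ERROR([library 'krb5' (with 'asn1', 'roken' and 'crypto') is required for Heimdal Kerberos 5])]` would point the user at the right package. The following `LIBS="-lasn1 -lroken -lcrypto $LIBS"` puts the three helper libraries in front of the `-lkrb5` that the successful check has just prepended, which is the reverse of the order the probe linked with and may leave symbols unresolved with static archives; this is worth confirming on a static Heimdal install. The branch also never probes `krb5_sendauth`, which the MIT branch just above requires.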
@@ -229,7 +229,7 @@ " Kerberos error %d\n", retval); com_err("postgres", retval, "while getting server principal for service %s", - pg_krb_server_keyfile); + PG_KRB_SRVNAM); krb5_kt_close(pg_krb5_context, pg_krb5_keytab); krb5_free_context(pg_krb5_context); return STATUS_ERROR; @@ -283,8 +283,13 @@ * * I have no idea why this is considered necessary. */ +#ifdef KRB5_MIT retval = krb5_unparse_name(pg_krb5_context, ticket->enc_part2->client, &kusername); +#else + retval = krb5_unparse_name(pg_krb5_context, + ticket->client, &kusername); +#endif if (retval) { snprintf(PQerrormsg, PQERRORMSG_LENGTH, Index: src/include/pg_config.h.in =================================================================== RCS file: /projects/cvsroot/pgsql/src/include/pg_config.h.in,v retrieving revision 1.11 diff -u -r1.11 pg_config.h.in --- src/include/pg_config.h.in 2001/10/20 17:57:39 1.11 +++ src/include/pg_config.h.in 2001/11/12 22:32:10 @@ -56,8 +56,15 @@ /* Define to build with Kerberos 4 support (--with-krb4[=DIR]) */ #undef KRB4 -/* Define to build with Kerberos 5 support (--with-krb5[=DIR]) */ +/* Define to build with Kerberos 5 support, either MIT or Heimdal + * (--with-krb5[=DIR]) or (--with-heimdal[=DIR]) */ #undef KRB5 + +/* Define to build with MIT Kerberos 5 support (--with-krb5[=DIR]) */ +#undef KRB5_MIT + +/* Define to build with Heimdal Kerberos 5 support (--with-Heimdal[=DIR]) */ +#undef KRB5_HEIMDAL /* Kerberos name of the Postgres service principal (--with-krb-srvnam=NAME) */ #undef PG_KRB_SRVNAM Index: src/interfaces/libpq/fe-auth.c =================================================================== RCS file: /projects/cvsroot/pgsql/src/interfaces/libpq/fe-auth.c,v retrieving revision 1.62 diff -u -r1.62 fe-auth.c --- src/interfaces/libpq/fe-auth.c 2001/10/25 05:50:13 1.62 +++ src/interfaces/libpq/fe-auth.c 2001/11/12 22:32:21 
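Review bot: The `#else` arm around `krb5_unparse_name` in src/backend/libpq/auth.c selects the Heimdal field `ticket->client` for every build where `KRB5_MIT` is not defined, rather than for builds where `KRB5_HEIMDAL` is. Since configure now defines both macros, I would test the second one explicitly and fail otherwise: `#elif defined(KRB5_HEIMDAL)` for the second arm, then `#else` / `#error "unknown Kerberos 5 implementation"` before `#endif`. This call appears to produce the client principal name (`kusername`) that the rest of the function works with, so a one-line comment saying which ticket layout each arm expects would help the next maintainer. The same `#ifdef KRB5_MIT` / `#else` shape appears in the src/interfaces/libpq/fe-auth.c hunk; the enclosing function starts and ends outside this hunk.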
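Review bot: The comment added above `#undef KRB5_HEIMDAL` in src/include/pg_config.h.in spells the option `--with-Heimdal[=DIR]`, but configure.in declares it as `--with-heimdal`. The comment should read `/* Define to build with Heimdal Kerberos 5 support (--with-heimdal[=DIR]) */`, so that the name a reader copies from the header is the one configure actually accepts.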
@@ -403,9 +403,15 @@ { if (retval == KRB5_SENDAUTH_REJECTED && err_ret) { +#ifdef KRB5_MIT snprintf(PQerrormsg, PQERRORMSG_LENGTH, libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), err_ret->text.length, err_ret->text.data); +#else + snprintf(PQerrormsg, PQERRORMSG_LENGTH, + libpq_gettext("Kerberos 5 authentication rejected: %*s\n"), + err_ret->e_data->length, err_ret->e_data->data); +#endif } else {
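Review bot: Both arms of the new `#ifdef` format the server-supplied rejection text with `%*s`, where the length argument is only a minimum field width, so `snprintf` reads `data` up to the first NUL rather than at most `length` bytes; if the buffer is not NUL-terminated that is an over-read driven by data from the peer. Using a precision and an `int` length bounds it: `"Kerberos 5 authentication rejected: %.*s\n"` with `(int) err_ret->e_data->length, (const char *) err_ret->e_data->data` (and the matching casts on `text.length` / `text.data` in the MIT arm). In the Heimdal arm `err_ret->e_data` is dereferenced after only `err_ret` has been tested; if that member is an optional pointer in Heimdal's error structure, as I believe it is, the condition should also require `err_ret->e_data`. The enclosing function starts and ends outside this hunk.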