From 954f6bcffe215cbcb09f06aabf155586e6059172 Mon Sep 17 00:00:00 2001
From: Bruce Momjian
Date: Tue, 14 Jun 2005 17:43:14 +0000
Subject: [PATCH] Add GUC krb_server_hostname so the server hostname can be specified as part of service principal. If not set, any service principal matching an entry in the keytab can be used. NEW KERBEROS MATCHING BEHAVIOR FOR 8.1. Todd Kover
---
 doc/src/sgml/runtime.sgml | 46 ++++++++++++++++++++++++++----------
 src/backend/libpq/auth.c | 34 +++++++++++++++-----------
 src/backend/utils/misc/guc.c | 11 ++++++++-
 src/bin/psql/tab-complete.c | 3 +--
 src/include/libpq/auth.h | 3 ++-
 5 files changed, 66 insertions(+), 31 deletions(-)
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index 93040bd31d..c209dd39e9 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -1,5 +1,5 @@
@@ -969,24 +969,44 @@ SET ENABLE_SEQSCAN TO OFF; Sets the Kerberos service name. See - for details. This parameter can only be set at server start. + for details. This parameter can only be set at server start. - - krb_caseins_users (boolean) - - krb_caseins_users configuration parameter + + krb_caseins_users (boolean) + + krb_caseins_users configuration parameter - - - Sets if Kerberos usernames should be treated case-insensitive. - The default is off (case sensitive). This parameter can only be - set at server start. + + + Sets if Kerberos usernames should be treated case-insensitive. + The default is off (case sensitive). This parameter can only be + set at server start. - - + + + + + krb_server_hostname (string) + + krb_server_hostname configuration parameter + + + + Sets the hostname part of the service principal. + This, combined with krb_srvname, is used to generate + the complete service principal, i.e. + krb_server_hostname/krb_server_hostname@REALM. + + + If not set, the default is to allow any service principal matching an entry + in the keytab. See for details. + This parameter can only be set at server start. + + + db_user_namespace (boolean) diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c index 7970f81756..a50227068b 100644 --- a/src/backend/libpq/auth.c +++ b/src/backend/libpq/auth.c @@ -8,7 +8,7 @@ * * * IDENTIFICATION - * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.124 2005/06/04 20:42:42 momjian Exp $ + * $PostgreSQL: pgsql/src/backend/libpq/auth.c,v 1.125 2005/06/14 17:43:13 momjian Exp $ * *------------------------------------------------------------------------- */ @@ -43,6 +43,7 @@ static int recv_and_check_password_packet(Port *port); char *pg_krb_server_keyfile; char *pg_krb_srvnam; bool pg_krb_caseins_users; +char *pg_krb_server_hostname = NULL; #ifdef USE_PAM #ifdef HAVE_PAM_PAM_APPL_H 
@@ -221,20 +222,25 @@ pg_krb5_init(void)
 		return STATUS_ERROR;
 	}
 
-	retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
-					 KRB5_NT_SRV_HST, &pg_krb5_server);
-	if (retval)
+	if (pg_krb_server_hostname)
 	{
-		ereport(LOG,
-				(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
-						pg_krb_srvnam, retval)));
-		com_err("postgres", retval,
-				"while getting server principal for service \"%s\"",
-				pg_krb_srvnam);
-		krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
-		krb5_free_context(pg_krb5_context);
-		return STATUS_ERROR;
-	}
+		retval = krb5_sname_to_principal(pg_krb5_context,
+				pg_krb_server_hostname, pg_krb_srvnam,
+				KRB5_NT_SRV_HST, &pg_krb5_server);
+		if (retval)
+		{
+			ereport(LOG,
+					(errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+							pg_krb_srvnam, retval)));
+			com_err("postgres", retval,
+					"while getting server principal for service \"%s\"",
+					pg_krb_srvnam);
+			krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+			krb5_free_context(pg_krb5_context);
+			return STATUS_ERROR;
+		}
+	} else
+		pg_krb5_server = NULL;
 
 	pg_krb5_initialised = 1;
 	return STATUS_OK;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 3d57509548..073aae2a23 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -10,7 +10,7 @@
  * Written by Peter Eisentraut .
  *
  * IDENTIFICATION
- * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.264 2005/06/04 20:42:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/backend/utils/misc/guc.c,v 1.265 2005/06/14 17:43:13 momjian Exp $
  *
  *--------------------------------------------------------------------
  */
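Review bot: The new `} else pg_krb5_server = NULL;` branch is where the commit's widened matching actually lives — per the commit message a NULL server principal lets any entry in the keytab be accepted — yet nothing at that line says so, and a maintainer reading auth.c later will not see why the principal is deliberately left unset. I'd add `/* No krb_server_hostname configured: leave the server principal NULL so any keytab entry may match (see krb_server_hostname in runtime.sgml) */` above the assignment, and put the `else` on its own line with braces to match the surrounding block style. krb5_sname_to_principal is also likely to canonicalize the configured hostname through DNS before building the principal, so the documentation should say the value must be the name under which the keytab entry was issued — worth confirming against the Kerberos library in use. pg_krb5_init begins and ends outside this hunk.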
@@ -1593,6 +1593,15 @@ static struct config_string ConfigureNamesString[] =
 		PG_KRB_SRVNAM, NULL, NULL
 	},
 
+	{
+		{"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+			gettext_noop("Sets the hostname of the Kerberos server."),
+			NULL
+		},
+		&pg_krb_server_hostname,
+		NULL, NULL, NULL
+	},
+
 	{
 		{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 			gettext_noop("Sets the Bonjour broadcast service name."),
diff --git a/src/bin/psql/tab-complete.c b/src/bin/psql/tab-complete.c
index 3d1ce4ca12..2b215d9728 100644
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -3,7 +3,7 @@
  *
  * Copyright (c) 2000-2005, PostgreSQL Global Development Group
  *
- * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.130 2005/05/25 22:12:05 momjian Exp $
+ * $PostgreSQL: pgsql/src/bin/psql/tab-complete.c,v 1.131 2005/06/14 17:43:14 momjian Exp $
  */
 
 /*----------------------------------------------------------------------
@@ -559,7 +559,6 @@ psql_completion(char *text, int start, int end)
 		"geqo_selection_bias",
 		"geqo_threshold",
 		"join_collapse_limit",
-		"krb_server_keyfile",
 		"lc_messages",
 		"lc_monetary",
 		"lc_numeric",
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index b8fd25eb64..94b0976e11 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -7,7 +7,7 @@
  * Portions Copyright (c) 1996-2005, PostgreSQL Global Development Group
  * Portions Copyright (c) 1994, Regents of the University of California
  *
- * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.27 2005/06/04 20:42:42 momjian Exp $
+ * $PostgreSQL: pgsql/src/include/libpq/auth.h,v 1.28 2005/06/14 17:43:14 momjian Exp $
  *
  *-------------------------------------------------------------------------
  */
@@ -29,5 +29,6 @@ extern void ClientAuthentication(Port *port);
 extern char *pg_krb_server_keyfile;
 extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
+extern char *pg_krb_server_hostname;
 
 #endif /* AUTH_H */
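Review bot: The GUC description `gettext_noop("Sets the hostname of the Kerberos server.")` reads as the KDC's hostname, whereas the commit message and the runtime.sgml hunk describe the value as the hostname component of this server's own service principal; I'd change it to `gettext_noop("Sets the hostname part of the Kerberos service principal."),`. The same paragraph in runtime.sgml gives the composed principal as `krb_server_hostname/krb_server_hostname@REALM`, repeating the hostname where its preceding sentence says the first component comes from krb_srvname, so that example should read `krb_srvname/krb_server_hostname@REALM`. Getting the description right matters here because, as the commit message states, leaving the setting unset falls back to accepting any service principal present in the keytab, so an operator has to understand what the value is before deciding to set it.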