authorBruce Momjian2005-06-14 17:43:14 +0000
committerBruce Momjian2005-06-14 17:43:14 +0000
commit4544742fc750078c2aa2dd91ca0e74933ea9e790 (patch)
tree18b47265ac43c3805db5952e792b66cfb65eb8bb
parenta829048379e8460d86c44ef5db55a859023fa93e (diff)
Add GUC krb_server_hostname so the server hostname can be specified as
part of the service principal. If not set, any service principal matching an entry in the keytab can be used. NEW KERBEROS MATCHING BEHAVIOR FOR 8.1. Todd Kover
-rw-r--r--doc/src/sgml/runtime.sgml44
-rw-r--r--src/backend/libpq/auth.c32
-rw-r--r--src/backend/utils/misc/guc.c9
-rw-r--r--src/bin/psql/tab-complete.c1
-rw-r--r--src/include/libpq/auth.h1
5 files changed, 61 insertions, 26 deletions
diff --git a/doc/src/sgml/runtime.sgml b/doc/src/sgml/runtime.sgml
index a864975888..39743c95c6 100644
--- a/doc/src/sgml/runtime.sgml
+++ b/doc/src/sgml/runtime.sgml
@@ -969,24 +969,44 @@ SET ENABLE_SEQSCAN TO OFF;
<listitem>
<para>
Sets the Kerberos service name. See <xref linkend="kerberos-auth">
- for details. This parameter can only be set at server start.
+ for details. This parameter can only be set at server start.
</para>
</listitem>
</varlistentry>
- <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
- <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
- <indexterm>
- <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
+ <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
+ <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
+ <indexterm>
+ <primary><varname>krb_caseins_users</varname> configuration parameter</primary>
</indexterm>
- <listitem>
- <para>
- Sets if Kerberos usernames should be treated case-insensitive.
- The default is off (case sensitive). This parameter can only be
- set at server start.
+ <listitem>
+ <para>
+ Sets if Kerberos usernames should be treated case-insensitive.
+ The default is off (case sensitive). This parameter can only be
+ set at server start.
</para>
- </listitem>
- </varlistentry>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry id="guc-krb-server-hostname" xreflabel="krb_server_hostname">
+ <term><varname>krb_server_hostname</varname> (<type>string</type>)</term>
+ <indexterm>
+ <primary><varname>krb_server_hostname</> configuration parameter</primary>
+ </indexterm>
+ <listitem>
+ <para>
+ Sets the hostname part of the service principal.
+ This, combined with <varname>krb_srvname</>, is used to generate
+ the complete service principal, i.e.
+ <varname>krb_server_hostname</><literal>/</><varname>krb_server_hostname</><literal>@</>REALM.
+ </para>
+ <para>
+ If not set, the default is to allow any service principal matching an entry
+ in the keytab. See <xref linkend="kerberos-auth"> for details.
+ This parameter can only be set at server start.
+ </para>
+ </listitem>
+ </varlistentry>
<varlistentry id="guc-db-user-namespace" xreflabel="db_user_namespace">
<term><varname>db_user_namespace</varname> (<type>boolean</type>)</term>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index 88523099a5..b6814615fb 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -43,6 +43,7 @@ static int recv_and_check_password_packet(Port *port);
char *pg_krb_server_keyfile;
char *pg_krb_srvnam;
bool pg_krb_caseins_users;
+char *pg_krb_server_hostname = NULL;
#ifdef USE_PAM
#ifdef HAVE_PAM_PAM_APPL_H
@@ -221,20 +222,25 @@ pg_krb5_init(void)
return STATUS_ERROR;
}
- retval = krb5_sname_to_principal(pg_krb5_context, NULL, pg_krb_srvnam,
- KRB5_NT_SRV_HST, &pg_krb5_server);
- if (retval)
+ if (pg_krb_server_hostname)
{
- ereport(LOG,
- (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
- pg_krb_srvnam, retval)));
- com_err("postgres", retval,
- "while getting server principal for service \"%s\"",
- pg_krb_srvnam);
- krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
- krb5_free_context(pg_krb5_context);
- return STATUS_ERROR;
- }
+ retval = krb5_sname_to_principal(pg_krb5_context,
+ pg_krb_server_hostname, pg_krb_srvnam,
+ KRB5_NT_SRV_HST, &pg_krb5_server);
+ if (retval)
+ {
+ ereport(LOG,
+ (errmsg("Kerberos sname_to_principal(\"%s\") returned error %d",
+ pg_krb_srvnam, retval)));
+ com_err("postgres", retval,
+ "while getting server principal for service \"%s\"",
+ pg_krb_srvnam);
+ krb5_kt_close(pg_krb5_context, pg_krb5_keytab);
+ krb5_free_context(pg_krb5_context);
+ return STATUS_ERROR;
+ }
+ } else
+ pg_krb5_server = NULL;
pg_krb5_initialised = 1;
return STATUS_OK;
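Review bot: The failure path at lines 112–117 still reports only `pg_krb_srvnam`, but the lookup that failed is now keyed on `pg_krb_server_hostname` as well, so a mistyped hostname and a bad service name produce the same log line; `errmsg("Kerberos sname_to_principal(\"%s/%s\") returned error %d", pg_krb_srvnam, pg_krb_server_hostname, retval)` (and the same pair in the com_err text) would name the input that was actually rejected. The `else` branch at lines 122–123 deserves a comment, since per the commit message a NULL server principal is what relaxes matching to any entry in the keytab, e.g. `/* no hostname configured: accept any service principal present in the keytab */`; where the NULL `pg_krb5_server` is consumed is outside this hunk, so that description is inferred from the commit message rather than the visible code. As a style point, `} else` followed by an unbraced single statement differs from the brace-on-its-own-line layout used for the `if` directly above it. pg_krb5_init begins before this hunk.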
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index 2f92ed8e76..a1923b0c18 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -1594,6 +1594,15 @@ static struct config_string ConfigureNamesString[] =
},
{
+ {"krb_server_hostname", PGC_POSTMASTER, CONN_AUTH_SECURITY,
+ gettext_noop("Sets the hostname of the Kerberos server."),
+ NULL
+ },
+ &pg_krb_server_hostname,
+ NULL, NULL, NULL
+ },
+
+ {
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour broadcast service name."),
NULL
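Review bot: The short description at line 134, `"Sets the hostname of the Kerberos server."`, reads as the KDC's hostname, whereas the commit message and the runtime.sgml hunk describe this setting as the hostname part of this server's own service principal; `gettext_noop("Sets the hostname part of the Kerberos service principal.")` would match the documented meaning. The long description at line 135 is NULL, and the default behaviour is the security-relevant part of this change, so a second string such as `gettext_noop("If unset, any service principal present in the keytab is accepted.")` would be worth adding here. Separately, the new name is not added to psql's settings list in tab-complete.c, which this commit instead removes `krb_server_keyfile` from — that deletion looks unrelated to the stated change and may be unintended.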
diff --git a/src/bin/psql/tab-complete.c b/src/bin/psql/tab-complete.c
index 16a48ddad4..34d3fa9d32 100644
--- a/src/bin/psql/tab-complete.c
+++ b/src/bin/psql/tab-complete.c
@@ -559,7 +559,6 @@ psql_completion(char *text, int start, int end)
"geqo_selection_bias",
"geqo_threshold",
"join_collapse_limit",
- "krb_server_keyfile",
"lc_messages",
"lc_monetary",
"lc_numeric",
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 66aa55829a..e68443ef8b 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -29,5 +29,6 @@ extern void ClientAuthentication(Port *port);
extern char *pg_krb_server_keyfile;
extern char *pg_krb_srvnam;
extern bool pg_krb_caseins_users;
+extern char *pg_krb_server_hostname;
#endif /* AUTH_H */