MIME-Version: 1.0
References: <ZvmUe9_0WMfy5o-P@disp.intra.daemon.contact>
In-Reply-To: <ZvmUe9_0WMfy5o-P@disp.intra.daemon.contact>
From: Ron Johnson <ronljohnsonjr@gmail.com>
Date: Sun, 29 Sep 2024 20:27:50 -0400
Message-ID: <CANzqJaD6QOd2MrcG+sxfgJtQcuXcpn0NdGjir3C9q4CnkC=faA@mail.gmail.com>
Subject: Re: Failing GSSAPI TCP when connecting to server
To: "pgsql-generallists.postgresql.org" <pgsql-general@lists.postgresql.org>
Content-Type: multipart/alternative; boundary="00000000000003e1c306234b4729"
Archived-At: <https://www.postgresql.org/message-id/CANzqJaD6QOd2MrcG%2BsxfgJtQcuXcpn0NdGjir3C9q4CnkC%3DfaA%40mail.gmail.com>
Precedence: bulk

--00000000000003e1c306234b4729
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

On Sun, Sep 29, 2024 at 2:00=E2=80=AFPM Peter <pmc@citylink.dinoex.sub.org>=
 wrote:

> My application is trying to connect the database server, and meanwhile
> tries to talk to the KDC server for a service ticket.
> Earlier these TCP connections did run like this, and were successful:
>
> [snip]

>
> A configuration problem on the machine(s) can be ruled out,


Famous last words.


> because both
> old (working) and new (failing) application are installed on the same
> machine at the same time, using the same network, same hardware, same
> OS, same libgssapi and same postgres client software connecting to the
> same database.
>
> There are no errors logged on the KDC server, it appears to have
> orderly processed the requests (at least at first, it starts to
> complain later when the stale sockets get too many).
>
> The error message on the postgres server is
> FATAL:  GSSAPI authentication failed for user "pmc"
>

Is there a way to test pmc authentication via some other tool, like psql?


> The OS is FreeBSD Release 13.4-p1
> The postgres client library libpq.so.5 is Release 15.7
> The application postgres interface is rubyGem pq Release 1.5.4
> The application is Discourse 2.2.0 (working) and 2.3.1 (failing)
>
> What is going on there?
>

If *only *the application changed, then by definition it can't be a
database problem.  *Something* in the application changed; you just haven't
found it.

Specifically, I'd read the Discourse 2.3.0 and 2.3.1 release notes.

--=20
Death to <Redacted>, and butter sauce.
Don't boil me, I'm still alive.
<Redacted> crustacean!

--00000000000003e1c306234b4729
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div dir=3D"ltr">On Sun, Sep 29, 2024 at 2:00=E2=80=AFPM P=
eter &lt;<a href=3D"mailto:pmc@citylink.dinoex.sub.org">pmc@citylink.dinoex=
.sub.org</a>&gt; wrote:<br></div><div class=3D"gmail_quote"><blockquote cla=
ss=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid =
rgb(204,204,204);padding-left:1ex">My application is trying to connect the =
database server, and meanwhile<br>
tries to talk to the KDC server for a service ticket. <br>
Earlier these TCP connections did run like this, and were successful:<br>
<br>
</blockquote><div>[snip]=C2=A0</div><blockquote class=3D"gmail_quote" style=
=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding=
-left:1ex">
<br>
A configuration problem on the machine(s) can be ruled out, </blockquote><d=
iv><br></div><div>Famous last words.</div><div>=C2=A0</div><blockquote clas=
s=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid r=
gb(204,204,204);padding-left:1ex">because both<br>
old (working) and new (failing) application are installed on the same<br>
machine at the same time, using the same network, same hardware, same<br>
OS, same libgssapi and same postgres client software connecting to the<br>
same database.<br>
<br>
There are no errors logged on the KDC server, it appears to have<br>
orderly processed the requests (at least at first, it starts to<br>
complain later when the stale sockets get too many).<br>
<br>
The error message on the postgres server is<br>
FATAL:=C2=A0 GSSAPI authentication failed for user &quot;pmc&quot;<br></blo=
ckquote><div><br></div><div>Is there a way to test pmc authentication via s=
ome other tool, like psql?</div><div>=C2=A0</div><blockquote class=3D"gmail=
_quote" style=3D"margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204=
,204);padding-left:1ex">The OS is FreeBSD Release 13.4-p1<br>
The postgres client library libpq.so.5 is Release 15.7<br>
The application postgres interface is rubyGem pq Release 1.5.4<br>
The application is Discourse 2.2.0 (working) and 2.3.1 (failing)<br>
<br>
What is going on there?<br></blockquote><div><br></div><div>If <b>only </b>=
the application changed, then by definition it can&#39;t be a database prob=
lem.=C2=A0 <b>Something</b>=C2=A0in the application changed; you just haven=
&#39;t found it.<br></div><div>=C2=A0</div><div>Specifically, I&#39;d read =
the Discourse 2.3.0 and 2.3.1 release notes.</div><div><br></div></div><spa=
n class=3D"gmail_signature_prefix">-- </span><br><div dir=3D"ltr" class=3D"=
gmail_signature"><div dir=3D"ltr">Death to &lt;Redacted&gt;, and butter sau=
ce.<div>Don&#39;t boil me, I&#39;m still alive.<br><div><div>&lt;Redacted&g=
t; crustacean!</div></div></div></div></div></div>

--00000000000003e1c306234b4729--