<div dir="ltr">Hi Ishii,<div>I didn't share the output earlier, where there is some other pg_hba entry available to fallback. It does fallback in that case. Please see psql output and log snippet below.</div><div><br></div><div>[umarhayat@localhost pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999<br>psql (13.0)<br>Type "help" for help.<br></div><div><br></div><div>2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5680 database: user: <br>2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection<br>2020-10-01 07:33:06: pid 21199: DETAIL: GSSAPI request from client<br>2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0<br>2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection<br>2020-10-01 07:33:06: pid 21199: DETAIL: SSLRequest from client<br>2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>2020-10-01 07:33:06: pid 21199: DETAIL: application_name: psql<br>2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example@MYREALM.EXAMPLE<br>2020-10-01 07:33:06: pid 21199: DEBUG: creating new connection to backend<br>2020-10-01 07:33:06: pid 21199: DETAIL: connecting 0 backend<br>2020-10-01 07:33:06: pid 21199: DEBUG: authentication backend<br>2020-10-01 07:33:06: pid 21199: DETAIL: auth kind:0<br></div><div><br></div><div>Regards</div><div>Umar Hayat</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Umar,<br>
<br>
I actually expected that psql connects to Pgpool-II without GSSAPI<br>
auth (i.e. fallback to non-GSSAPI auth). In my understanding the<br>
default behavior of psql does so because of gssencmode=prefer. Can<br>
you please enable pgpool debug log by log_min_messages=debug1 and show<br>
the log?<br>
<br>
> Thank you!<br>
> <br>
>> Hi Ishii,<br>
>> <br>
>> I tested your patch and was not able to apply it, so I rebased it. I tested<br>
>> it on Pgpool 4.1 and it is working as expected.<br>
>> <br>
>> - GSSAPI Authentication direct to PG13<br>
>> [umarhayat@localhost pgpool2]# psql -U<br>
>> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p<br>
>> 5432<br>
>> psql (13.0)<br>
>> GSSAPI-encrypted connection<br>
>> Type "help" for help.<br>
>> <br>
>> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)<br>
>> postgres=# \q<br>
>> [umarhayat@localhost pgpool2]# psql -U<br>
>> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p<br>
>> 9999<br>
>> psql: error: could not connect to server: server closed the connection<br>
>> unexpectedly<br>
>> This probably means the server terminated abnormally<br>
>> before or while processing the request.<br>
>> <br>
>> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)<br>
>> [umarhayat@localhost pgpool2]# psql -U<br>
>> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p<br>
>> 9999<br>
>> psql: error: could not connect to server: ERROR: failed to authenticate<br>
>> with backend<br>
>> DETAIL: unsupported auth kind received from backend: authkind:7<br>
>> <br>
>> Regards<br>
>> Umar Hayat<br>
>> <br>
>> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>> wrote:<br>
>> <br>
>>> As you might already know, Pgpool-II currently does not support<br>
>>> GSSAPI. Until we support it, I think we need to tell frontend that<br>
>>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise<br>
>>> frontend will have a confusing message from Pgpool-II.<br>
>>><br>
>>> <a href="https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html" rel="noreferrer" target="_blank">https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html</a><br>
>>><br>
>>> Attached patch should do it. I don't have GSSAPI enabled frontend and<br>
>>> I cannot test it. I would appreciate if someone tests it out.<br>
>>><br>
>>> Best regards,<br>
>>> --<br>
>>> Tatsuo Ishii<br>
>>> SRA OSS, Inc. Japan<br>
>>> English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
>>> Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
>>> _______________________________________________<br>
>>> pgpool-hackers mailing list<br>
>>> <a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
>>> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
>>><br>
> _______________________________________________<br>
> pgpool-hackers mailing list<br>
> <a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
</blockquote></div>