<div dir="ltr">Hi Ishii,<div>I don't have any SSL setup for the database I am using. In the last log I shared for fallback, only trust was used as the fallback. I am not sure why we see SSLRequest in the log (could it be a bug?)</div><div><br></div><div>I retested the fallback scenario with scram-sha-256 and the following is the log; it successfully used scram-sha-256 after the GSS fallback.</div><div><br></div><div>psql output:</div><div>[umarhayat@myrealm pgpool2]# psql -U "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p 9999<br>
Password for user postgres/myrealm.example@MYREALM.EXAMPLE: <br>
psql (13.0)<br>
Type "help" for help.<br>
</div><div><br></div><div>pgpool log:</div><div>2020-10-02 12:16:34: pid 35644: DEBUG: selecting backend connection<br>
2020-10-02 12:16:34: pid 35644: DETAIL: GSSAPI request from client<br>
2020-10-02 12:16:34: pid 35644: DEBUG: reading startup packet<br>
2020-10-02 12:16:34: pid 35644: DETAIL: Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0<br>
2020-10-02 12:16:34: pid 35644: DEBUG: selecting backend connection<br>
2020-10-02 12:16:34: pid 35644: DETAIL: SSLRequest from client<br>
2020-10-02 12:16:34: pid 35644: DEBUG: reading startup packet<br>
2020-10-02 12:16:34: pid 35644: DETAIL: application_name: psql<br>
2020-10-02 12:16:34: pid 35644: DEBUG: reading startup packet<br>
2020-10-02 12:16:34: pid 35644: DETAIL: Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example@MYREALM.EXAMPLE<br>
2020-10-02 12:16:34: pid 35644: DEBUG: creating new connection to backend<br>
2020-10-02 12:16:34: pid 35644: DETAIL: connecting 0 backend<br>
2020-10-02 12:16:34: pid 35644: DEBUG: authentication backend<br>
2020-10-02 12:16:34: pid 35644: DETAIL: auth kind:10<br>
2020-10-02 12:16:34: pid 35644: DEBUG: authentication backend 0<br>
2020-10-02 12:16:34: pid 35644: DETAIL: trying SCRAM authentication<br>
2020-10-02 12:16:38: pid 35669: DEBUG: I am 35669 accept fd 7<br>
2020-10-02 12:16:38: pid 35669: DEBUG: reading startup packet<br>
2020-10-02 12:16:38: pid 35669: DETAIL: Protocol Major: 1234 Minor: 5680 database: user: <br>
2020-10-02 12:16:38: pid 35669: DEBUG: selecting backend connection<br>
2020-10-02 12:16:38: pid 35669: DETAIL: GSSAPI request from client<br>
2020-10-02 12:16:38: pid 35669: DEBUG: reading startup packet<br>
2020-10-02 12:16:38: pid 35669: DETAIL: Protocol Major: 1234 Minor: 5679 database: � 0 user: � 0<br>
2020-10-02 12:16:38: pid 35669: DEBUG: selecting backend connection<br>
2020-10-02 12:16:38: pid 35669: DETAIL: SSLRequest from client<br>
2020-10-02 12:16:38: pid 35669: DEBUG: reading startup packet<br>
2020-10-02 12:16:38: pid 35669: DETAIL: application_name: psql<br>
2020-10-02 12:16:38: pid 35669: DEBUG: reading startup packet<br>
2020-10-02 12:16:38: pid 35669: DETAIL: Protocol Major: 3 Minor: 0 database: postgres user: postgres/myrealm.example@MYREALM.EXAMPLE<br>
2020-10-02 12:16:38: pid 35669: DEBUG: creating new connection to backend<br>
2020-10-02 12:16:38: pid 35669: DETAIL: connecting 0 backend<br>
2020-10-02 12:16:38: pid 35669: DEBUG: authentication backend<br>
2020-10-02 12:16:38: pid 35669: DETAIL: auth kind:10<br>
2020-10-02 12:16:38: pid 35669: DEBUG: authentication backend 0<br>
2020-10-02 12:16:38: pid 35669: DETAIL: trying SCRAM authentication<br>
2020-10-02 12:16:38: pid 35669: DEBUG: SCRAM authentication successful for backend 0<br>
</div><div><br></div><div>pg_hba:</div><div>host all all 127.0.0.1/32 scram-sha-256<br>
host all postgres/myrealm.example@MYREALM.EXAMPLE 0.0.0.0/0 gss include_realm=1 krb_realm=MYREALM.EXAMPLE<br>
</div><div><br></div><div><br></div><div>Let me know if more investigation is required.</div><div><br></div><div>Regards</div><div>Umar Hayat</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 2, 2020 at 9:55 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp">ishii@sraoss.co.jp</a>> wrote:<br></div><blockquote class="gmail_quote" 
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Umar,<br>
<br>
> Hi Ishii,<br>
> I didn't share the output earlier, where there is some other pg_hba entry<br>
> available to fall back to. It does fall back in that case. Please see psql<br>
> output and log snippet below.<br>
<br>
Oh, ok thanks. It seems the following output falls back to an SSL<br>
connection. Can you confirm it can also fall back to a non-SSL<br>
connection?<br>
<br>
> [umarhayat@localhost pgpool2]# psql -U<br>
> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres -p<br>
> 9999<br>
> psql (13.0)<br>
> Type "help" for help.<br>
> <br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5680<br>
> database: user:<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: GSSAPI request from client<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 1234 Minor: 5679<br>
> database: � 0 user: � 0<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: selecting backend connection<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: SSLRequest from client<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: application_name: psql<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: reading startup packet<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: Protocol Major: 3 Minor: 0<br>
> database: postgres user: postgres/myrealm.example@MYREALM.EXAMPLE<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: creating new connection to backend<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: connecting 0 backend<br>
> 2020-10-01 07:33:06: pid 21199: DEBUG: authentication backend<br>
> 2020-10-01 07:33:06: pid 21199: DETAIL: auth kind:0<br>
> <br>
> Regards<br>
> Umar Hayat<br>
> <br>
> <br>
> On Fri, Oct 2, 2020 at 2:31 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>> wrote:<br>
> <br>
>> Hi Umar,<br>
>><br>
>> I actually expected that psql connects to Pgpool-II without GSSAPI<br>
>> auth (i.e. fallback to non-GSSAPI auth). In my understanding the<br>
>> default behavior of psql does so because of gssencmode=prefer. Can<br>
>> you please enable pgpool debug log by log_min_messages=debug1 and show<br>
>> the log?<br>
>><br>
>> > Thank you!<br>
>> ><br>
>> >> Hi Ishii,<br>
>> >><br>
>> >> I tested your patch and was not able to apply it, so I rebased it. I<br>
>> tested<br>
>> >> it on Pgpool 4.1 and it is working as expected.<br>
>> >><br>
>> >> - GSSAPI Authentication direct to PG13<br>
>> >> [umarhayat@localhost pgpool2]# psql -U<br>
>> >> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres<br>
>> -p<br>
>> >> 5432<br>
>> >> psql (13.0)<br>
>> >> GSSAPI-encrypted connection<br>
>> >> Type "help" for help.<br>
>> >><br>
>> >> - GSSAPI Authentication via Pgpool direct to PG13 (before patch)<br>
>> >> postgres=# \q<br>
>> >> [umarhayat@localhost pgpool2]# psql -U<br>
>> >> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres<br>
>> -p<br>
>> >> 9999<br>
>> >> psql: error: could not connect to server: server closed the connection<br>
>> >> unexpectedly<br>
>> >> This probably means the server terminated abnormally<br>
>> >> before or while processing the request.<br>
>> >><br>
>> >> - GSSAPI Authentication via Pgpool direct to PG13 (after patch)<br>
>> >> [umarhayat@localhost pgpool2]# psql -U<br>
>> >> "postgres/myrealm.example@MYREALM.EXAMPLE" -h myrealm.example postgres<br>
>> -p<br>
>> >> 9999<br>
>> >> psql: error: could not connect to server: ERROR: failed to authenticate<br>
>> >> with backend<br>
>> >> DETAIL: unsupported auth kind received from backend: authkind:7<br>
>> >><br>
>> >> Regards<br>
>> >> Umar Hayat<br>
>> >><br>
>> >> On Wed, Sep 23, 2020 at 8:15 AM Tatsuo Ishii <<a href="mailto:ishii@sraoss.co.jp" target="_blank">ishii@sraoss.co.jp</a>><br>
>> wrote:<br>
>> >><br>
>> >>> As you might already know, Pgpool-II currently does not support<br>
>> >>> GSSAPI. Until we support it, I think we need to tell frontend that<br>
>> >>> Pgpool-II does not support GSSAPI when frontend requests it. Otherwise<br>
>> >>> frontend will have a confusing message from Pgpool-II.<br>
>> >>><br>
>> >>><br>
>> <a href="https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html" rel="noreferrer" target="_blank">https://www.pgpool.net/pipermail/pgpool-general/2020-September/007353.html</a><br>
>> >>><br>
>> >>> Attached patch should do it. I don't have a GSSAPI-enabled frontend and<br>
>> >>> I cannot test it. I would appreciate it if someone tests it out.<br>
>> >>><br>
>> >>> Best regards,<br>
>> >>> --<br>
>> >>> Tatsuo Ishii<br>
>> >>> SRA OSS, Inc. Japan<br>
>> >>> English: <a href="http://www.sraoss.co.jp/index_en.php" rel="noreferrer" target="_blank">http://www.sraoss.co.jp/index_en.php</a><br>
>> >>> Japanese:<a href="http://www.sraoss.co.jp" rel="noreferrer" target="_blank">http://www.sraoss.co.jp</a><br>
>> >>> _______________________________________________<br>
>> >>> pgpool-hackers mailing list<br>
>> >>> <a href="mailto:pgpool-hackers@pgpool.net" target="_blank">pgpool-hackers@pgpool.net</a><br>
>> >>> <a href="http://www.pgpool.net/mailman/listinfo/pgpool-hackers" rel="noreferrer" target="_blank">http://www.pgpool.net/mailman/listinfo/pgpool-hackers</a><br>
>> >>><br>
>><br>
</blockquote></div>
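The negotiation order visible in the pgpool debug log above (1234/5680 GSSENCRequest, then 1234/5679 SSLRequest, then the 3.0 startup message), as an added example that is not part of the original thread or of Pgpool-II's code: a parser for PostgreSQL startup-phase packets, run over a constructed client byte stream. The helper names and the assumption that the proxy refuses both encryption requests with 'N' belong to this example.

```python
import struct

# Special request codes share the pseudo-major version 1234 (PostgreSQL wire protocol).
NEGOTIATION = {5678: "CancelRequest", 5679: "SSLRequest", 5680: "GSSENCRequest"}


def build_packet(major, minor, params=None):
    """Build a length-prefixed startup-phase packet (constructed sample input)."""
    body = struct.pack("!HH", major, minor)
    if params is not None:
        for key, value in params.items():
            body += key.encode() + b"\0" + value.encode() + b"\0"
        body += b"\0"  # terminator after the last key/value pair
    return struct.pack("!I", len(body) + 4) + body


def parse_packet(buf):
    """Return (kind, major, minor, params, bytes_consumed) for one packet."""
    if len(buf) < 8:
        raise ValueError("truncated packet header")
    (length,) = struct.unpack_from("!I", buf, 0)
    if length < 8 or length > len(buf):
        raise ValueError("bad length field")
    major, minor = struct.unpack_from("!HH", buf, 4)
    if major == 1234:
        return NEGOTIATION.get(minor, "unknown"), major, minor, {}, length
    fields = buf[8:length].split(b"\0")
    # key, value, key, value, ..., then empty strings from the terminator
    pairs = zip(fields[0::2], fields[1::2])
    params = {k.decode(): v.decode() for k, v in pairs if k}
    return "StartupMessage", major, minor, params, length


def replay(stream):
    """Walk a client byte stream the way a proxy without GSS/SSL would (assumed)."""
    events, offset = [], 0
    while offset < len(stream):
        kind, major, minor, params, used = parse_packet(stream[offset:])
        reply = "N" if kind in ("SSLRequest", "GSSENCRequest") else None
        events.append((kind, major, minor, reply, params.get("user")))
        offset += used
    return events


# Constructed client stream mirroring the order in the pgpool debug log above.
USER = "postgres/myrealm.example@MYREALM.EXAMPLE"
STREAM = (build_packet(1234, 5680) + build_packet(1234, 5679)
          + build_packet(3, 0, {"user": USER, "database": "postgres",
                                "application_name": "psql"}))
```

`replay(STREAM)` yields one tuple per client packet, so the 1234/5680 and 1234/5679 entries line up with the "Protocol Major/Minor" DETAIL lines in the log before the real 3.0 startup message carries the user name.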