From 0294023a6b1c5df7683707a77238ab634d4ea8c1 Mon Sep 17 00:00:00 2001 From: Magnus Hagander Date: Sun, 16 Mar 2014 15:18:52 +0100 Subject: Cleanups from the remove-native-krb5 patch krb_srvname is actually not available anymore as a parameter server-side, since with gssapi we accept all principals in our keytab. It's still used in libpq for client side specification. In passing remove declaration of krb_server_hostname, where all the functionality was already removed. Noted by Stephen Frost, though a different solution than his suggestion --- doc/src/sgml/client-auth.sgml | 15 ++++++++------- doc/src/sgml/config.sgml | 14 -------------- 2 files changed, 8 insertions(+), 21 deletions(-) (limited to 'doc/src') diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml index 9b26d010616..bf71ea6b882 100644 --- a/doc/src/sgml/client-auth.sgml +++ b/doc/src/sgml/client-auth.sgml 
@@ -923,17 +923,15 @@ omicron bryanh guest1 Kerberos, it uses a standard principal in the format servicename/hostname@realm. - servicename can be set on the server side using the - configuration parameter, and on the - client side using the krbsrvname connection parameter. (See + The PostgreSQL server will accept any principal that is included in the keytab used by + the server, but care needs to be taken to specify the correct principal details when + making the connection from the client using the krbsrvname connection parameter. (See also .) The installation default can be changed from the default postgres at build time using ./configure --with-krb-srvnam=whatever. In most environments, - this parameter never needs to be changed. However, it is necessary - when supporting multiple PostgreSQL installations - on the same host. - Some Kerberos implementations might also require a different service name, + this parameter never needs to be changed. + Some Kerberos implementations might require a different service name, such as Microsoft Active Directory which requires the service name to be in upper case (POSTGRES). @@ -964,6 +962,9 @@ omicron bryanh guest1 parameter. The default is /usr/local/pgsql/etc/krb5.keytab (or whatever directory was specified as sysconfdir at build time). + For security reasons, it is recommended to use a separate keytab + just for the PostgreSQL server rather + than opening up permissions on the system keytab file. The keytab file is generated by the Kerberos software; see the diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml index 2811f1148ca..4eff91ebdcd 100644 --- a/doc/src/sgml/config.sgml +++ b/doc/src/sgml/config.sgml @@ -1033,20 +1033,6 @@ include 'filename' - - krb_srvname (string) - - krb_srvname configuration parameter - - - - Sets the Kerberos service name. See - for details. This parameter can only be set in the - postgresql.conf file or on the server command line. - - - - krb_caseins_users (boolean) -- cgit v1.2.3
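Review bot: In the client-auth.sgml hunk at @@ -923, the added sentence "The PostgreSQL server will accept any principal that is included in the keytab used by the server" makes the keytab contents the only server-side limit on which service principals are accepted, but the text never says so. Suggest adding a sentence advising that the keytab contain only the principals intended for this server. A smaller wording point in the same hunk: with the server-side parameter reference removed, "In most environments, this parameter never needs to be changed" now follows the ./configure sentence, and it is unclear whether "this parameter" means the krbsrvname connection parameter or the build-time default. Naming it explicitly would fix that.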
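Review bot: In the client-auth.sgml hunk at @@ -964, "For security reasons" does not name the reason, so a reader cannot judge when the advice applies. Suggest stating it: the system keytab holds keys for other services on the host, and opening its permissions to the PostgreSQL server account exposes those keys as well. The sentence could also say what permissions the separate keytab should have, since the visible paragraph gives only its default location.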
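Review bot: In the config.sgml hunk at @@ -1033, the krb_srvname entry is deleted with no replacement pointer, so someone who still has krb_srvname set in postgresql.conf and looks it up in the configuration chapter finds nothing. The commit message gives the reason (with gssapi the server accepts all principals in its keytab); a release-note entry saying the server-side setting is gone and that krbsrvname remains a libpq connection parameter would carry that into the docs. The diffstat lists only client-auth.sgml and config.sgml, so it is also worth grepping doc/src/sgml for any remaining cross-reference to the removed entry.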