Success with OLEDB

I can happily report that the PostgreSQL OLEDB driver works perfectly with Kerberos integrated login with Active Directory! Didn't even need any hackings at all.

Yay!

DOSing PostgreSQL :-(

During my PostgreSQL coding last weekend I found a fairly horrible DOS in a library that PostgreSQL can be compiled with. It's totally exploitable to a DOS (double-free) in a PostgreSQL environment, and the user doesn't need to be authenticated to do it. The crashed backend will cause the postmaster to kick out all other backends and restart then - not good!

The good news is that it's not compiled-in by default, and even if you compile it in, you also have to explicitly enable it to become vulnerable.

Also, the guys with the library responded really fast (hours) and I expect a complete advisory along with a patched version to be out sometime the end of this week or beginning of next. At which times full details will be available...

In summary, there is nothing wrong with PostgreSQL here - it's just a vector to exploit the vulnerability in the library. So there will be no PostgreSQL security patch...

The evil that is RPM

I just returned from yet another really bad experience with RPM. Scenario: RedHat AS 3.0, freshly installed this morning. Not a single package installed from anywhere other than the RHAS CDs. Needed to change the smarthost in sendmail. This required some 10-15 new RPMs to be installed. One of which was "glibc-2.3.2-95.30-i386". So I install it, and bang, RPM stops working with broken libraries. Turns out I should have installed the -i686 version, even though the system told me to install -i386.

The solution? Copy the i686 version over to a slackware machine, run rpm2tgz, copy it back and just untar it in the root. System back alive. Then run some rpm -i --force to make it understand it was there, and now pray it keeps working. It seems good.

No offense to the pg RPM people, but I would never risk using RPM to install my database. PostgreSQL goes in from source every time. (On Unix that is - on Win32 I use the installer. Because frankly, I've never seen this level of problems on a Windows machine as long as you don't install "weird software")

Now, I wouldn't run RedHat on the box if it was my choice either - slackware is my distro of choice for servers. But for some reason people who say "we support Linux" really only mean "we support RedHat". Which sucks really bad, but that's a different story...

Oh, and in about 1 hour of doing simple "rpm -i" on all the required packages, the RPM database was corrupted four times. Perhaps it's time for these people to put their data in a PostgreSQL database...

Finally, thanks to Devrim for attempting to help me solve this in a less hackish way.

Open source and support

So people keep telling me that you can't get good support for open source. At least, you can't get it unless you pay for it. At least not if you need actual code changes. At least not.. etc etc.

Yesterday I opened a bug with Mono, because it crashed (segfault) whenever I tried to execute anything on the Graphics class. In about 30 minutes I had my first response, asking for some more information. Another 20 minutes later and I had a solution - I was missing a scalable sserif font on my system (it's a server after all). And 5 more minutes confirming that a better error message will appear in a later version.

This is the second time I had to file a bug with Mono. The first time, it was XML-related, and an actual code bug. In this case I had a patch to apply to my installation within 48 hours, and it was included in the next release (in the meantime, I had a workaround).

In contrast, I've had an ipsec issue open with Microsoft since last week, without an actual solution in sight. Granted, this is a more complex issue than the ones above. And don't get me wrong, the guy(s?) working on it from the MS are doing a good job. But it generally takes more time. And more than once I've had cases closed with "no resolution, issue will not be fixed".

There are of course cases when things aren't fixed, but a (good or bad) workaround is provided in the open source world as well. But the argument that support is worse there just doesn't stand. In my experience, it's usually about as good.

Unless you are in a position where you can hire someone (or have someone on your staff) that can actually fix the broken code. In this case, open source is a winner because it is possible to do this. That's just not possible in closed source - I can have an army of good coders, they still can't fix a bug in Windows.

Nice article about the installer

Seems at least somebody thinks we did a good job with the MSI installer for PostgreSQL on Win32 (and the db, but the installer was the focus). PostgreSQL vs MySQL vs Oracle on Win32, and PostgreSQL won the total score. And in the point specific about the installer, it was 10/10 for PostgreSQL, 5/10 for MySQL and 7/10 for Oracle.

Oh. The article.

PostgreSQL vs Active Directory

My project to integrate PostgreSQL with Active Directory is progressing nicely.

(Yes, this is a good thing. MS SQL Server has "Integrated Security" which means it leverages the existing Windows login to automatically access the database without a separate password. In a domain environment (read corporate environment), this is usually a very good thing. Having similar functionality in PostgreSQL helps make migration easier.)

Once the patches that were included in 8.0.2 got in, the remaining job wasn't very hard. Getting basic kerberos interoperability working was a lot easier now than last time I tried it, lots of progress made on the kerberos distributions there.

So far it only works if your server runs on Linux (or any unix should work - the point is that the win32 native server currently does not work). The clients can run either Windows or Unix. It requires the clients to use libpq (which means perhaps it works with the OLE DB driver since it's based on libpq - I need to test that).

It also requires the server and libpq to be recompiled with a different compile option. I'm going to be working on a patch for 8.1 to solve that.

A HOWTO document will be written once I've ironed out the last parts of the process. What I have now is enough for me to deploy to a set of about 30 users for 10dbs, but the build instructions are not exactly clear ATM.

Oh, and big thanks to Dave and the pgAdmin team for putting out 1.2.1 so quickly which had a fix required for Kerberos authentication to work.

Windows interop weirdness plus torrent news

Hit something really weird in the windows vs linux interop department yesterday. Consider this:

Format a disk FAT32 in Windows. Mount it in linux, copy some files, reboot into Windows XP setup and proceed to install Windows. Works just fine.

Format a disk FAT32 in Linux. Mount in linux, copy some files. Reboot into Windows XP setup and proceed to install Windows. Works just fine - up to a point. After reboot (after Windows Setup has copied all files from the network to the local disk), the machine no longer boots - reports "Disk error" in the boot sector.

So much for interop. Solution? Do a disk image of a FAT32 partition formatted in Windows (empty - the image ends up around 10K for a 3Gb partition), and then restore that disk image from linux. Then it works. Hmmmm..

To make this post a little more PostgreSQL related, I got the new bittorrent stuff pushed out for www.postgresql.org yesterday. Now torrent downloads are automated, and they are automatically listed in the ftp browser. Should make it easier to find the torrents, and easier to make them track reality around new releases.

Getting started

So I guess Devrim talked me into starting one of these as well - I think he wants to create an army or something. We'll see where it ends. There should certainly be some PostgreSQL stuff I can rant about...
