diff --git a/doc/src/sgml/client-auth.sgml b/doc/src/sgml/client-auth.sgml
index 9b26d0106166c33bec731fc17fc5fbec88b0ae55..bf71ea6b882e9f3b18c1f9478c57fd8faef779d6 100644
--- a/doc/src/sgml/client-auth.sgml
+++ b/doc/src/sgml/client-auth.sgml
@@ -923,17 +923,15 @@ omicron bryanh guest1
 <productname>Kerberos</productname>, it uses a standard principal in the format <literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
- <replaceable>servicename</> can be set on the server side using the
- <xref linkend="guc-krb-srvname"> configuration parameter, and on the
- client side using the <literal>krbsrvname</> connection parameter. (See
+ The PostgreSQL server will accept any principal that is included in the keytab used by
+ the server, but care needs to be taken to specify the correct principal details when
+ making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
 also <xref linkend="libpq-paramkeywords">.) The installation default can be changed from the default <literal>postgres</literal> at build time using <literal>./configure --with-krb-srvnam=</><replaceable>whatever</>. In most environments,
- this parameter never needs to be changed. However, it is necessary
- when supporting multiple <productname>PostgreSQL</> installations
- on the same host.
- Some Kerberos implementations might also require a different service name,
+ this parameter never needs to be changed.
+ Some Kerberos implementations might require a different service name,
 such as Microsoft Active Directory which requires the service name to be in upper case (<literal>POSTGRES</literal>).
 </para>
@@ -964,6 +962,9 @@ omicron bryanh guest1
 parameter. The default is <filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever directory was specified as <varname>sysconfdir</> at build time).
+ For security reasons, it is recommended to use a separate keytab
+ just for the <productname>PostgreSQL</productname> server rather
+ than opening up permissions on the system keytab file.
 </para>
 <para>
 The keytab file is generated by the Kerberos software; see the
diff --git a/doc/src/sgml/config.sgml b/doc/src/sgml/config.sgml
index 2811f1148ca0c5a2e136719174799c12a1f436f7..4eff91ebdcde137729d5b0155fc0194e17cffdfc 100644
--- a/doc/src/sgml/config.sgml
+++ b/doc/src/sgml/config.sgml
@@ -1033,20 +1033,6 @@ include 'filename'
 </listitem>
 </varlistentry>
- <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
- <term><varname>krb_srvname</varname> (<type>string</type>)</term>
- <indexterm>
- <primary><varname>krb_srvname</> configuration parameter</primary>
- </indexterm>
- <listitem>
- <para>
- Sets the Kerberos service name. See <xref linkend="gssapi-auth">
- for details. This parameter can only be set in the
- <filename>postgresql.conf</> file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
 <varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
 <term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
 <indexterm>
diff --git a/src/backend/libpq/auth.c b/src/backend/libpq/auth.c
index f03aa7edc22447571e0408f9d4f1a60de693668a..2a46f7b9130ba29af7968b358cbd405ed97f815f 100644
--- a/src/backend/libpq/auth.c
+++ b/src/backend/libpq/auth.c
@@ -129,7 +129,6 @@ static int CheckCertAuth(Port *port);
 *----------------------------------------------------------------
 */
 char *pg_krb_server_keyfile;
-char *pg_krb_srvnam;
 bool pg_krb_caseins_users;
diff --git a/src/backend/utils/misc/guc.c b/src/backend/utils/misc/guc.c
index c76edb48a9bb0ce4636ca0c701cb746f305f5643..7d7d1dc263f4b5405af6395fe8af90a78f236a55 100644
--- a/src/backend/utils/misc/guc.c
+++ b/src/backend/utils/misc/guc.c
@@ -85,9 +85,6 @@
 #ifndef PG_KRB_SRVTAB
 #define PG_KRB_SRVTAB ""
 #endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
 #define CONFIG_FILENAME "postgresql.conf"
 #define HBA_FILENAME "pg_hba.conf"
@@ -2802,16 +2799,6 @@ static struct config_string ConfigureNamesString[] =
 NULL, NULL, NULL
 },
- {
- {"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets the name of the Kerberos service."),
- NULL
- },
- &pg_krb_srvnam,
- PG_KRB_SRVNAM,
- NULL, NULL, NULL
- },
-
 {
 {"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
 gettext_noop("Sets the Bonjour service name."),
diff --git a/src/backend/utils/misc/postgresql.conf.sample b/src/backend/utils/misc/postgresql.conf.sample
index 3629a52c9fe43682852a8e88536f4406c765379d..70e5a5111ec08b23c00955f1408337660a7ba63f 100644
--- a/src/backend/utils/misc/postgresql.conf.sample
+++ b/src/backend/utils/misc/postgresql.conf.sample
@@ -91,9 +91,8 @@
 #password_encryption = on
 #db_user_namespace = off
-# Kerberos and GSSAPI
+# GSSAPI using Kerberos
 #krb_server_keyfile = ''
-#krb_srvname = 'postgres' # (Kerberos only)
 #krb_caseins_users = off
 # - TCP Keepalives -
diff --git a/src/include/libpq/auth.h b/src/include/libpq/auth.h
index 5ae8114e8b915f11d6282570e34a482c03ff62a3..ace647a7ff1ff7efce886bd9bab28f134cd10ccd 100644
--- a/src/include/libpq/auth.h
+++ b/src/include/libpq/auth.h
@@ -17,9 +17,7 @@
 #include "libpq/libpq-be.h"
 extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
 extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
 extern char *pg_krb_realm;
 extern void ClientAuthentication(Port *port);
diff --git a/src/include/libpq/hba.h b/src/include/libpq/hba.h
index 5a103aed195d9188504cb0cae3b0505de9acb1aa..68a953aa628a4534d64c2b4bdb15acb4bc93b701 100644
--- a/src/include/libpq/hba.h
+++ b/src/include/libpq/hba.h
@@ -75,7 +75,6 @@ typedef struct HbaLine
 char *ldapprefix;
 char *ldapsuffix;
 bool clientcert;
- char *krb_server_hostname;
 char *krb_realm;
 bool include_realm;
 char *radiusserver;