2020-01-12 21:28:28 -05:00
[mailing_list](https://www.postgresql.org/message-id/flat/CAHq%2BKHJOvZT8M-o_sE%2BQzqqBGnUjNubWo_rRmpHZyw5ZUuaseg%40mail.gmail.com)
wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step

sfrost [11:11 AM]
it's basically this:
ktpass -out postgres.keytab -princ POSTGRES/centos@MY.TESTDOMAIN.LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
(except adjusted a bit to make it not use a shitty crypto)
you use ktpass to create your keytab file
copy the keytab file to the Linux box

arossouw [11:12 AM]
Seems like effort, I'll just play dumb on that one

sfrost [11:12 AM]
oh, gotta fix the princ too or whatever
but it's not that hard
and you might have to configure the realms, but not necessarily (that info is often in DNS already)
then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET'

dtseiler [11:13 AM]
I’m with @hunleyd, I’d love to see a great howto post on that.

arossouw [11:14 AM]
I suppose the question is what is the advantage of using kerberos, and then deciding if it's worth spending time on

sfrost [11:14 AM]
I just wrote it
^^^ see above
also wrote the advantage...

hunleyd [11:14 AM]
maybe I'll try this as a 10% project some day