active directory

2018-08-23 13:34:03 -04:00 · 2018-08-23 13:34:03 -04:00 · abd8a2c459
commit abd8a2c459
parent ec201342f8
1 changed files with 37 additions and 0 deletions
--- a/convo.md
+++ b/convo.md
@ -0,0 +1,37 @@
+[mailing_list](https://www.postgresql.org/message-id/flat/CAHq%2BKHJOvZT8M-o_sE%2BQzqqBGnUjNubWo_rRmpHZyw5ZUuaseg%40mail.gmail.com)
+
+
+wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step
+
+sfrost [11:11 AM]
+it's basically this:
+ktpass -out postgres.keytab -princ
+POSTGRES/centos(at)MY(dot)TESTDOMAIN(dot)LAN -mapUser enterprisedb -pass XXXXXX
+-crypto DES-CBC-MD5
+(except adjusted a bit to make it not use a shitty crypto)
+you use ktpass to create your keytab file
+copy the keytab file to the Linux box
+
+arossouw [11:12 AM]
+Seems like effort, i'll just play dumb on that one
+
+sfrost [11:12 AM]
+oh, gotta fix the princ too or whatever
+but it's not that hard
+and you might have to configure the realms, but not necessairly (that info is often in DNS already)
+then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET'
+
+dtseiler [11:13 AM]
+I’m with @hunleyd, I’d love to see a great howto post on that.
+
+arossouw [11:14 AM]
+I suppose the question is what is the advantage of using kerberos, and then deciding if its worth spending time on
+
+sfrost [11:14 AM]
+I just wrote it
+^^^ see above
+also wrote the advantage...
+
+
+hunleyd [11:14 AM]
+maybe i'll try this as a 10% project some day