From e3929e4bc1acca8eca0c3c0a05dbe3ca6ff95f81 Mon Sep 17 00:00:00 2001 From: Paul Trowbridge Date: Thu, 7 Apr 2022 13:03:13 -0400 Subject: [PATCH] old file --- postgres/AD convo.md | 37 ------------------------------------- 1 file changed, 37 deletions(-) delete mode 100644 postgres/AD convo.md diff --git a/postgres/AD convo.md b/postgres/AD convo.md deleted file mode 100644 index 76de892..0000000 --- a/postgres/AD convo.md +++ /dev/null @@ -1,37 +0,0 @@ -[mailing_list](https://www.postgresql.org/message-id/flat/CAHq%2BKHJOvZT8M-o_sE%2BQzqqBGnUjNubWo_rRmpHZyw5ZUuaseg%40mail.gmail.com) - - -wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step - -sfrost [11:11 AM] -it's basically this: -ktpass -out postgres.keytab -princ -POSTGRES/centos(at)MY(dot)TESTDOMAIN(dot)LAN -mapUser enterprisedb -pass XXXXXX --crypto DES-CBC-MD5 -(except adjusted a bit to make it not use a shitty crypto) -you use ktpass to create your keytab file -copy the keytab file to the Linux box - -arossouw [11:12 AM] -Seems like effort, i'll just play dumb on that one - -sfrost [11:12 AM] -oh, gotta fix the princ too or whatever -but it's not that hard -and you might have to configure the realms, but not necessairly (that info is often in DNS already) -then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET' - -dtseiler [11:13 AM] -I’m with @hunleyd, I’d love to see a great howto post on that. - -arossouw [11:14 AM] -I suppose the question is what is the advantage of using kerberos, and then deciding if its worth spending time on - -sfrost [11:14 AM] -I just wrote it -^^^ see above -also wrote the advantage... - - -hunleyd [11:14 AM] -maybe i'll try this as a 10% project some day \ No newline at end of file
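Review bot: the subject "old file" does not say why postgres/AD convo.md is removed. The 37 deleted lines hold the mailing-list link and the Kerberos/GSSAPI setup steps for Postgres (create the keytab with ktpass, copy it to the Linux box, point PG at the keytab, set gssapi in PG's hba.conf, create users by principal name). Please state in the commit message whether that material now lives elsewhere or is dropped on purpose. If it is carried over, the quoted ktpass line uses `-crypto DES-CBC-MD5`, which the conversation itself says needs adjusting to a stronger cipher, so the copy should not keep that value as the example. Deleting the file also leaves its contents in history, so it is worth confirming that `-pass XXXXXX` was masked in every earlier revision of this file.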