notes/postgres/AD convo.md
Paul Trowbridge 2a6f1c5dcf redis
2020-01-12 21:28:28 -05:00

1.3 KiB
Raw Permalink Blame History

mailing_list

wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step

sfrost [11:11 AM] it's basically this: ktpass -out postgres.keytab -princ POSTGRES/centos(at)MY(dot)TESTDOMAIN(dot)LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5 (except adjusted a bit to make it not use a shitty crypto) you use ktpass to create your keytab file copy the keytab file to the Linux box

arossouw [11:12 AM] Seems like effort, i'll just play dumb on that one

sfrost [11:12 AM] oh, gotta fix the princ too or whatever but it's not that hard and you might have to configure the realms, but not necessairly (that info is often in DNS already) then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET'

dtseiler [11:13 AM] Im with @hunleyd, Id love to see a great howto post on that.

arossouw [11:14 AM] I suppose the question is what is the advantage of using kerberos, and then deciding if its worth spending time on

sfrost [11:14 AM] I just wrote it ^^^ see above also wrote the advantage...

hunleyd [11:14 AM] maybe i'll try this as a 10% project some day