1.3 KiB
wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step
sfrost [11:11 AM] it's basically this: ktpass -out postgres.keytab -princ POSTGRES/centos(at)MY(dot)TESTDOMAIN(dot)LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5 (except adjusted a bit to make it not use a shitty crypto) you use ktpass to create your keytab file copy the keytab file to the Linux box
arossouw [11:12 AM] Seems like effort, i'll just play dumb on that one
sfrost [11:12 AM] oh, gotta fix the princ too or whatever but it's not that hard and you might have to configure the realms, but not necessairly (that info is often in DNS already) then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET'
dtseiler [11:13 AM] I’m with @hunleyd, I’d love to see a great howto post on that.
arossouw [11:14 AM] I suppose the question is what is the advantage of using kerberos, and then deciding if its worth spending time on
sfrost [11:14 AM] I just wrote it ^^^ see above also wrote the advantage...
hunleyd [11:14 AM] maybe i'll try this as a 10% project some day