notes/postgres/AD convo.md
Paul Trowbridge 2a6f1c5dcf redis
2020-01-12 21:28:28 -05:00

[mailing_list](https://www.postgresql.org/message-id/flat/CAHq%2BKHJOvZT8M-o_sE%2BQzqqBGnUjNubWo_rRmpHZyw5ZUuaseg%40mail.gmail.com)
wouldn't that be Pg authing against the OS (pam) which in turn is forwarding to krb5? which seems like an extra added step
sfrost [11:11 AM]
it's basically this:
```
ktpass -out postgres.keytab -princ POSTGRES/centos@MY.TESTDOMAIN.LAN -mapUser enterprisedb -pass XXXXXX -crypto DES-CBC-MD5
```
(except adjusted a bit to make it not use a shitty crypto)
you use ktpass to create your keytab file
copy the keytab file to the Linux box
arossouw [11:12 AM]
Seems like effort, I'll just play dumb on that one
sfrost [11:12 AM]
oh, gotta fix the princ too or whatever
but it's not that hard
and you might have to configure the realms, but not necessarily (that info is often in DNS already)
then you just tell PG where the keytab file is, set gssapi in PG's hba.conf, and create your users using their princ names, like 'sfrost@SNOWMAN.NET'
dtseiler [11:13 AM]
I'm with @hunleyd, I'd love to see a great howto post on that.
arossouw [11:14 AM]
I suppose the question is what is the advantage of using kerberos, and then deciding if it's worth spending time on
sfrost [11:14 AM]
I just wrote it
^^^ see above
also wrote the advantage...
hunleyd [11:14 AM]
maybe I'll try this as a 10% project some day