From: | Stephen Frost <sfrost(at)snowman(dot)net> |
---|---|
To: | Shaun Thomas <sthomas(at)optionshouse(dot)com> |
Cc: | Scott Marlowe <scott(dot)marlowe(at)gmail(dot)com>, PostgreSQL General <pgsql-general(at)postgresql(dot)org> |
Subject: | Re: .pgpass and root: a problem |
Date: | 2013-02-05 22:05:37 |
Message-ID: | 20130205220537.GR16126@tamriel.snowman.net |
Lists: | pgsql-general |

* Shaun Thomas (sthomas(at)optionshouse(dot)com) wrote:
> On 02/05/2013 03:40 PM, Stephen Frost wrote:
> >You need to register the server w/ AD by creating a principal for it and
> >then exporting the princ (shared secret between the KDC and the server)
> >and then loading it on the server.
>
> That looks like something our Windows admins will have to do since
> they administer the AD setup and there's no service delegation so
> far as I know.

Yes, they would need to handle it. If you're running PG on Linux/Unix
and/or have multiple Unix systems, I'd recommend that you strongly
consider decoupling the Kerberos-on-Unix setup from the Windows-AD
administration by having a Unix KDC and a cross-realm trust between the
two environments. If you have a Unix admin group, you might discuss it
with them.

> >Funny, as it's what makes AD work.
>
> You might think that, but so far as I've been concerned thus far, AD
> = LDAP. I'm just a DBA, after all. :)

Yeah, AD is actually LDAP+Kerberos. When you log in to your desktop
system (assuming it's a Windows system which is joined to your active
directory domain), you're actually authenticating via Kerberos.

Thanks,
Stephen