Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16

From: Yee Yee ( 舒兰) <sweety(dot)soul7(at)gmail(dot)com>
To: Stephen Frost <sfrost(at)snowman(dot)net>
Cc: pgsql-admin(at)postgresql(dot)org
Subject: Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16
Date: 2023-11-20 06:40:50
Message-ID: CAPiU01z92ssgKw14Jd08=qPPg88YK1M3JK_zH4nfAY-qgWmAJw@mail.gmail.com
Lists: pgsql-admin

Hi Stephen,

For item 5, I would like to confirm whether I need to apply both TLS/SSL
and GSSAPI authentication or if applying GSSAPI authentication alone is
sufficient.

According to your post, do I only need to create one user 'pg1postgres' and
generate one keytab file with this user? After that, should I map all the
Windows users (we have 200+ users) to 'pg1postgres' inside
pg_ident.conf?

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thank you for your help and time.
Regards,
Yee Yee

On Mon, Nov 20, 2023 at 10:18 AM Yee Yee ( 舒兰) <sweety(dot)soul7(at)gmail(dot)com>
wrote:

> Hi Stephen,
>
> I will follow your advice and the post. I'll ask for help again if there
> are any errors.
> Thank you for your valuable advice and time.
>
> Regards,
> Yee Yee
>
> On Sun, Nov 19, 2023 at 1:39 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:
>
>> Greetings,
>>
>> * Yee Yee ( 舒兰) (sweety(dot)soul7(at)gmail(dot)com) wrote:
>> > I am attempting to configure Windows authentication on the Red Hat Linux
>> > server to connect to Windows AD. I chose the GSSAPI authentication method,
>> > but unfortunately, it is not working. May I ask a few questions:
>> >
>> > 1. What is the recommended authentication method from PostgreSQL if we
>> > want to use Windows authentication from Linux?
>>
>> gssapi is what's recommended
>>
>> > 2. Do I need to generate a keytab file for every user or do I need to
>> > modify the /etc/krb5.keytab file one time only?
>>
>> The keytab on the server is only needed for the postgres kerberos
>> principal. You do *not* need one for every user. Note that the keytab
>> does need to be able to be read by the PG server and so you might want
>> to use a different keytab than /etc/krb5.keytab. You can tell PG where
>> the keytab is in postgresql.conf with krb_server_keyfile.
>>
>> > 3. Do I need to remote to Windows AD and generate the keytab file or
>> > generate from Postgres Linux server itself?
>>
>> I've typically done it from the AD but the 'realm' command can be used
>> to join systems to AD too. For directions on the former, you might find
>> this blog post to be helpful:
>>
>>
>> https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
>>
>> > 4. Do I need to set up the Linux server domain name the same as the
>> > username domain name, e.g., [serverName(at)domainname(dot)com] and
>> > domainname/username?
>>
>> Not sure I'm entirely following this question but the domain name
>> typically matches the realm name and is generally the same for all users
>> and services inside of smaller AD environments. Once you get to larger
>> ones, you may have multiple realms (you start to have a 'forest' instead
>> of just a single 'tree') with cross-realm trusts and such. You can also
>> technically have multiple domains inside of a given realm but you have
>> to set up appropriate DNS or configuration for the systems to know which
>> realm they're a part of.
>>
>> > 5. According to PostgreSQL 15 (hostgssenc - This record matches
>> > connection attempts made using TCP/IP but only when the connection is made
>> > with GSSAPI encryption. To make use of this option, the server must be
>> > built with GSSAPI support. Otherwise, the hostgssenc record is ignored,
>> > except for logging a warning that it cannot match any connections.) - which
>> > kind of components should the Linux OS install to use GSSAPI authentication?
>> > Recently my Linux OS can only find cyrus-sasl-gssapi.x86_64 and
>> > rsyslog-gssapi.x86_64.
>>
>> MIT Kerberos provides the GSSAPI authentication and encryption.
>>
>> Note that GSSAPI encryption is only available with PostgreSQL today when
>> both sides are using the MIT Kerberos GSSAPI library. Kerberos on
>> Windows typically uses the SSPI functionality provided as part of the
>> Windows OS. PostgreSQL doesn't yet support SSPI encryption of the
>> connection, though that's certainly something we'd like to support in
>> the future and if you're interested in that work, that would be good to
>> know. In the meantime, TLS/SSL can be used to provide encryption and
>> can be used with GSSAPI authentication, which works between Windows and
>> Linux systems just fine.
>>
>> Thanks,
>>
>> Stephen
>>
>

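Added example, not code from this thread or from PostgreSQL itself: a small Python evaluator that applies the documented pg_ident.conf matching rules to Kerberos principals. It illustrates the follow-up question about 200+ Windows users together with Stephen's point that the keytab is only for the server's service principal: each client proves its own identity with its Kerberos principal, and pg_ident.conf maps that principal to a database role, so one regex entry covers every account in the realm instead of one line per user or one shared account. The realm EXAMPLE.COM, the map name adusers, the principals and the role names are all constructed for the example; PostgreSQL does this check itself inside the server, and the script only imitates the rules from the docs.

```python
"""
Added example (not from the thread): applies the documented pg_ident.conf
matching rules to Kerberos principals, showing how a single anchored regex
line maps every principal in a realm and why anchoring on the realm matters.

Everything below (realm EXAMPLE.COM, map name "adusers", principals, roles)
is constructed for the example. The real check happens inside the server;
this script only imitates the rules in the PostgreSQL documentation.
"""
import re
from typing import List, Tuple

# Constructed pg_ident.conf. Fields: MAPNAME  SYSTEM-USERNAME  PG-USERNAME.
# A SYSTEM-USERNAME starting with "/" is a regex; "\1" in the PG-USERNAME is
# replaced by the regex's first capture group.
PG_IDENT_CONF = r"""
# MAPNAME     SYSTEM-USERNAME                    PG-USERNAME
# One anchored regex line maps every principal in the realm to a same-named role.
adusers       /^([A-Za-z0-9._-]+)@EXAMPLE\.COM$   \1
# A literal line for one principal that must use a differently named role.
adusers       dba-svc@EXAMPLE.COM                postgres
# Anti-pattern, kept only to demonstrate the problem: no ^ or $ anchors.
unanchored    /([A-Za-z0-9._-]+)@EXAMPLE\.COM     \1
"""

# Matching pg_hba.conf lines (reference only; not parsed here). Windows SSPI
# clients cannot use GSSAPI encryption, so pair gss auth with TLS:
#   hostssl     all  all  10.0.0.0/8  gss  map=adusers include_realm=1 krb_realm=EXAMPLE.COM
# MIT Kerberos clients can use GSSAPI encryption instead of TLS:
#   hostgssenc  all  all  10.0.0.0/8  gss  map=adusers include_realm=1 krb_realm=EXAMPLE.COM

Entry = Tuple[str, str, str]


def parse_pg_ident(text: str) -> List[Entry]:
    """Parse pg_ident.conf into (map, system_user, pg_role) tuples.
    Simplified tokenizer: '#' starts a comment and fields are whitespace
    separated, so quoted fields and '#' inside a regex are not supported."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append((fields[0], fields[1], fields[2]))
    return entries


def usermap_allows(entries: List[Entry], map_name: str, system_user: str,
                   pg_role: str, case_insensitive: bool = False) -> bool:
    """True if the map permits the authenticated principal `system_user` to
    connect as `pg_role`. Documented rule: the first entry of this map whose
    SYSTEM-USERNAME matches and whose (substituted) PG-USERNAME equals the
    requested role wins. `case_insensitive` stands in for krb_caseins_users;
    in this example it relaxes the literal and role comparisons only, while
    the regex itself is still matched case-sensitively (this example's
    reading of the server's behaviour)."""

    def same(a: str, b: str) -> bool:
        return a.lower() == b.lower() if case_insensitive else a == b

    for name, sys_pat, role_pat in entries:
        if name != map_name:
            continue
        if sys_pat.startswith("/"):
            # re.search, not re.fullmatch: the regex is not anchored for you,
            # so the "^...$" written in the pattern is what scopes it.
            m = re.search(sys_pat[1:], system_user)
            if m is None:
                continue
            if r"\1" in role_pat:
                if not m.groups():
                    raise ValueError(f"{sys_pat!r} has no capture group for \\1")
                candidate = role_pat.replace(r"\1", m.group(1))
            else:
                candidate = role_pat
            if same(candidate, pg_role):
                return True
        elif same(sys_pat, system_user) and same(role_pat, pg_role):
            return True
    return False


if __name__ == "__main__":
    entries = parse_pg_ident(PG_IDENT_CONF)
    checks = [
        ("adusers", "alice@EXAMPLE.COM", "alice"),         # in-realm user, same-named role
        ("adusers", "alice@EXAMPLE.COM", "bob"),           # cannot pick someone else's role
        ("adusers", "dba-svc@EXAMPLE.COM", "postgres"),    # literal line
        ("adusers", "alice@OTHER.COM", "alice"),           # foreign realm rejected
        ("adusers", "alice@EXAMPLE.COMPANY", "alice"),     # look-alike realm rejected...
        ("unanchored", "alice@EXAMPLE.COMPANY", "alice"),  # ...but accepted by the unanchored map
        ("adusers", "Alice@EXAMPLE.COM", "alice"),         # case-sensitive by default
    ]
    for m, user, role in checks:
        print(f"{m:10} {user:24} -> {role:9} {usermap_allows(entries, m, user, role)}")
```

Running it prints which (principal, role) pairs each map accepts. Three points carry over to a real deployment: keep include_realm=1 (the default in PostgreSQL 15/16) and either set krb_realm or anchor the regex on the realm, otherwise a same-named principal from another realm, or from a look-alike realm as in the unanchored map above, is accepted; Windows commonly yields mixed-case principals, which the map compares case-sensitively unless krb_caseins_users is on; and the keytab named by krb_server_keyfile should be readable only by the postgres OS user, which is a reason to keep it separate from /etc/krb5.keytab as the reply above suggests.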