Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16

Hi Stephen,

I will follow your advice and the post. I'll ask for help again if there
are any errors.
Thank you for your valuable advice and time.

Regards,
Yee Yee

On Sun, Nov 19, 2023 at 1:39 AM Stephen Frost <sfrost(at)snowman(dot)net> wrote:

> Greetings,
>
> * Yee Yee ( 舒兰） (sweety(dot)soul7(at)gmail(dot)com) wrote:
> > I am attempting to configure Windows authentication on the Red Hat Linux
> > server to connect to Windows AD. I chose the GSSAPI authentication
> method,
> > but unfortunately, it is not working. May I ask a few questions:
> >
> > 1. What is the recommended authentication method from PostgreSQL if we
> > want to use Windows authentication from Linux?
>
> gssapi is what's recommended
>
> > 2. Do I need to generate a keytab file for every user or do I need to
> > modify the /etc/krb5.keytab file one time only?
>
> The keytab on the server is only needed for the postgres kerberos
> principal. You do *not* need one for every user. Note that the keytab
> does need to be able to be read by the PG server and so you might want
> to use a different keytab than /etc/krb5.keytab. You can tell PG where
> the keytab is in postgresql.conf with krb_server_keyfile.
>
> > 3. Do I need to remote to Windows AD and generate the keytab file or
> > generate from Postgres Linux server itself?
>
> I've typically done it from the AD but the 'realm' command can be used
> to join systems to AD too. For directions on the former, you might find
> this blog post to be helpful:
>
>
> https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
>
> > 4. Do I need to set up the Linux server domain name the same as the
> > username domain name, e.g., [serverName(at)domainname(dot)com] and
> > domainname/username?
>
> Not sure I'm entirely following this question but the domain name
> typically matches the realm name and is generally the same for all users
> and services inside of smaller AD environments. Once you get to larger
> ones, you may have multiple realms (you start to have a 'forest' instead
> of just a single 'tree') with cross-realm trusts and such. You can also
> technically have multiple domains inside of a given realm but you have
> to set up appropriate DNS or configuration for the systems to know which
> realm they're a part of.
>
> > 5. According to PostgreSQL 15 (hostgssenc - This record matches
> > connection attempts made using TCP/IP but only when the connection is
> made
> > with GSSAPI encryption. To make use of this option, the server must be
> > built with GSSAPI support. Otherwise, the hostgssenc record is
> ignored,
> > except for logging a warning that it cannot match any connections.) -
> which
> > kind of components should Linux OS install to use GSSAPI
> authentication?".
> > Recently my Linux OS only can find cyrus-sasl-gssapi.x86_64
> > rsyslog-gssapi.x86_64.
>
> MIT Kerberos provides the GSSAPI authentication and encryption.
>
> Note that GSSAPI encryption is only available with PostgreSQL today when
> both sides are using the MIT Kerberos GSSAPI library. Kerberos on
> Windows typically uses the SSPI functionality provided as part of the
> Windows OS. PostgreSQL doesn't yet support SSPI encryption of the
> connection, though that's certainly something we'd like to support in
> the future and if you're interested in that work, that would be good to
> know. In the meantime, TLS/SSL can be used to provide encryption and
> can be used with GSSAPI authentication, which works between Windows and
> Linux systems just fine.
>
> Thanks,
>
> Stephen
>