| From: | Stephen Frost <sfrost(at)snowman(dot)net> | 
|---|---|
| To: | Gabriel Guillem Barceló Soteras <gbarcelo(at)parlamentib(dot)es> | 
| Cc: | Holger Jakobs <holger(at)jakobs(dot)com>, "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org> | 
| Subject: | Re: Use AD-account as login into Postgres. | 
| Date: | 2024-02-26 18:05:56 | 
| Message-ID: | ZdzTBPiWwN8cYSgG@tamriel.snowman.net | 
| Lists: | pgsql-admin | 
Greetings,
We prefer that you don't top-post on the PG mailing lists, thanks.
* Gabriel Guillem Barceló Soteras (gbarcelo(at)parlamentib(dot)es) wrote:
> Still, in Windows environments, PostgreSQL uses a separate keytab in the filesystem.
> This is the *nix-fashioned way to give an identity to the process.
> 
> The Windows-native way would be a service with an MSA/gMSA identity configured (or a computer account, i.e. NETWORK SERVICE), but I think that is not possible...
There's a detailed explanation of how to do this here:
https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication
> pg_hba.conf
> hostgssenc all pg_user(at)dom(dot)internal 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL
> Then, on postgres.conf (*NIX or Windows)
This might be what is tripping you up - we don't yet support
GSSAPI/Kerberos encrypted connections when using SSPI (which is what
you're using on Windows).  I hope to propose a patch to implement that
but it's not yet in PG.
Try instead:
host all all 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL
> Note that I have not touched pg_ident.conf, and created a login instead...
Yes, you'll need to create the user in PostgreSQL.
Thanks,
Stephen
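The exchange above turns on three pg_hba.conf details: `hostgssenc` is not usable with SSPI on Windows (so the rule is never matched), `include_realm=1` keeps the realm in the system user name that PostgreSQL compares against the requested role, and `krb_realm` rejects principals from any other realm. The following is an added, simplified model of that decision written for this page; it is not PostgreSQL's own code and it ignores the parts of pg_hba.conf and pg_ident.conf it does not need (address matching, comma-separated user lists, `+group` and `all` in pg_ident.conf). The rule text, realm and role names are the ones from the thread; the `adusers` map name and the `dba` principal are constructed for the example.

```python
"""Simplified model of PostgreSQL's GSS/SSPI user-name handling for pg_hba.conf
rules using the gss method. Added illustrative code, not PostgreSQL's implementation."""
import re
from dataclasses import dataclass, field


@dataclass
class HbaRule:
    conn_type: str          # host, hostssl, hostgssenc, ...
    database: str
    user: str               # role column: "all" or a role name (simplified)
    address: str
    method: str
    options: dict = field(default_factory=dict)


def parse_hba_line(line: str) -> HbaRule:
    """Parse one pg_hba.conf rule of the form TYPE DATABASE USER ADDRESS METHOD [opt=val ...]."""
    parts = line.split()
    if len(parts) < 5:
        raise ValueError(f"not a host rule: {line!r}")
    opts = {}
    for tok in parts[5:]:
        key, _, val = tok.partition("=")
        opts[key] = val
    return HbaRule(parts[0], parts[1], parts[2], parts[3], parts[4], opts)


def windows_sspi_supported(rule: HbaRule) -> bool:
    """Per the reply: GSSAPI-encrypted transport (hostgssenc) is not available when
    the server authenticates via SSPI on Windows, so such a rule can never match."""
    return rule.conn_type != "hostgssenc"


def system_user_name(principal: str, rule: HbaRule):
    """Derive the system user name from a Kerberos principal 'user@REALM'.
    Returns None if krb_realm is set and the principal's realm differs."""
    user, _, realm = principal.rpartition("@")
    wanted_realm = rule.options.get("krb_realm")
    if wanted_realm and realm != wanted_realm:
        return None
    # include_realm=1 (the default) keeps 'user@REALM'; include_realm=0 strips the realm.
    keep_realm = rule.options.get("include_realm", "1") == "1"
    return principal if keep_realm else user


def check_usermap(ident_lines, map_name: str, system_user: str, pg_role: str) -> bool:
    """pg_ident.conf semantics: any line of MAPNAME SYSTEM-USERNAME PG-USERNAME that
    matches both names allows the login. A '/'-prefixed pattern is a regex and \\1 in
    the PG-USERNAME column is replaced by its first capture group."""
    for line in ident_lines:
        parts = line.split()
        if len(parts) != 3 or parts[0] != map_name:
            continue
        _, sys_pat, pg_pat = parts
        if sys_pat.startswith("/"):
            m = re.search(sys_pat[1:], system_user)
            if not m:
                continue
            expected = pg_pat.replace(r"\1", m.group(1)) if m.groups() else pg_pat
        else:
            if sys_pat != system_user:
                continue
            expected = pg_pat
        if expected == pg_role:
            return True
    return False


def authenticate(principal: str, requested_role: str, rule: HbaRule, ident_lines=()) -> bool:
    """Return True if the principal may log in as requested_role under this rule."""
    if rule.user != "all" and rule.user != requested_role:
        return False
    system_user = system_user_name(principal, rule)
    if system_user is None:
        return False
    map_name = rule.options.get("map")
    if not map_name:
        # Without a map, the requested role must equal the system user name exactly;
        # with include_realm=1 that means a role literally named 'pg_user@DOM.INTERNAL'.
        return system_user == requested_role
    return check_usermap(ident_lines, map_name, system_user, requested_role)


if __name__ == "__main__":
    rule = parse_hba_line("host all all 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL")
    print(authenticate("pg_user@DOM.INTERNAL", "pg_user@DOM.INTERNAL", rule))  # True
    print(authenticate("pg_user@DOM.INTERNAL", "pg_user", rule))               # False: realm kept
```

The model shows why "I have not touched pg_ident.conf, and created a login instead" works only if the role carries the realm suffix: with `include_realm=1` and no `map=` option, the role name must be the full `user@REALM` string. Dropping the realm from the role name requires either `include_realm=0` (safe only when `krb_realm` pins a single realm, otherwise `alice@A.REALM` and `alice@B.REALM` collapse into one role) or a pg_ident.conf regex map.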