If your running postgres on Linux, you have to have a Linux account on the server to run postgres[1]. It would be possible to have the linux server configured to use AD/Kerberos for authentication and that might be justified in some environments e.g. where you have a Windows based identity and access management system, but you will still need an account on the Linux system. The downside of doing this is that your just adding another possible failure point.
You are probably better off just going with 'standard' practices and have the normal postgres user, but restrict access to the server. You can then have a separate administrator account which uses AD/Kerberos and do all your administration using that account (or a number of accounts with minimum access levels needed depending on your requirements, such as one per database).
1. There are 'clever' things you can do to enable those with AD accounts to login to a Linux system which does not require running 'adduser' on the Linux host, but these solutions tend not to work well when you want to run 'services' on that host using one of those accounts. For example, you have to add 'clevel' boot facilities to ensure the AD/Kerberos infrastructure is running before the postgres server and if it isn't, deal with things gracefully etc. Things quickly become very complicated.
On 27 February 2018 at 03:22, David <dbwagoner@xxxxxxxxx> wrote:
Just wondering if it is recommended, or not, to run Postgres as a domain account on Linux. If not, then why not?Thank you,David
regards,
Tim
--
Tim Cross