Re: GSSAPI authentication on Redhat8 and PostgreSQL15/16

Hi Stephen,

For item 5, I would like to confirm whether I need to apply both TLS/SSL and GSSAPI authentication, or whether GSSAPI authentication alone is sufficient.

According to your post, do I only need to create one user 'pg1postgres' and generate one keytab file for this user? After that, should I map all the Windows users (we have 200+ users) to 'pg1postgres' in pg_ident.conf?

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thank you for your help and time.
Regards,
Yee Yee

On Mon, Nov 20, 2023 at 10:18 AM Yee Yee (舒兰) <sweety.soul7@xxxxxxxxx> wrote:
Hi Stephen,

I will follow your advice and the post. I'll ask for help again if there are any errors.
Thank you for your valuable advice and time.

Regards,
Yee Yee

On Sun, Nov 19, 2023 at 1:39 AM Stephen Frost <sfrost@xxxxxxxxxxx> wrote:
Greetings,

* Yee Yee (舒兰) (sweety.soul7@xxxxxxxxx) wrote:
> I am attempting to configure Windows authentication on the Red Hat Linux
> server to connect to Windows AD. I chose the GSSAPI authentication method,
> but unfortunately, it is not working. May I ask a few questions:
>
>    1. What is the recommended authentication method from PostgreSQL if we
>    want to use Windows authentication from Linux?

gssapi is what's recommended

>    2. Do I need to generate a keytab file for every user or do I need to
>    modify the /etc/krb5.keytab file one time only?

The keytab on the server is only needed for the postgres kerberos
principal.  You do *not* need one for every user.  Note that the keytab
does need to be able to be read by the PG server and so you might want
to use a different keytab than /etc/krb5.keytab.  You can tell PG where
the keytab is in postgresql.conf with krb_server_keyfile.

>    3. Do I need to remote to Windows AD and generate the keytab file or
>    generate from Postgres Linux server itself?

I've typically done it from the AD but the 'realm' command can be used
to join systems to AD too.  For directions on the former, you might find
this blog post to be helpful:

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

>    4. Do I need to set up the Linux server domain name the same as the
>    username domain name, e.g., [serverName@xxxxxxxxxxxxxx] and
>    domainname/username?

Not sure I'm entirely following this question but the domain name
typically matches the realm name and is generally the same for all users
and services inside of smaller AD environments.  Once you get to larger
ones, you may have multiple realms (you start to have a 'forest' instead
of just a single 'tree') with cross-realm trusts and such.  You can also
technically have multiple domains inside of a given realm but you have
to set up appropriate DNS or configuration for the systems to know which
realm they're a part of.

>    5. According to PostgreSQL 15 (hostgssenc - This record matches
>    connection attempts made using TCP/IP but only when the connection is made
>    with GSSAPI encryption. To make use of this option, the server must be
>    built with GSSAPI support. Otherwise, the hostgssenc record is ignored,
>    except for logging a warning that it cannot match any connections.) - which
>    kind of components should Linux OS install to use GSSAPI authentication?".
>    Recently my Linux OS only can find cyrus-sasl-gssapi.x86_64
>    rsyslog-gssapi.x86_64.

MIT Kerberos provides the GSSAPI authentication and encryption.

Note that GSSAPI encryption is only available with PostgreSQL today when
both sides are using the MIT Kerberos GSSAPI library.  Kerberos on
Windows typically uses the SSPI functionality provided as part of the
Windows OS.  PostgreSQL doesn't yet support SSPI encryption of the
connection, though that's certainly something we'd like to support in
the future and if you're interested in that work, that would be good to
know.  In the meantime, TLS/SSL can be used to provide encryption and
can be used with GSSAPI authentication, which works between Windows and
Linux systems just fine.

Thanks,

Stephen
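The configuration Stephen sketches above (one service keytab on the server, GSSAPI authentication for everyone, GSSAPI encryption where both ends are MIT Kerberos and TLS where the client is Windows SSPI) is easiest to reason about by simulating how the server picks a pg_hba.conf record and applies a pg_ident.conf map. The script below is an added example for this thread, not code from Stephen, the linked blog post or PostgreSQL itself. The realm EXAMPLE.COM, the 10.0.0.0/8 subnet, the map name "ad", the database "app", the users and the service principal svc_report are all assumed for illustration; the record-matching and regex-map rules are the documented pg_hba.conf/pg_ident.conf semantics, reimplemented here only as far as the thread needs them.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed pg_hba.conf fragment (assumed realm EXAMPLE.COM, subnet 10.0.0.0/8).
# The first matching record is used; if authentication then fails there is no fallback.
PG_HBA = """
# TYPE       DATABASE USER ADDRESS    METHOD OPTIONS
hostgssenc   all      all  10.0.0.0/8 gss    map=ad krb_realm=EXAMPLE.COM
hostssl      all      all  10.0.0.0/8 gss    map=ad krb_realm=EXAMPLE.COM
hostnossl    all      all  10.0.0.0/8 reject
"""
# hostgssenc catches MIT Kerberos clients that negotiated GSS encryption. Windows SSPI
# clients cannot, so hostssl forces TLS for them. hostnossl also matches GSS-encrypted
# sessions (they are not SSL), which is why it must stay below hostgssenc.

# Constructed pg_ident.conf. With the default include_realm=1 the full principal is
# handed to the map, so one regex strips the realm for every AD user; no per-user keytab.
PG_IDENT = r"""
# MAPNAME SYSTEM-USERNAME          PG-USERNAME
ad        /^([^@]+)@EXAMPLE\.COM$  \1
ad        svc_report@EXAMPLE.COM   report_ro
"""

@dataclass
class Conn:
    user: str         # role the client asks for
    database: str
    addr: str
    principal: str    # principal proven by GSSAPI, e.g. alice@EXAMPLE.COM
    ssl: bool = False
    gssenc: bool = False

def _lines(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def parse_hba(text):
    # (type, database, user, address, method, {option: value})
    return [(t, d, u, a, m, dict(o.split("=", 1) for o in opts))
            for t, d, u, a, m, *opts in _lines(text)]

def parse_ident(text):
    return [tuple(fields) for fields in _lines(text)]

def find_record(records, conn):
    ip = ipaddress.ip_address(conn.addr)
    kind = {"host": True, "hostssl": conn.ssl, "hostnossl": not conn.ssl,
            "hostgssenc": conn.gssenc, "hostnogssenc": not conn.gssenc}
    for rec in records:
        t, d, u, a, _, _ = rec
        if (kind[t] and d in ("all", conn.database) and u in ("all", conn.user)
                and (a == "all" or ip in ipaddress.ip_network(a, strict=False))):
            return rec
    return None

def ident_allows(entries, mapname, sysuser, pguser):
    for name, pattern, target in entries:
        if name != mapname:
            continue
        if pattern.startswith("/"):            # regex form; \1 is the first group
            m = re.match(pattern[1:], sysuser)
            if m and (target.replace(r"\1", m.group(1)) if m.groups() else target) == pguser:
                return True
        elif pattern == sysuser and target == pguser:
            return True
    return False

def authenticate(records, entries, conn):
    """Return (allowed, reason) for a client whose principal GSSAPI has already verified."""
    rec = find_record(records, conn)
    if rec is None:
        return False, "no pg_hba.conf record"
    method, opts = rec[4], rec[5]
    if method != "gss":
        return False, f"method {method}"          # reject, or a method not modelled here
    sysuser, _, realm = conn.principal.rpartition("@")
    if "krb_realm" in opts and realm != opts["krb_realm"]:
        return False, f"realm {realm} not allowed"
    if opts.get("include_realm", "1") == "1":    # PostgreSQL default keeps the realm
        sysuser = conn.principal
    ok = (ident_allows(entries, opts["map"], sysuser, conn.user) if "map" in opts
          else sysuser == conn.user)
    return ok, "ok" if ok else f"{sysuser} may not log in as {conn.user}"

def demo():
    """Constructed connection attempts; returns {case: allowed}."""
    records, entries = parse_hba(PG_HBA), parse_ident(PG_IDENT)
    cases = {
        "linux_gssenc":  Conn("alice", "app", "10.1.2.3", "alice@EXAMPLE.COM", gssenc=True),
        "windows_tls":   Conn("bob", "app", "10.1.2.4", "bob@EXAMPLE.COM", ssl=True),
        "windows_plain": Conn("bob", "app", "10.1.2.4", "bob@EXAMPLE.COM"),
        "foreign_realm": Conn("mallory", "app", "10.1.2.5", "mallory@CORP.OTHER", ssl=True),
        "service_role":  Conn("report_ro", "app", "10.1.2.6", "svc_report@EXAMPLE.COM", ssl=True),
        "role_hijack":   Conn("postgres", "app", "10.1.2.3", "alice@EXAMPLE.COM", gssenc=True),
    }
    return {name: authenticate(records, entries, c)[0] for name, c in cases.items()}
```

Running demo() allows the Linux client (GSS-encrypted), the Windows client over TLS and the service principal mapped to report_ro, and denies the Windows client with neither TLS nor GSS encryption, a principal from another realm, and alice asking for the postgres role. The point for the 200-user question is visible in PG_IDENT: the keytab belongs to the server's own service principal, while each user principal is mapped by the regex to a role of the same name, so no user-specific keytab and no shared role are needed; on the real server the same checks are what the "no pg_hba.conf entry" and "no match in usermap" log messages report.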
