* greigwise@xxxxxxxxxxx (greigwise@xxxxxxxxxxx) wrote:
> 2) Setup a new account in AD and used ktpass to create a keytab file for the SPN.

Did you make sure to use the right service name when creating the keytab? Can you do a klist -k on the keytab file and send the output? Does hostname --fqdn return the correct answer on the server? If not, you might need to adjust what PG thinks your FQDN is (there's an option in postgresql.conf for that too, but I'd recommend trying to fix your server to return the right answer instead of forcing it).

> 3) Copied the keytab file onto my postgres server and updated my postgresql.conf file appropriately (set the krb_server_keyfile to point to the file I just created.)

You'll probably also need to change the default service name to POSTGRES instead of postgres, in postgresql.conf too; klist -k should help figure that out.

> Then I wrote a little test Perl program to connect to my postgres database.

Can you test with psql locally first? Make sure that when you *try* to connect, it acquires the service princ from the KDC (check using klist) and then see if it is actually *able* to authenticate to the server. You'll need to set the appropriate environment variables on both Linux and Windows though for libpq to know what the right service name is (again, POSTGRES instead of postgres, probably). You may also need to make sure that your default realm is set correctly and that your reverse DNS is working.

Also, can you look in the PG server-side logs and see what errors are being reported there? There may be some during startup or when the client tries to connect that would be useful.

Thanks,

Stephen
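A small diagnostic helper for the keytab and service-name checks suggested above (an added example, not code from the thread or from PostgreSQL; it assumes MIT Kerberos `klist -k` output layout, and the sample listing, hostname and realm are constructed):

```shell
#!/bin/sh
# Compare the principals stored in a PostgreSQL server keytab with the SPN the
# server will actually look for: <service>/<fqdn>@<REALM>. Kerberos principal
# matching is case-sensitive, so "postgres/..." and "POSTGRES/..." are different
# keys; this is the mismatch a ktpass-generated keytab most often carries.

# Build the principal the server expects for a given service name, FQDN and realm.
expected_principal() {
    printf '%s/%s@%s\n' "$1" "$2" "$3"
}

# Extract principal names from MIT `klist -k` output: data rows start with a
# numeric KVNO in column 1 and the principal in column 2; header rows do not.
keytab_principals() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $2 }' | sort -u
}

# Return 0 if the expected principal is in the listing, 1 otherwise, and report
# any entry that differs from it only in case (wrong service-name or host case).
check_keytab() {
    klist_out=$1; service=$2; fqdn=$3; realm=$4
    want=$(expected_principal "$service" "$fqdn" "$realm")
    want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
    found=1
    for p in $(keytab_principals "$klist_out"); do
        if [ "$p" = "$want" ]; then
            found=0
        elif [ "$(printf '%s' "$p" | tr 'A-Z' 'a-z')" = "$want_lc" ]; then
            echo "keytab has '$p' but the server will look for '$want' (case differs)" >&2
        fi
    done
    return $found
}

# Live variant: read the real keytab and use the host's own FQDN, which is what
# the server will use unless overridden in postgresql.conf.
check_live_keytab() {
    check_keytab "$(klist -k "$1")" "$2" "$(hostname --fqdn)" "$3"
}

# Constructed sample of `klist -k` output: the keytab was cut for lowercase
# "postgres", so a server configured for service name POSTGRES will not match.
SAMPLE_KLIST='Keytab name: FILE:/etc/postgresql/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/db01.example.com@EXAMPLE.COM
   3 host/db01.example.com@EXAMPLE.COM'

# Usage on a real server (service name as set in postgresql.conf):
# check_live_keytab /etc/postgresql/krb5.keytab POSTGRES EXAMPLE.COM && echo ok
```

Run `check_keytab "$SAMPLE_KLIST" POSTGRES db01.example.com EXAMPLE.COM` to see the case-mismatch report; with `postgres` as the service name it succeeds silently.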