
Re: Can postgres be configure for GSS/Kerberos authentication without a keyfile?

Eric,

* Eric.Kamradt (Eric.Kamradt@xxxxxxxxxxxxxxxxxxxxx) wrote:
> Can postgres be configured for GSS/Kerberos authentication without a keyfile?

I'd say 'probably not'.

You have to have a princ for postgres and that princ needs to exist in a
keytab file on the PostgreSQL server.  By default, the Kerberos
libraries should look in /etc/krb5.keytab for that princ, but if you've
configured your system correctly, that file is owned by root and only
readable by root.  Services that run as root can still load the file
(e.g. ssh), but PostgreSQL doesn't run as root (and shouldn't), so it
can't and it won't be able to find the princ.

My suggestion for how to do this 'correctly' is to create a keytab just
for the PostgreSQL server with only the postgres/my.host.name@REALM
princ in that file.  Then put that file somewhere that the PostgreSQL
server can get at it, make it owned by the postgres user, and readable
by ONLY the postgres user.  Then update your postgresql.conf by setting
the krb_server_keyfile to that keytab file.

Here's what that looks like on one of our systems:

===# l /etc/postgresql-common/krb5.keytab 
-rw------- 1 postgres root 273 2011-08-16 07:01 /etc/postgresql-common/krb5.keytab

===# klist -k /etc/postgresql-common/krb5.keytab 
Keytab name: FILE:/etc/postgresql-common/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 postgres/host.fqdn.org@xxxxxxxxxxxxx

===# grep krb_server /etc/postgresql/9.1/main/postgresql.conf 
krb_server_keyfile = '/etc/postgresql-common/krb5.keytab'

	Thanks,

		Stephen
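The check Stephen describes (a dedicated keytab, owned by the postgres user, mode 0600, and referenced by krb_server_keyfile) can be verified mechanically. The script below is an added example and not part of the thread or of PostgreSQL itself; it assumes GNU coreutils `stat` (Linux), takes the postgresql.conf path and the expected owner as parameters, and runs its own demonstration against constructed files in a temporary directory rather than a real keytab.

```shell
#!/bin/sh
# Added example (not from the original thread): confirm that the keytab named
# by krb_server_keyfile in postgresql.conf exists, is owned by the account the
# server runs as, and is readable by that account only (mode 0600).
# Assumes GNU stat (-c). Paths and owner below are parameters, not real values.

# Print the value of krb_server_keyfile from a postgresql.conf file.
# Commented-out lines are skipped; surrounding single quotes and any trailing
# comment or whitespace are stripped.
keytab_path_from_conf() {
    conf="$1"
    sed -n "s/^[[:space:]]*krb_server_keyfile[[:space:]]*=[[:space:]]*'\{0,1\}\([^'#]*\)'\{0,1\}.*/\1/p" "$conf" \
        | head -n 1 | sed 's/[[:space:]]*$//'
}

# Return 0 if the keytab at $1 is a regular file owned by $2 with mode 0600,
# otherwise print the first problem found to stderr and return 1.
check_keytab_perms() {
    keytab="$1"
    owner="$2"
    [ -f "$keytab" ] || { echo "missing keytab: $keytab" >&2; return 1; }
    fowner=$(stat -c '%U' "$keytab")
    mode=$(stat -c '%a' "$keytab")
    [ "$fowner" = "$owner" ] || { echo "owner is $fowner, expected $owner" >&2; return 1; }
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600" >&2; return 1; }
    return 0
}

# Combine both: locate the keytab through the config, then check its permissions.
check_pg_keytab() {
    conf="$1"
    owner="$2"
    path=$(keytab_path_from_conf "$conf")
    [ -n "$path" ] || { echo "krb_server_keyfile not set in $conf" >&2; return 1; }
    check_keytab_perms "$path" "$owner"
}

# Self-contained demonstration using constructed files (an empty stand-in for
# the keytab, owned by the current user) so the script runs without a KDC.
demo_dir=$(mktemp -d)
: > "$demo_dir/pg.keytab"
chmod 600 "$demo_dir/pg.keytab"
printf "krb_server_keyfile = '%s/pg.keytab'\n" "$demo_dir" > "$demo_dir/postgresql.conf"
if check_pg_keytab "$demo_dir/postgresql.conf" "$(id -un)"; then
    echo "keytab OK"
else
    echo "keytab NOT OK"
fi
rm -rf "$demo_dir"
```

On a real server the call would be `check_pg_keytab /etc/postgresql/9.1/main/postgresql.conf postgres`; a world-readable keytab fails the mode check, and a keytab still owned by root fails the owner check, which is exactly the case where PostgreSQL cannot read its principal.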
