* Shaun Thomas (sthomas@xxxxxxxxxxxxxxxx) wrote: > On 02/05/2013 03:40 PM, Stephen Frost wrote: > >You need to register the server w/ AD by creating a principal for it and > >then exporting the princ (shared secret between the KDC and the server) > >and then loading it on the server. > > That looks like something our Windows admins will have to do since > they administer the AD setup and there's no service delegation so > far as I know. Yes, they would need to handle it. If you're running PG on Linux/Unix and/or have multiple Unix systems, I'd recommend that you strongly consider decoupling the Kerberos-on-Unix setup from the Windows-AD administration by having a Unix KDC and a cross-realm trust between the two environments. If you have a Unix admin group, you might discuss it with them.. > >Funny, as it's what makes AD work. > > You might think that, but so far as I've been concerned thus far, AD > = LDAP. I'm just a DBA, after all. :) Yeah, AD is actually LDAP+Kerberos. When you log in to your desktop system (assuming it's a Windows system which is joined to your active directory domain), you're actually authenticating via Kerberos. Thanks, Stephen
Attachment:
signature.asc
Description: Digital signature
