Dear Stephen,

You're absolutely right, the mapping works very well.

I've created 2 "service users" on Active Directory (postgres and postgres_dev), and generated the keytab like this:
ktpass -out postgres_pg1.keytab -princ postgres/PGDOMT1.ad.com@xxxxxx -mapUser AD\postgres -pass 'UserPass1' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL
ktpass -out postgres_pg2.keytab -princ postgres/PGDOMT2.ad.com@AD.COM -mapUser AD\postgres_dev -pass 'UserPass2' -mapOp add -crypto ALL -ptype KRB5_NT_PRINCIPAL

From: Stephen Frost <sfrost@xxxxxxxxxxx>
Sent: April 29, 2019 13:35
To: Jean-Philippe Chenel
Cc: pgsql-general@xxxxxxxxxxxxxxxxxxxx
Subject: Re: 9.6.9 Default configuration for a default installation but different with-krb-srvnam

Greetings,

* Jean-Philippe Chenel (jp.chenel@xxxxxxx) wrote:
> If I understand, the mapping can be done in the pg_ident.conf file?

No, you do the mapping in AD. Look at the '/princ' and '/mapuser' options used in the ktpass command here:

https://info.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

Thanks,

Stephen