* Shaun Thomas ([email protected]) wrote: > On 02/05/2013 03:40 PM, Stephen Frost wrote: > >You need to register the server w/ AD by creating a principal for it and > >then exporting the princ (shared secret between the KDC and the server) > >and then loading it on the server. > > That looks like something our Windows admins will have to do since > they administer the AD setup and there's no service delegation so > far as I know.
Yes, they would need to handle it. If you're running PG on Linux/Unix
and/or have multiple Unix systems, I'd recommend that you strongly
consider decoupling the Kerberos-on-Unix setup from the Windows-AD
administration by having a Unix KDC and a cross-realm trust between the
two environments. If you have a Unix admin group, you might discuss it
with them..
> >Funny, as it's what makes AD work.
>
> You might think that, but so far as I've been concerned thus far, AD
> = LDAP. I'm just a DBA, after all. :)
Yeah, AD is actually LDAP+Kerberos. When you log in to your desktop
system (assuming it's a Windows system which is joined to your active
directory domain), you're actually authenticating via Kerberos.
Thanks,
Stephen
signature.asc
Description: Digital signature
