* Shaun Thomas (sthomas@optionshouse.com) wrote:
> On 02/05/2013 03:40 PM, Stephen Frost wrote:
> >You need to register the server w/ AD by creating a principal for it and
> >then exporting the princ (shared secret between the KDC and the server)
> >and then loading it on the server.
>=20
> That looks like something our Windows admins will have to do since
> they administer the AD setup and there's no service delegation so
> far as I know.
Yes, they would need to handle it. If you're running PG on Linux/Unix
and/or have multiple Unix systems, I'd recommend that you strongly
consider decoupling the Kerberos-on-Unix setup from the Windows-AD
administration by having a Unix KDC and a cross-realm trust between the
two environments. If you have a Unix admin group, you might discuss it
with them..
> >Funny, as it's what makes AD work.
>=20
> You might think that, but so far as I've been concerned thus far, AD
> =3D LDAP. I'm just a DBA, after all. :)
Yeah, AD is actually LDAP+Kerberos. When you log in to your desktop
system (assuming it's a Windows system which is joined to your active
directory domain), you're actually authenticating via Kerberos.
Thanks,
Stephen