Re: Make SSPI documentation clearer

From Stephen Frost
Subject Re: Make SSPI documentation clearer
Date
Msg-id ZA5wJQFOcULuIwwn@tamriel.snowman.net
In reply to Make SSPI documentation clearer  (PG Doc comments form <noreply@postgresql.org>)
Replies Re: Make SSPI documentation clearer  (Tomas Pospisek <tpo2@sourcepole.ch>)
Re: Make SSPI documentation clearer  (Bruce Momjian <bruce@momjian.us>)
List pgsql-docs
Greetings,

* PG Doc comments form (noreply@postgresql.org) wrote:
> Page: https://www.postgresql.org/docs/15/sspi-auth.html
> Description:
>
> The [current SSPI
> documentation](https://www.postgresql.org/docs/current/sspi-auth.html)
> reads:
>
> "SSPI authentication only works when both server and client are running
> Windows, or, on non-Windows platforms, when GSSAPI is available."
>
> I interpret that phrase like this:
>
> * there's a case where both server and client are running Windows
> * there's a case where both are running non-Windows

Yeah, that phrasing isn't great.

> What about mixed cases? When the client is non-Windows, then can it use
> SSPI? No, AFAIK not. So I'd suggest to make that phrase above clearer and
> completely explicit:

SSPI is Windows-specific, yeah.

> "SSPI authentication works when both server and client are running
> Windows.
>
> When the server is on a non-Windows platform then the server must use GSSAPI
> if it wants to authenticate the client either via Kerberos or via Active
> Directory. A client on a Windows platform that connects to a non-Windows
> Postgresql server can either use SSPI (strongly encouraged) or GSS (much
> more difficult to set up) if it wants to authenticate via Kerberos or Active
> Directory. A client from a non-Windows platform must use GSS if it wants to
> authenticate via Kerberos or Active Directory."

Rather than work in negative, I feel like it might make more sense to
work in positives?  That is, perhaps this instead:

On Windows platforms, SSPI is the default and most commonly used
mechanism.  Note that an SSPI client can authenticate to a server which
is using either SSPI or GSSAPI, and a GSSAPI client can authenticate to
a server which is using either SSPI or GSSAPI.  Generally speaking,
clients and servers on Windows are recommended to use SSPI while clients
and servers on Unix (non-Windows) platforms use GSSAPI.

Strictly speaking, this is all independent of if AD is being used as
the KDC or not.

Thanks,

Stephen
