Thread: krb5-pkinit

krb5-pkinit

From

Poul Kristensen

Date:

19 September 2016, 13:49:05

Hi !

It seems that the only way to authenticate against a kdc server is having preconfigured --with-krb_realm during building PostgreSQL 9.5 from source, which seems to mean that the Kerberos may is not in the RPM packages.

How can I list if --with-krb_realm is already compiled into the the PG packages?

sssd.conf is used instead of krb5.conf but the "kerberos" way of authentication method is needed.

Thanks.

Poul

Re: krb5-pkinit

From

Magnus Hagander

Date:

19 September 2016, 17:49:21

On Mon, Sep 19, 2016 at 5:48 AM, Poul Kristensen <bcc5226@gmail.com> wrote:

Hi !

It seems that the only way to authenticate against a kdc server is having preconfigured --with-krb_realm during building PostgreSQL 9.5 from source, which seems to mean that the Kerberos may is not in the RPM packages.
How can I list if --with-krb_realm is already compiled into the the PG packages?
sssd.conf is used instead of krb5.conf but the "kerberos" way of authentication method is needed.

It's --with-gssapi that controls the inclusion of kerberos support (the old pure krb5 support is no longer included, as it's been obsoleted by the gssapi support). The realm parameter only controls the default realm, and you can override that with configuration files and connection strings.

You can check if it was included by checking the output of "pg_config --configure". But if you are using any of the community RPM packages off yum.postgresql.org, it is included.

However, you will need to set up the Kerberos configuration using krb5.conf, as PostgreSQL uses the standard gssapi/krb libraries and does not have specific support for sssd. sssd is a completely separate thing from the basic kerberos support.

Magnus Hagander
Me: http://www.hagander.net/
Work: http://www.redpill-linpro.com/