<productname>Kerberos</productname>, it uses a standard principal
in the format
<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.
- <replaceable>servicename</> can be set on the server side using the
- <xref linkend="guc-krb-srvname"> configuration parameter, and on the
- client side using the <literal>krbsrvname</> connection parameter. (See
+ The PostgreSQL server will accept any principal that is included in the keytab used by
+ the server, but care needs to be taken to specify the correct principal details when
+ making the connection from the client using the <literal>krbsrvname</> connection parameter. (See
also <xref linkend="libpq-paramkeywords">.) The installation default can be
changed from the default <literal>postgres</literal> at build time using
<literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.
In most environments,
- this parameter never needs to be changed. However, it is necessary
- when supporting multiple <productname>PostgreSQL</> installations
- on the same host.
- Some Kerberos implementations might also require a different service name,
+ this parameter never needs to be changed.
+ Some Kerberos implementations might require a different service name,
such as Microsoft Active Directory which requires the service name
to be in upper case (<literal>POSTGRES</literal>).
</para>
parameter. The default is
<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever
directory was specified as <varname>sysconfdir</> at build time).
+ For security reasons, it is recommended to use a separate keytab
+ just for the <productname>PostgreSQL</productname> server rather
+ than opening up permissions on the system keytab file.
</para>
<para>
The keytab file is generated by the Kerberos software; see the
</listitem>
</varlistentry>
- <varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">
- <term><varname>krb_srvname</varname> (<type>string</type>)</term>
- <indexterm>
- <primary><varname>krb_srvname</> configuration parameter</primary>
- </indexterm>
- <listitem>
- <para>
- Sets the Kerberos service name. See <xref linkend="gssapi-auth">
- for details. This parameter can only be set in the
- <filename>postgresql.conf</> file or on the server command line.
- </para>
- </listitem>
- </varlistentry>
-
<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">
<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>
<indexterm>
#ifndef PG_KRB_SRVTAB
#define PG_KRB_SRVTAB ""
#endif
-#ifndef PG_KRB_SRVNAM
-#define PG_KRB_SRVNAM ""
-#endif
#define CONFIG_FILENAME "postgresql.conf"
#define HBA_FILENAME "pg_hba.conf"
NULL, NULL, NULL
},
- {
- {"krb_srvname", PGC_SIGHUP, CONN_AUTH_SECURITY,
- gettext_noop("Sets the name of the Kerberos service."),
- NULL
- },
- &pg_krb_srvnam,
- PG_KRB_SRVNAM,
- NULL, NULL, NULL
- },
-
{
{"bonjour_name", PGC_POSTMASTER, CONN_AUTH_SETTINGS,
gettext_noop("Sets the Bonjour service name."),
#include "libpq/libpq-be.h"
extern char *pg_krb_server_keyfile;
-extern char *pg_krb_srvnam;
extern bool pg_krb_caseins_users;
-extern char *pg_krb_server_hostname;
extern char *pg_krb_realm;
extern void ClientAuthentication(Port *port);
projects / postgresql / commitdiff