Re: Use AD-account as login into Postgres.

From Stephen Frost
Subject Re: Use AD-account as login into Postgres.
Date
Msg-id ZdzTBPiWwN8cYSgG@tamriel.snowman.net
In response to Re: Use AD-account as login into Postgres.  (Gabriel Guillem Barceló Soteras <gbarcelo@parlamentib.es>)
List pgsql-admin
Greetings,

We prefer that you don't top-post on the PG mailing lists, thanks.

* Gabriel Guillem Barceló Soteras (gbarcelo@parlamentib.es) wrote:
> Still, in Windows environments, PostgreSQL uses a separated keytab in filesystem.
> This is *nix-fashioned way to give an identity to the process.
>
> Windows native way would be service with MSA/gMSA identity configured (or computer account i.e. NETWORK SERVICE),
> but I think that is not possible...

There's a detailed explanation of how to do this here:

https://www.crunchydata.com/blog/windows-active-directory-postgresql-gssapi-kerberos-authentication

> pg_hba.conf
> hostgssenc all pg_user@dom.internal 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL
> Then, on postgres.conf (*NIX or Windows)

This might be what is tripping you up- we don't yet support
GSSAPI/Kerberos encrypted connections when using SSPI (which is what
you're using on Windows).  I hope to propose a patch to implement that
but it's not yet in PG.

Try instead:

host all all 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL

> Note that I have not touched pg_ident.conf, and created a login instead...

Yes, you'll need to create the user in PostgreSQL.

Thanks,

Stephen
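
A small checker for the two points in this reply, as an added example that is not part of the original message or of PostgreSQL: it flags `hostgssenc` rules that cannot match when SSPI is in use, and shows the user name a `gss` rule compares with the requested role. The function names and the `sspi` flag are hypothetical, the principal is constructed, and the CIDR address form is assumed.

```python
import shlex

def check_gss_rule(line, sspi):
    """Inspect one pg_hba.conf rule (CIDR address form assumed).

    Returns None for comments, blanks, 'local' rules and non-gss methods,
    otherwise a dict saying whether the rule can match and a replacement.
    """
    tok = shlex.split(line, comments=True)
    if len(tok) < 5 or tok[0] == "local" or tok[4] != "gss":
        return None
    opts = dict(o.split("=", 1) for o in tok[5:])
    result = {"type": tok[0], "options": opts, "reachable": True, "suggest": None}
    # hostgssenc only matches GSSAPI-encrypted connections; per the reply
    # above those are not supported when SSPI is in use.
    if tok[0] == "hostgssenc" and sspi:
        result["reachable"] = False
        result["suggest"] = " ".join(["host"] + tok[1:])
    return result

def system_user(principal, opts):
    """Name a gss rule compares with the requested role when no map= is set.

    Returns None when krb_realm is set and the principal's realm differs,
    because such a login is rejected.
    """
    user, _, realm = principal.partition("@")
    if "krb_realm" in opts and realm != opts["krb_realm"]:
        return None
    # include_realm defaults to 1: the realm stays part of the name.
    return user if opts.get("include_realm", "1") == "0" else principal

# Rule quoted in the thread, and the one suggested in the reply.
QUOTED = ("hostgssenc all pg_user@dom.internal 10.20.200.0/16 "
          "gss include_realm=1 krb_realm=DOM.INTERNAL")
SUGGESTED = "host all all 10.20.200.0/16 gss include_realm=1 krb_realm=DOM.INTERNAL"

if __name__ == "__main__":
    for rule in (QUOTED, SUGGESTED):
        r = check_gss_rule(rule, sspi=True)
        print("ok  " if r["reachable"] else "DEAD", rule)
        if r["suggest"]:
            print("     try:", r["suggest"])
    opts = check_gss_rule(SUGGESTED, sspi=True)["options"]
    # Constructed principal: the role to create must carry this exact name.
    print("role to create:", system_user("pg_user@DOM.INTERNAL", opts))
```

With `include_realm=1` and no `map=` option, the role created in PostgreSQL has to be named with the realm included, for example `CREATE ROLE "pg_user@DOM.INTERNAL" LOGIN;`.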
