I'm trying to set Windows authentication for a postgres server.
The process is not well documented, which makes the whole thing obscure.
I found this doc but it is quite unclear.
In the necessary steps, the doc says that you need to create a domain user. Yet in the screenshot, it says DomainServiceAccount.
Once you've created the domain user and set your postgres service with the domain user, you need to create a Service Principal Name for your service account with the following command line on the AD server:
setspn -S POSTGRES/[fully.qualified.domain.name] DOMAIN\[service_account_name]
Questions are the following:
- Is service_account_name = DomainServiceAccount = Domain user?
- If my first question is correct, and I create a user called SuperPostgres, set the service as mentioned in the doc with the user SuperPostgres, create an SPN with the command line spn, and set the relevant role as mentioned in the doc, is it certain that Postgres will allow an AD user like AndyKw to connect to the postgres db?
Best Answer
Yes
Service_account_name = DomainServiceAccount = Domain user
A service account is actually a domain user, just with some extra settings like "no interactive login" and "password does not expire". Dunno why they would use "DomainServiceAccount" too. It's just Service_account_name.
Is it certain? Just have to test, but it looks usual for non-Windows applications (Atlassian does the same, and I have other Java apps that have AD authentication too).
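One way to carry out the test the answer suggests, as an added example that is not part of the original question, answer, or the doc they refer to. The domain name, server FQDN and Windows service name are placeholders, and it assumes pg_hba.conf already has an sspi entry and a matching PostgreSQL role exists for the connecting user.

```powershell
# Placeholders: replace with your own values. SuperPostgres and AndyKw are
# the names used in the question; everything else is assumed.
$Domain      = 'EXAMPLE'                 # NetBIOS domain name (placeholder)
$ServiceUser = 'SuperPostgres'           # domain user the service runs as
$ServerFqdn  = 'pgserver.example.com'    # PostgreSQL host FQDN (placeholder)
$ServiceName = 'postgresql-x64-16'       # Windows service name (placeholder)
$Spn         = "POSTGRES/$ServerFqdn"

# 1. The SPN must be registered on the service account.
$registered = setspn -L "$Domain\$ServiceUser" |
    Where-Object { $_.Trim() -ieq $Spn }
if (-not $registered) {
    Write-Warning "$Spn is not registered on $Domain\$ServiceUser"
}

# 2. The SPN must be held by exactly one account. If the query returns a
#    different account, or more than one, Kerberos ticket requests for the
#    service fail or are encrypted for the wrong account.
setspn -Q $Spn

# 3. The PostgreSQL Windows service must log on as that same domain user.
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) {
    Write-Warning "Service $ServiceName not found on this machine"
} elseif ($svc.StartName -notlike "*$ServiceUser*") {
    Write-Warning "Service runs as '$($svc.StartName)', expected $ServiceUser"
}

# 4. Run this part while logged on as the AD user (AndyKw in the question).
#    Connect by the FQDN used in the SPN; no password should be prompted.
#    The role name the server looks up depends on the sspi options in
#    pg_hba.conf (for example include_realm or a user name map).
psql -h $ServerFqdn -U AndyKw -d postgres -c "select current_user;"

# 5. After a successful login the ticket cache should hold a service
#    ticket for the SPN. No match means the login did not use Kerberos
#    for this SPN.
klist | Select-String -SimpleMatch $Spn
```

Steps 1 to 3 are run on the AD or database server with an account allowed to read the directory; steps 4 and 5 are run from the client session of the user being tested.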