Commit 36db18e

Docs: minor copy-editing for GSSAPI/SSPI authentication docs.
Describe compat_realm = 0 as "disabled" not "enabled", per discussion with Christian Ullrich. I failed to resist the temptation to do some other minor copy-editing in the same area.
1 parent 6e243c4 commit 36db18e

1 file changed

+20
-15
lines changed

doc/src/sgml/client-auth.sgml

Lines changed: 20 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -970,17 +970,18 @@ omicron bryanh guest1
970970
strongly discouraged as it is then impossible to distinguish different users
971971
with the same user name but coming from different realms. To enable this,
972972
set <literal>include_realm</> to 0. For simple single-realm
973-
installations, <literal>include_realm</> combined with the
974-
<literal>krb_realm</> parameter (which checks that the realm provided
975-
matches exactly what is in the <literal>krb_realm</literal> parameter) would be a secure but
976-
less capable option compared to specifying an explicit mapping in
973+
installations, doing that combined with setting the
974+
<literal>krb_realm</> parameter (which checks that the principal's realm
975+
matches exactly what is in the <literal>krb_realm</literal> parameter)
976+
is still secure; but this is a
977+
less capable approach compared to specifying an explicit mapping in
977978
<filename>pg_ident.conf</>.
978979
</para>
979980

980981
<para>
981982
Make sure that your server keytab file is readable (and preferably
982-
only readable) by the <productname>PostgreSQL</productname> server
983-
account. (See also <xref linkend="postgres-user">.) The location
983+
only readable, not writable) by the <productname>PostgreSQL</productname>
984+
server account. (See also <xref linkend="postgres-user">.) The location
984985
of the key file is specified by the <xref
985986
linkend="guc-krb-server-keyfile"> configuration
986987
parameter. The default is
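Review bot: In the replacement text at lines 973-977 the antecedent of "doing that" sits two sentences back (setting include_realm to 0), so the reader has to look up again; naming it once more reads more clearly, e.g. "installations, setting <literal>include_realm</> to 0 combined with setting the". In the same passage, "is still secure; but this is a" should use a comma rather than a semicolon, since "but" joins a coordinate clause rather than starting a new sentence. The keytab wording at lines 983-984 ("only readable, not writable") is a clear improvement and needs no change.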
@@ -1019,10 +1020,12 @@ omicron bryanh guest1
10191020
If set to 0, the realm name from the authenticated user principal is
10201021
stripped off before being passed through the user name mapping
10211022
(<xref linkend="auth-username-maps">). This is discouraged and is
1022-
primarily available for backwards compatibility as it is not secure
1023-
in multi-realm environments unless <literal>krb_realm</literal> is also used. Users
1024-
are recommended to leave include_realm set to the default (1) and to
1025-
provide an explicit mapping in <filename>pg_ident.conf</>.
1023+
primarily available for backwards compatibility, as it is not secure
1024+
in multi-realm environments unless <literal>krb_realm</literal> is
1025+
also used. It is recommended to
1026+
leave <literal>include_realm</literal> set to the default (1) and to
1027+
provide an explicit mapping in <filename>pg_ident.conf</> to convert
1028+
principal names to <productname>PostgreSQL</> user names.
10261029
</para>
10271030
</listitem>
10281031
</varlistentry>
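Review bot: Line 1025 ("also used. It is recommended to") is left much shorter than its neighbours after the rewrap; reflowing lines 1025-1027 so the paragraph fills the column consistently would avoid the ragged break, e.g. "also used. It is recommended to leave <literal>include_realm</literal> set" / "to the default (1) and to provide an explicit mapping in". Wrapping include_realm in <literal> where it was previously bare is a welcome consistency fix, and the added "to convert principal names to PostgreSQL user names" makes the purpose of the pg_ident.conf mapping explicit.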
@@ -1098,10 +1101,12 @@ omicron bryanh guest1
10981101
If set to 0, the realm name from the authenticated user principal is
10991102
stripped off before being passed through the user name mapping
11001103
(<xref linkend="auth-username-maps">). This is discouraged and is
1101-
primarily available for backwards compatibility as it is not secure
1102-
in multi-realm environments unless <literal>krb_realm</literal> is also used. Users
1103-
are recommended to leave include_realm set to the default (1) and to
1104-
provide an explicit mapping in <filename>pg_ident.conf</>.
1104+
primarily available for backwards compatibility, as it is not secure
1105+
in multi-realm environments unless <literal>krb_realm</literal> is
1106+
also used. It is recommended to
1107+
leave <literal>include_realm</literal> set to the default (1) and to
1108+
provide an explicit mapping in <filename>pg_ident.conf</> to convert
1109+
principal names to <productname>PostgreSQL</> user names.
11051110
</para>
11061111
</listitem>
11071112
</varlistentry>
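Review bot: After this change the SSPI include_realm paragraph (lines 1101-1109) is a verbatim copy of the GSSAPI one (lines 1020-1028), and two identical blocks maintained by hand tend to drift apart under later edits. Consider factoring the shared wording into an SGML entity, or having the SSPI entry cross-reference the GSSAPI description and state only what differs; if the duplication is kept, apply the same reflow of the short line 1106 ("also used. It is recommended to") suggested for the GSSAPI copy so both blocks stay character-for-character identical.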
@@ -1116,7 +1121,7 @@ omicron bryanh guest1
11161121
the Kerberos user principal name is used.
11171122
</para>
11181123
<para>
1119-
Do not enable this option unless your server runs under a domain
1124+
Do not disable this option unless your server runs under a domain
11201125
account (this includes virtual service accounts on a domain member
11211126
system) and all clients authenticating through SSPI are also using
11221127
domain accounts, or authentication will fail.
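Review bot: The change from "enable" to "disable" at line 1124 is consistent with the commit message (compat_realm = 0 is "disabled"), but the sentence still depends on the reader knowing which value counts as disabling the option, which is precisely the ambiguity that prompted this fix. Stating the value explicitly removes it regardless of how the option is framed, e.g. "Do not set <literal>compat_realm</literal> to 0 unless your server runs under a domain". The hunk shows no surrounding context naming the option, so the explicit form also makes the paragraph self-explanatory when read in isolation.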