Greetings,

* PG Doc comments form (nore...@postgresql.org) wrote:
> Page: https://www.postgresql.org/docs/15/sspi-auth.html
> Description:
>
> The [current SSPI
> documentation](https://www.postgresql.org/docs/current/sspi-auth.html)
> reads:
>
> "SSPI authentication only works when both server and client are running
> Windows, or, on non-Windows platforms, when GSSAPI is available."
>
> I interpret that phrase like this:
>
> * there's a case where both server and client are running Windows
> * there's a case where both are running non-Windows

Yeah, that phrasing isn't great.

> What about mixed cases? When the client is non-Windows, then can it use
> SSPI? No, AFAIK not. So I'd suggest to make that phrase above clearer and
> completely explicit:

SSPI is Windows-specific, yeah.

> "SSPI authentication works when both server and client are running
> Windows.
>
> When the server is on a non-Windows platform then the server must use GSSAPI
> if it wants to authenticate the client either via Kerberos or via Active
> Directory. A client on a Windows platform that connects to a non-Windows
> Postgresql server can either use SSPI (strongly encouraged) or GSS (much
> more difficult to set up) if it wants to authenticate via Kerberos or Active
> Directory. A client from a non-Windows platform must use GSS if it wants to
> authenticate via Kerberos or Active Directory."

Rather than work in negative, I feel like it might make more sense to work
in positives? That is, perhaps this instead:

On Windows platforms, SSPI is the default and most commonly used
mechanism. Note that an SSPI client can authenticate to a server which
is using either SSPI or GSSAPI, and a GSSAPI client can authenticate to
a server which is using either SSPI or GSSAPI. Generally speaking,
clients and servers on Windows are recommended to use SSPI while clients
and servers on Unix (non-Windows) platforms use GSSAPI. Strictly
speaking, this is all independent of if AD is being used as the KDC or
not.

Thanks,

Stephen