<productname>Kerberos</productname>, it uses a standard principal

in the format

<literal><replaceable>servicename</>/<replaceable>hostname</>@<replaceable>realm</></literal>.

<replaceable>servicename</> can be set on the server side usingthe

<xref linkend="guc-krb-srvname"> configuration parameter, and onthe

client side using the <literal>krbsrvname</> connection parameter. (See

The PostgreSQL server will accept any principal that is included inthe keytab used by

the server, but care needs to be taken to specifythe correct principal details when

making the connection from the client using the <literal>krbsrvname</> connection parameter. (See

also <xref linkend="libpq-paramkeywords">.) The installation default can be

changed from the default <literal>postgres</literal> at build time using

<literal>./configure --with-krb-srvnam=</><replaceable>whatever</>.

In most environments,

this parameter never needs to be changed. However, it is necessary

when supporting multiple <productname>PostgreSQL</> installations

on the same host.

Some Kerberos implementations might also require a different service name,

this parameter never needs to be changed.

Some Kerberos implementations might require a different service name,

such as Microsoft Active Directory which requires the service name

to be in upper case (<literal>POSTGRES</literal>).

</para>

parameter. The default is

<filename>/usr/local/pgsql/etc/krb5.keytab</> (or whatever

directory was specified as <varname>sysconfdir</> at build time).

For security reasons, it is recommended to use a separate keytab

just for the <productname>PostgreSQL</productname> server rather

than opening up permissions on the system keytab file.

</para>

<para>

The keytab file is generated by the Kerberos software; see the

</listitem>

</varlistentry>

<varlistentry id="guc-krb-srvname" xreflabel="krb_srvname">

<term><varname>krb_srvname</varname> (<type>string</type>)</term>

<indexterm>

<primary><varname>krb_srvname</> configuration parameter</primary>

</indexterm>

<listitem>

<para>

Sets the Kerberos service name. See <xref linkend="gssapi-auth">

for details. This parameter can only be set in the

<filename>postgresql.conf</> file or on the server command line.

</para>

</listitem>

</varlistentry>

<varlistentry id="guc-krb-caseins-users" xreflabel="krb_caseins_users">

<term><varname>krb_caseins_users</varname> (<type>boolean</type>)</term>

<indexterm>

char*pg_krb_server_keyfile;

char*pg_krb_srvnam;

boolpg_krb_caseins_users;

#definePG_KRB_SRVTAB ""

#definePG_KRB_SRVNAM ""

#defineCONFIG_FILENAME "postgresql.conf"

#defineHBA_FILENAME"pg_hba.conf"

NULL,NULL,NULL

},

{

{"krb_srvname",PGC_SIGHUP,CONN_AUTH_SECURITY,

gettext_noop("Sets the name of the Kerberos service."),

},

&pg_krb_srvnam,

PG_KRB_SRVNAM,

NULL,NULL,NULL

},

{

{"bonjour_name",PGC_POSTMASTER,CONN_AUTH_SETTINGS,

gettext_noop("Sets the Bonjour service name."),

#password_encryption = on

#db_user_namespace = off

#Kerberos and GSSAPI

#GSSAPI using Kerberos

#krb_server_keyfile = ''

#krb_srvname = 'postgres'# (Kerberos only)

#krb_caseins_users = off

# - TCP Keepalives -

externchar*pg_krb_server_keyfile;

externchar*pg_krb_srvnam;

externboolpg_krb_caseins_users;

externchar*pg_krb_server_hostname;

externchar*pg_krb_realm;

externvoidClientAuthentication(Port*port);

char*ldapprefix;

char*ldapsuffix;

boolclientcert;

char*krb_server_hostname;

char*krb_realm;

boolinclude_realm;

char*radiusserver;