Re: Is it okay to run Postgres service account as a domain account (on Linux)?

If your running postgres on Linux, you have to have a Linux account on the
server to run postgres[1]. It would be possible to have the linux server
configured to use AD/Kerberos for authentication and that might be
justified in some environments e.g. where you have a Windows based identity
and access management system, but you will still need an account on the
Linux system. The downside of doing this is that your just adding another
possible failure point.

You are probably better off just going with 'standard' practices and have
the normal postgres user, but restrict access to the server. You can then
have a separate administrator account which uses AD/Kerberos and do all
your administration using that account (or a number of accounts with
minimum access levels needed depending on your requirements, such as one
per database).

1. There are 'clever' things you can do to enable those with AD accounts to
login to a Linux system which does not require running 'adduser' on the
Linux host, but these solutions tend not to work well when you want to run
'services' on that host using one of those accounts. For example, you have
to add 'clevel' boot facilities to ensure the AD/Kerberos infrastructure is
running before the postgres server and if it isn't, deal with things
gracefully etc. Things quickly become very complicated.

On 27 February 2018 at 03:22, David <dbwagoner(at)gmail(dot)com> wrote:

> Just wondering if it is recommended, or not, to run Postgres as a domain
> account on Linux. If not, then why not?
>
> Thank you,
>
> David
>

--
regards,

Tim

--
Tim Cross