Cc: pgsql-general pgsql-general@postgresql.org
Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Nope. I get this:
kinit(v5): Client not found in Kerberos database while getting initial
credentials
On Jun 15, 2010, at 10:03 PM
Bryan,
* Bryan Montgomery (mo...@english.net) wrote:
After that I spent a bit of time on my Windows client fiddling trying to get
it to work. I had set PGSRVKRBNAME, tried setting PGGSSAPI however, I wasn't
using the FQDN of my database server. When I went from dbhost to
dbhost.lab2k.net, I
Greig,
* greigw...@comcast.net (greigw...@comcast.net) wrote:
I finally got it working. Problem was that on the Windows side on the service
account within the account options, we needed to check Use DES encryption
types for this account. I had that changed on the AD side and that fixed the
pgsql-general@postgresql.org
Sent: Wednesday, June 16, 2010 10:17:10 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
OMG!!!
I finally got it working. Problem was that on the Windows side on the service
account within the account options, we needed to check Use DES
2008
- Original Message -
From: Stephen Frost sfr...@snowman.net
To: greigw...@comcast.net
Cc: Bryan Montgomery mo...@english.net, pgsql-general
pgsql-general@postgresql.org
Sent: Wednesday, June 16, 2010 11:32:05 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS
: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Greig,
* greigw...@comcast.net (greigw...@comcast.net) wrote:
I finally got it working. Problem was that on the Windows side on the service
account within the account options, we needed
Frost sfr...@snowman.net
To: greigw...@comcast.net
Cc: Bryan Montgomery mo...@english.net, pgsql-general
pgsql-general@postgresql.org
Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Greig,
* greigw...@comcast.net (greigw
* greigw...@comcast.net (greigw...@comcast.net) wrote:
So for the -crypto option, what would be your recommendation for what I
should use and would this require changes on the DB server side?
What OS are you running on your AD..? 2003? 2008?
Stephen
Eastern
Subject: Re: [GENERAL] GSS Authentication
Nope. I get this:
kinit(v5): Client not found in Kerberos database while getting initial
credentials
On Jun 15, 2010, at 10:03 PM, Bryan Montgomery wrote:
I'm not in front of a Linux machine, but does
kinit -kt postgres.keytab -S
* greigw...@comcast.net (greigw...@comcast.net) wrote:
2008
I'd expect AES256-SHA1 to work then.
Thanks,
Stephen
Yeah, the interesting thing is we're supposed to move to AES, but on the
current AD it isn't available :) Will be a bit ironic if it is all down to
using DES!
On Wed, Jun 16, 2010 at 11:05 AM, Stephen Frost sfr...@snowman.net wrote:
Greig,
* greigw...@comcast.net (greigw...@comcast.net)
GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* Bryan Montgomery (mo...@english.net) wrote:
I've been trying this as well off and on. In my case I'm not convinced
the
AD configuration is correct (And someone else manages that).
Yeah, that can be a challenge
@postgresql.org
Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* Bryan Montgomery (mo...@english.net) wrote:
I've been trying this as well off and on. In my case I'm not convinced the
AD configuration is correct (And someone else manages
* greigw...@comcast.net (greigw...@comcast.net) wrote:
kinit -S POSTGRES/host.domain.com user
(where user is my account name in AD). That then asked for my password and
when I entered it, it seemed to work. And now klist shows that I have a
ticket. Doing it this way though, the keytab
: [GENERAL] GSS Authentication
* greigw...@comcast.net (greigw...@comcast.net) wrote:
kinit -S POSTGRES/host.domain.com user
(where user is my account name in AD). That then asked for my password and
when I entered it, it seemed to work. And now klist shows that I have a
ticket. Doing
To: greigw...@comcast.net
Cc: pgsql-general@postgresql.org, Bryan Montgomery mo...@english.net
Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* greigw...@comcast.net (greigw...@comcast.net) wrote:
kinit -S POSTGRES/host.domain.com user
: Stephen Frost sfr...@snowman.net
To: Bryan Montgomery mo...@english.net
Cc: greigw...@comcast.net, pgsql-general@postgresql.org
Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* Bryan Montgomery (mo...@english.net) wrote:
I've been
...@snowman.net
To: greigw...@comcast.net
Cc: pgsql-general@postgresql.org
Sent: Saturday, June 12, 2010 12:58:03 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* greigw...@comcast.net (greigw...@comcast.net) wrote:
2) Set up a new account in AD and used ktpass to create
Sent: Monday, June 14, 2010 3:22:36 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Thanks for the help.
In response to your questions, I did make sure the service name was right.
klist -k on the keytab file gives:
KVNO Principal
I've been trying this as well off and on. In my case I'm not convinced the
AD configuration is correct (And someone else manages that).
Can you use kinit with the keytab options to get a good response from the
server? I think I should be able to do this ..
$ kinit -V -k -t poe3b.keytab
Bryan,
* Bryan Montgomery (mo...@english.net) wrote:
On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost sfr...@snowman.net wrote:
Can you elaborate on the DNS requirements? How would I check the reverse
DNS? I assume just pinging both servers by hostname?
Kerberos depends on reverse DNS. Reverse
* Bryan Montgomery (mo...@english.net) wrote:
I've been trying this as well off and on. In my case I'm not convinced the
AD configuration is correct (And someone else manages that).
Yeah, that can be a challenge.. but it's *definitely* possible to get
it set up and working correctly.
Can you
Hi Steven,
Thanks for the info here. In particular,
On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost sfr...@snowman.net wrote:
You may also need to make sure that your default realm is set correctly
and that your reverse DNS is working. Also, can you look in the PG
server-side logs and see
I'm trying to get my PostgreSQL server on Linux configured so that I can
connect from a Windows client using GSS Authentication against Active
Directory. I found some helpful references on how to do this, but I'm still
coming up short. To summarize what I've done so far by way of configuration:
* greigw...@comcast.net (greigw...@comcast.net) wrote:
2) Set up a new account in AD and used ktpass to create a keytab file for the
SPN.
Did you make sure to use the right service name when creating the
keytab? Can you do a klist -k on the keytab file and send the output?
Does hostname