Bryan,
* Bryan Montgomery (mo...@english.net) wrote:
> After that I spent a bit of time on my Windows client fiddling trying to get
> it to work. I had set PGSRVKRBNAME, tried setting PGGSSAPI however, I wasn't
> using the FQDN of my database server. When I went from dbhost to
> dbhost.lab2k.net,
-
> From: "Greig Wise"
> To: "Bryan Montgomery"
> Cc: "pgsql-general"
> Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [GENERAL] GSS Authentication
>
> Nope. I get this:
>
> kinit(v5): Client not found in
To: "Bryan Montgomery"
> Cc: greigw...@comcast.net, pgsql-general@postgresql.org
> Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
> Subject: Re: [GENERAL] GSS Authentication
>
> * Bryan Montgomery (mo...@english.net) wrote:
> > I've been try
Yeah, the interesting thing is we're supposed to move to AES, but on the
current AD it isn't available :) Will be a bit ironic if it is all down to
using DES!
On Wed, Jun 16, 2010 at 11:05 AM, Stephen Frost wrote:
> Greig,
>
> * greigw...@comcast.net (greigw...@comcast.net) wrote:
> > I finally
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> 2008
I'd expect AES256-SHA1 to work then.
Thanks,
Stephen
l trying to get this to work I'd be happy to help if I
can.
Thanks all for the help.
Greig
- Original Message -
From: "Greig Wise"
To: "Bryan Montgomery"
Cc: "pgsql-general"
Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> So for the -crypto option, what would be your recommendation for what I
> should use and would this require changes on the DB server side?
What OS are you running on your AD..? 2003? 2008?
Stephen
: "Stephen Frost"
To: greigw...@comcast.net
Cc: "Bryan Montgomery" , "pgsql-general"
Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Greig,
* greigw...@comcast.net (greigw...@comcast.net) wro
une 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Greig,
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> I finally got it working. Problem was that on the Windows side on the service
> account within the account options, we needed to
2008
- Original Message -
From: "Stephen Frost"
To: greigw...@comcast.net
Cc: "Bryan Montgomery" , "pgsql-general"
Sent: Wednesday, June 16, 2010 11:32:05 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* greigw...@comc
general"
Sent: Wednesday, June 16, 2010 10:17:10 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
OMG!!!
I finally got it working. Problem was that on the Windows side on the service
account within the account options, we needed to check "Use DES encryption
t
Greig,
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> I finally got it working. Problem was that on the Windows side on the service
> account within the account options, we needed to check "Use DES encryption
> types for this account". I had that changed on the AD side and that fixed t
1/69? That can't be
> right, can it?
>
>
> Thanks again.
>
> Greig
>
> - Original Message -
> From: "Stephen Frost"
> To: "Bryan Montgomery"
> Cc: greigw...@comcast.net, pgsql-general@postgresql.org
> Sent: Saturday, June 12,
To: greigw...@comcast.net
Cc: pgsql-general@postgresql.org, "Bryan Montgomery"
Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> kinit -S POSTGRES/host.domain.co
- Original Message -
From: "Stephen Frost"
To: greigw...@comcast.net
Cc: pgsql-general@postgresql.org, "Bryan Montgomery"
Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> kinit -S POSTGRES/host.domain.com user
>
> (where user is my account name in AD). That then asked for my password and
> when I entered it, it seemed to work. And now klist shows that I have a
> ticket. Doing it this way though, the keytab
gresql.org
Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* Bryan Montgomery (mo...@english.net) wrote:
> I've been trying this as well off and on. In my case I'm not convinced the
> AD configuration is correct (An
nday, June 14, 2010 3:22:36 PM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
Thanks for the help.
In response to your questions, I did make sure the service name was right.
klist -k on the keytab file gives:
KVNO
cuting archive command "cp
pg_xlog/0001000100BD /postgresdb/log_arch/0001000100BD
To: greigw...@comcast.net
Cc: pgsql-general@postgresql.org
Sent: Saturday, June 12, 2010 12:58:03 AM GMT -05:00 US/Canada Eastern
Subject: Re: [GENERAL] GSS Authentication
* greig
Hi Steven,
Thanks for the info here. In particular,
On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost wrote:
> You may also need to make sure that your default realm is set correctly
> and that your reverse DNS is working. Also, can you look in the PG
> server-side logs and see what errors are be
* Bryan Montgomery (mo...@english.net) wrote:
> I've been trying this as well off and on. In my case I'm not convinced the
> AD configuration is correct (And someone else manages that).
Yeah, that can be a challenge.. but it's *definitely* possible to get
it set up and working correctly.
> Can y
Bryan,
* Bryan Montgomery (mo...@english.net) wrote:
> On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost wrote:
> Can you elaborate on the DNS requirements? How would I check the reverse
> DNS? I assume just pinging both servers by hostname?
Kerberos depends on reverse DNS. Reverse DNS is IP Addre
I've been trying this as well off and on. In my case I'm not convinced the
AD configuration is correct (And someone else manages that).
Can you use kinit with the keytab options to get a good response from the
server? I think I should be able to do this ..
$ kinit -V -k -t poe3b.keytab HTTP/poe3b
* greigw...@comcast.net (greigw...@comcast.net) wrote:
> 2) Setup a new account in AD and used ktpass to create a keytab file for the
> SPN.
Did you make sure to use the right service name when creating the
keytab? Can you do a klist -k on the keytab file and send the output?
Does hostname --fq
I'm trying to get my PostgreSQL server on Linux configured so that I can
connect from a Windows client using GSS Authentication against Active
Directory. I found some helpful references on how to do this, but I'm still
coming up short. To summarize what I've done so far by way of configuration: