Re: [GENERAL] GSS Authentication

2010-07-08 Thread Stephen Frost
Bryan, * Bryan Montgomery (mo...@english.net) wrote: > After that I spent a bit of time on my windows client fiddling trying to get > it to work. I had set PGSRVKRBNAME, tried setting PGGSSAPI however, I wasn't > using the FQDN of my database server. When I went from dbhost to > dbhost.lab2k.net,

Re: [GENERAL] GSS Authentication

2010-07-08 Thread Bryan Montgomery
- > From: "Greig Wise" > To: "Bryan Montgomery" > Cc: "pgsql-general" > Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern > Subject: Re: [GENERAL] GSS Authentication > > Nope. I get this: > > kinit(v5): Client not found in

Re: [GENERAL] GSS Authentication

2010-06-16 Thread Bryan Montgomery
To: "Bryan Montgomery" > Cc: greigw...@comcast.net, pgsql-general@postgresql.org > Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern > Subject: Re: [GENERAL] GSS Authentication > > * Bryan Montgomery (mo...@english.net) wrote: > > I've been try

Re: [GENERAL] GSS Authentication

2010-06-16 Thread Bryan Montgomery
Yeah, the interesting thing is we're supposed to move to AES, but on the current AD it isn't available :) Will be a bit ironic if it is all down to using DES! On Wed, Jun 16, 2010 at 11:05 AM, Stephen Frost wrote: > Greig, > > * greigw...@comcast.net (greigw...@comcast.net) wrote: > > I finally

Re: [GENERAL] GSS Authentication

2010-06-16 Thread Stephen Frost
* greigw...@comcast.net (greigw...@comcast.net) wrote: > 2008 I'd expect AES256-SHA1 to work then. Thanks, Stephen

Re: [GENERAL] GSS Authentication

2010-06-16 Thread greigwise
l trying to get this to work I'd be happy to help if I can. Thanks all for the help. Greig - Original Message - From: "Greig Wise" To: "Bryan Montgomery" Cc: "pgsql-general" Sent: Wednesday, June 16, 2010 1:09:16 AM GMT -05:00 US/Canada Eastern

Re: [GENERAL] GSS Authentication

2010-06-16 Thread Stephen Frost
* greigw...@comcast.net (greigw...@comcast.net) wrote: > So for the -crypto option, what would be your recommendation for what I > should use and would this require changes on the DB server side? What OS are you running on your AD..? 2003? 2008? Stephen

Re: [GENERAL] GSS Authentication

2010-06-16 Thread greigwise
: "Stephen Frost" To: greigw...@comcast.net Cc: "Bryan Montgomery" , "pgsql-general" Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication Greig, * greigw...@comcast.net (greigw...@comcast.net) wro

Re: [GENERAL] GSS Authentication

2010-06-16 Thread greigwise
une 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication Greig, * greigw...@comcast.net (greigw...@comcast.net) wrote: > I finally got it working. Problem was that on the windows side on the service > account within the account options, we needed to

Re: [GENERAL] GSS Authentication

2010-06-16 Thread greigwise
2008 - Original Message - From: "Stephen Frost" To: greigw...@comcast.net Cc: "Bryan Montgomery" , "pgsql-general" Sent: Wednesday, June 16, 2010 11:32:05 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication * greigw...@comc

Re: [GENERAL] GSS Authentication

2010-06-16 Thread greigwise
general" Sent: Wednesday, June 16, 2010 10:17:10 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication OMG!!! I finally got it working. Problem was that on the windows side on the service account within the account options, we needed to check "Use DES encryption t

Re: [GENERAL] GSS Authentication

2010-06-16 Thread Stephen Frost
Greig, * greigw...@comcast.net (greigw...@comcast.net) wrote: > I finally got it working. Problem was that on the windows side on the service > account within the account options, we needed to check "Use DES encryption > types for this account". I had that changed on the AD side and that fixed t

Re: [GENERAL] GSS Authentication

2010-06-15 Thread Greig Wise
1/69? That can't be > right, can it? > > > Thanks again. > > Greig > > - Original Message - > From: "Stephen Frost" > To: "Bryan Montgomery" > Cc: greigw...@comcast.net, pgsql-general@postgresql.org > Sent: Saturday, June 12,

Re: [GENERAL] GSS Authentication

2010-06-15 Thread greigwise
To: greigw...@comcast.net Cc: pgsql-general@postgresql.org, "Bryan Montgomery" Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication * greigw...@comcast.net (greigw...@comcast.net) wrote: > kinit -S POSTGRES/host.domain.co

Re: [GENERAL] GSS Authentication

2010-06-15 Thread greigwise
- Original Message - From: "Stephen Frost" To: greigw...@comcast.net Cc: pgsql-general@postgresql.org, "Bryan Montgomery" Sent: Tuesday, June 15, 2010 4:25:55 PM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL

Re: [GENERAL] GSS Authentication

2010-06-15 Thread Stephen Frost
* greigw...@comcast.net (greigw...@comcast.net) wrote: > kinit -S POSTGRES/host.domain.com user > > (where user is my account name in AD). That then asked for my password and > when I entered it, it seemed to work. And now klist shows that I have a > ticket. Doing it this way though, the keytab

Re: [GENERAL] GSS Authentication

2010-06-15 Thread greigwise
gresql.org Sent: Saturday, June 12, 2010 8:35:13 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication * Bryan Montgomery (mo...@english.net) wrote: > I've been trying this as well off and on. In my case I'm not convinced the > AD configuration is correct (An

Re: [GENERAL] GSS Authentication

2010-06-14 Thread greigwise
nday, June 14, 2010 3:22:36 PM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication Thanks for the help. In response to your questions, I did make sure the service name was right. klist -k on the keytab file gives: KVNO

Re: [GENERAL] GSS Authentication

2010-06-14 Thread greigwise
cuting archive command "cp pg_xlog/0001000100BD /postgresdb/log_arch/0001000100BD To: greigw...@comcast.net Cc: pgsql-general@postgresql.org Sent: Saturday, June 12, 2010 12:58:03 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication * greig

Re: [GENERAL] GSS Authentication

2010-06-12 Thread Bryan Montgomery
Hi Steven, Thanks for the info here. In particular, On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost wrote: > You may also need to make sure that your default realm is set correctly > and that your reverse DNS is working. Also, can you look in the PG > server-side logs and see what errors are be

Re: [GENERAL] GSS Authentication

2010-06-12 Thread Stephen Frost
* Bryan Montgomery (mo...@english.net) wrote: > I've been trying this as well off and on. In my case I'm not convinced the > AD configuration is correct (And someone else manages that). Yeah, that can be a challenge.. but it's *definitely* possible to get it set up and working correctly. > Can y

Re: [GENERAL] GSS Authentication

2010-06-12 Thread Stephen Frost
Bryan, * Bryan Montgomery (mo...@english.net) wrote: > On Sat, Jun 12, 2010 at 12:58 AM, Stephen Frost wrote: > Can you elaborate on the DNS requirements? How would I check the reverse > DNS? I assume just pinging both server by hostname? Kerberos depends on reverse DNS. Reverse DNS is IP Addre

Re: [GENERAL] GSS Authentication

2010-06-12 Thread Bryan Montgomery
I've been trying this as well off and on. In my case I'm not convinced the AD configuration is correct (And someone else manages that). Can you use kinit with the key tab options to get a good response from the server? I think I should be able to do this .. $ kinit -V -k -t poe3b.keytab HTTP/poe3b

Re: [GENERAL] GSS Authentication

2010-06-11 Thread Stephen Frost
* greigw...@comcast.net (greigw...@comcast.net) wrote: > 2) Setup a new account in AD and used ktpass to create a keytab file for the > SPN. Did you make sure to use the right service name when creating the keytab? Can you do a klist -k on the keytab file and send the output? Does hostname --fq

[GENERAL] GSS Authentication

2010-06-11 Thread greigwise
I'm trying to get my PostgreSQL server on Linux configured so that I can connect from a Windows client using GSS Authentication against Active Directory. I found some helpful references on how to do this, but I'm still coming up short. To summarize what I've done so far by way of configuration: