One interesting thing I just came across. I had another user try to connect to my DB using the GSS authentication and it failed. I checked everything out on the client side and it seemed to be OK, so I was puzzled. So then I had another user try and it worked just fine for him. That's weird, right? So then I went up and talked to our sysadmin guy who sets up the windows domain stuff and asked him if we could look at the accounts. The 2 accounts that worked (mine and the 3rd guy) were in a certain group and the other was not a member of that group. So, I had them put the user into that group. Then it suddenly starts working fine for that user. So, evidently, there is some setting on the Windows side for each account which authenticates via GSS that is required for the authentication to work right. We're going to go through the privs for that group and see if anything sticks out for us, but in the meantime, does anyone have any idea why the one user wouldn't work?
Thanks,
Greig
----- Original Message -----
From: "Stephen Frost" <sfrost@xxxxxxxxxxx>
To: greigwise@xxxxxxxxxxx
Cc: "Bryan Montgomery" <monty@xxxxxxxxxxx>, "pgsql-general" <pgsql-general@xxxxxxxxxxxxxx>
Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: GSS Authentication
Greig,
* greigwise@xxxxxxxxxxx (greigwise@xxxxxxxxxxx) wrote:
> I finally got it working. Problem was that on the windows side on the service account within the account options, we needed to check "Use DES encryption types for this account". I had that changed on the AD side and that fixed the whole problem.
Great, glad to hear you got it working. Just to reiterate- you really
should be looking at using a 2008 AD with AES encryption types instead
of DES. DES is depreciated and no longer secure given today's
computers.
Thanks,
Stephen
Thanks,
Greig
----- Original Message -----
From: "Stephen Frost" <sfrost@xxxxxxxxxxx>
To: greigwise@xxxxxxxxxxx
Cc: "Bryan Montgomery" <monty@xxxxxxxxxxx>, "pgsql-general" <pgsql-general@xxxxxxxxxxxxxx>
Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern
Subject: Re: GSS Authentication
Greig,
* greigwise@xxxxxxxxxxx (greigwise@xxxxxxxxxxx) wrote:
> I finally got it working. Problem was that on the windows side on the service account within the account options, we needed to check "Use DES encryption types for this account". I had that changed on the AD side and that fixed the whole problem.
Great, glad to hear you got it working. Just to reiterate- you really
should be looking at using a 2008 AD with AES encryption types instead
of DES. DES is depreciated and no longer secure given today's
computers.
Thanks,
Stephen
Attachment:
signature.asc
Description: Digital signature
-- Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
