* Magnus Hagander ([EMAIL PROTECTED]) wrote:
> I've set it up as a different way of doing GSSAPI authentication. This
> means that you can't have both SSPI and MIT KRB GSSAPI in the same
> installation. I don't see a problem with this - 99.9% of Windows users
> will just want the SSPI version anyway. But I figured I'd throw it out
> here to see if there are any objections to this?

I'm not quite sure if that would affect what we do but it sounds like it might. The main thing we use on the clients wrt Postgres is the ODBC driver but I've used psql once or twice and have been trying to get people to learn it.

We've got SSPI which is used for the Windows domain (and only the Windows resources) and then MIT Krb5 GSSAPI for the Unix resources. While cross-realm is a nice idea it's less than easy to get going, especially with even a half-way secure key (I'm not exactly a big fan of arc/rc4...). So, we have separate key caches on each client that needs access to both resources and that allows us to manage things much more easily and separately from the corporate folks running the Windows domain.

Additionally, it seems likely to me that there will be cases when people running Windows don't *want* to set up an Active Directory for their Windows machines but want to use Kerberos to auth to certain resources (perhaps a campus environment where student systems aren't joined to an AD domain?). Would that be possible with this? I haven't done much w/ SSPI so I'm not sure how deeply that's tied into things like that.

Thanks,

Stephen