Re: SSPI authentication

From: Stephen Frost <sfrost(at)snowman(dot)net>
To: Magnus Hagander <magnus(at)hagander(dot)net>
Cc: PGSQL Hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: SSPI authentication
Date: 2007-07-16 18:12:49
Message-ID: 20070716181249.GZ4887@tamriel.snowman.net
Lists: pgsql-hackers

* Magnus Hagander (magnus(at)hagander(dot)net) wrote:
> I've set it up as a different way of doing GSSAPI authentication. This
> means that you can't have both SSPI and MIT KRB GSSAPI in the same
> installation. I don't see a problem with this - 99.9% of Windows users
> will just want the SSPI version anyway. But I figured I'd throw it out
> here to see if there are any objections to this?

I'm not quite sure if that would affect what we do but it sounds like it
might. The main thing we use on the clients wrt Postgres is the ODBC
driver but I've used psql once or twice and have been trying to get
people to learn it.

We've got SSPI which is used for the Windows domain (and only the Windows
resources) and then MIT Krb5 GSSAPI for the Unix resources. While
cross-realm is a nice idea it's less than easy to get going, especially
with even a half-way secure key (I'm not exactly a big fan of
arc/rc4...).

So, we have separate key caches on each client that needs access to both
resources and that allows us to manage things much more easily and
separately from the corporate folks running the Windows domain.

Additionally, it seems likely to me that there will be cases when people
running Windows don't *want* to set up an Active Directory for their
Windows machines but want to use Kerberos to auth to certain resources
(perhaps a campus environment where student systems aren't joined to an
AD domain?). Would that be possible with this? I haven't done much w/
SSPI so I'm not sure how deeply that's tied into things like that.

Thanks,

Stephen
