OK. So, to get it to use a different encryption type, I'm thinking I'd have to specify that when I create the keytab (and then uncheck the Use DES option on the account setup in Windows). So, when I created my keytab, I used a command like this on the AD side:
ktpass -princ POSTGRES/host.domain....@domain.com -crypto DES-CBC-MD5 -mapuser host -pass mypasswd -out postgres.keytab So for the -crypto option, what would be your recommendation for what I should use and would this require changes on the DB server side? Thanks again. Greig ----- Original Message ----- From: "Stephen Frost" <sfr...@snowman.net> To: greigw...@comcast.net Cc: "Bryan Montgomery" <mo...@english.net>, "pgsql-general" <pgsql-general@postgresql.org> Sent: Wednesday, June 16, 2010 11:05:16 AM GMT -05:00 US/Canada Eastern Subject: Re: [GENERAL] GSS Authentication Greig, * greigw...@comcast.net (greigw...@comcast.net) wrote: > I finally got it working. Problem was that on the windows side on the service > account within the account options, we needed to check "Use DES encryption > types for this account". I had that changed on the AD side and that fixed the > whole problem. Great, glad to hear you got it working. Just to reiterate- you really should be looking at using a 2008 AD with AES encryption types instead of DES. DES is depreciated and no longer secure given today's computers. Thanks, Stephen
signature.asc
Description: Digital signature
-- Sent via pgsql-general mailing list (pgsql-general@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-general
