Greetings Grant,
* Grant McKenzie (grant.r.mckenzie@gmail.com) wrote:
> in a heterogeneous environment with a server running on linux and a mix of
> clients running on windows and linux, would you not want to use GSSAPI?
We generally prefer in-line responses instead of "top-posting" on the PG
mailing lists.
In that mixed environment, you would typically have either:
One Realm run by the Active Directory system, with the Linux hosts
configured to use GSSAPI and joined to the Active Directory environment
and then using SSPI on the Windows clients.
or
Two realms, one run on the Active Directory system and one run on a
Linux host using an MIT KDC or Heimdal, with a cross-realm trust between
the two (at least one-way, for the Windows clients to be trusted by the
Linux servers, or two-way, if you have the need to go the other
direction also), and then the Windows systems running SSPI and the Linux
systems using GSSAPI.
What is perhaps not being understood here is that SSPI is Kerberos on
Windows using the Active Directory system. There's no need to also have
GSSAPI enabled on the Windows systems- that would just be adding in
libraries and complications that aren't necessary in an Active Directory
environment. If you're running Windows clients and *not* using Active
Directory, then there might be a reason to use GSSAPI on Windows and
Kerberos For Windows from MIT, but that's extremely rare these days...
Thanks!
Stephen