Re: Future of krb5 authentication

From: Magnus Hagander <magnus(at)hagander(dot)net>
To: Tom Lane <tgl(at)sss(dot)pgh(dot)pa(dot)us>
Cc: Heikki Linnakangas <heikki(at)enterprisedb(dot)com>, Dave Page <dpage(at)postgresql(dot)org>, pgsql-hackers <pgsql-hackers(at)postgresql(dot)org>
Subject: Re: Future of krb5 authentication
Date: 2007-07-18 16:31:12
Message-ID: 469E4050.10703@hagander.net
Lists: pgsql-hackers

Tom Lane wrote:
> Magnus Hagander <magnus(at)hagander(dot)net> writes:
>> On Wed, Jul 18, 2007 at 10:46:58AM -0400, Tom Lane wrote:
>>> This needs to be fixed.
>
>> No, GSSAPI and krb5 are *not* mutually exclusive.
>
>> SSPI and GSSAPI are mutually exclusive.
>
> Color me confused then. What's the difference?

SSPI is a Windows-only implementation of the GSSAPI protocol, that has a
different API.

GSSAPI works on Unix and on Windows (but only with addon libraries, such
as MIT (unix or win) or Heimdal (unix only)).

The confusion probably comes from the fact that GSSAPI is both a
protocol (supported by SSPI as well) and an API (not supported by SSPI).

Now, SSPI integrates with Active Directory, so it doesn't work if you
don't want to join your workstation to the Kerberos realm. Or as in
Stephen's case, you want to be *both* on the Active Directory and in a
non-trusted Unix Kerberos realm.

But we're talking two different issues. Deprecating/removing krb5 is a
different thing from having GSSAPI and SSPI mutually exclusive or not.

//Magnus
