* Peter Koczan (pjkoczan@gmail.com) wrote:
> On Thu, Jul 24, 2008 at 7:50 PM, Stephen Frost <sfrost@snowman.net> wrote:
> > So you know, that generally means "wrong password". Have you tried
> > kinit'ing first? Is it prompting you for a password?
>
> I tried kinit, and it didn't work, but putting my real Kerberos
> password in the password field worked. It looks like it's trying to
> get a new set of credentials/tickets when authenticating, instead of
> using stashed or readily available credentials.
Ah, yes, I have some recollection of that. I forget how, exactly, but I
thought that I found a way around that.
> This is better than nothing, but it would be very nice to not force
> users to specify a password when connecting. It kinda defeats the
> purpose of a single-sign-on authentication system, and I'd really
> prefer not having users put their password in plaintext files, as it
> seems rather insecure. At the very least, the password should be able
> to be obscured or encrypted somehow in the connection, but even this
> is less than ideal.
I agree 110%. It really needs to use the existing credentials, though
it's nice that this shows the basic capability working.
> Is there any way to tell JDBC to use available KRB5/GSSAPI credentials?
I'll try to find some time to test my setup again and see if I can find
a way to do that. Of course, part of the problem here will end up being
silly applications that insist on being given a username and password.
It'd be nice if those could be left blank, but even so, users will end
up being annoyed by it. :( My primary JDBC app at the moment is uDig,
in case anyone's listening. ;)
> > I'm *really* anxious to have GSSAPI support in JDBC and fully
> > supported.. I've got it working in a test rig, but I need it working
> > under Linux and Windows for a number of clients and I havn't had time to
> > make sure all the issues are worked through. :/
>
> Me too. Now I just have to get SSL working, too.
Please update us on how that goes. :)
Thanks,
Stephen