Hi, When Curl forms the service principal given the service name, it simply formats the service principal name with "<service_name>/<host_name>" in Curl_sasl_build_spn. The "<host_name>" is basically the host name part of the URL. So if the host name is an IP address, the SPN would be wrong according to the following doc: http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html >> In the case of a host, the instance is the fully qualified hostname, e.g., daffodil.mit.edu.
Because of this, the kerberos ticket generated by KDC is unusable by the service. What's worse is that JDK would pass on calling GSSContext.acceptSecContext() silently but in fact it could not even get the client's principal name. This affects SPNEGO scenario for libcurl. Could libcurl perform a reverse DNS lookup to get the fully qualified hostname? Thanks, Bill
------------------------------------------------------------------- List admin: http://cool.haxx.se/list/listinfo/curl-library Etiquette: http://curl.haxx.se/mail/etiquette.html
