Jeffrey Hutzelman writes:

> The problem you may be more likely to run into is that the server might
> not actually be able to accept tickets for more than one service
> principal at a time.  That is, it can be configured to accept the
> server's own principal name or the shared one, but not both.  Cyrus SASL
> had this problem for a long time, and I'm not sure it ever got fixed.

Originally, we locally patched Cyrus SASL to fix this bug.  I don't recall
if that was still the case or if we managed to at least get that patch as
far upstream as the Debian package.

> If you're willing to patch, the fix for that problem is actually pretty
> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
> place of the credential argument. Then the server will accept tickets
> for any principal in its keytab.

Yup, that was the fix.

Russ Allbery
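
The behaviour discussed in this thread, as an added Python model that is not code from either poster, from Cyrus SASL or from any GSSAPI library: an acceptor bound to one principal refuses tickets for the other name, while one with no bound credential (the GSS_C_NO_CRED case) accepts any principal in its keytab. The HMAC tag stands in for ticket encryption, and the principal names, keys and function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed keytab: service principal -> key (all values are made up).
HOST = "imap/mail1.example.org@EXAMPLE.ORG"    # the server's own principal
SHARED = "imap/mail.example.org@EXAMPLE.ORG"   # the shared principal
KEYTAB = {HOST: b"constructed-host-key", SHARED: b"constructed-shared-key"}

def _seal(key, sname, client):
    # Stand-in for encrypting the ticket under the service's long-term key.
    return hmac.new(key, f"{sname}|{client}".encode(), hashlib.sha256).digest()

def issue_ticket(sname, key, client):
    """Stand-in for the KDC issuing a service ticket for `sname`."""
    return {"sname": sname, "client": client, "tag": _seal(key, sname, client)}

def accept(ticket, keytab, acceptor_name=None):
    """Model of the acceptor's key selection.

    acceptor_name given: models acceptor credentials acquired for one name,
    so a ticket for any other principal is refused.
    acceptor_name None: models GSS_C_NO_CRED, where any keytab entry matching
    the ticket's service name may be used.
    Returns (client, matched_principal); raises PermissionError on refusal.
    """
    sname = ticket["sname"]
    if acceptor_name is not None and sname != acceptor_name:
        raise PermissionError(f"ticket is for {sname}, acceptor is {acceptor_name}")
    key = keytab.get(sname)
    if key is None:
        raise PermissionError(f"no keytab entry for {sname}")
    if not hmac.compare_digest(_seal(key, sname, ticket["client"]), ticket["tag"]):
        raise PermissionError("ticket was not sealed with the keytab key")
    # Returning the matched principal lets the caller see which name was used.
    return ticket["client"], sname

def accepted(ticket, keytab, acceptor_name=None):
    try:
        accept(ticket, keytab, acceptor_name)
        return True
    except PermissionError:
        return False

if __name__ == "__main__":
    for name in (HOST, SHARED):
        t = issue_ticket(name, KEYTAB[name], "alice@EXAMPLE.ORG")
        print(name, "bound to HOST:", accepted(t, KEYTAB, HOST),
              "| no bound credential:", accepted(t, KEYTAB))
```

Because the unbound acceptor answers for every principal in the keytab, the keytab should hold only the service names this server is meant to accept.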
