Jeffrey Hutzelman <jh...@cmu.edu> writes:

> The problem you may be more likely to run into is that the server might
> not actually be able to accept tickets for more than one service
> principal at a time.  That is, it can be configured to accept the
> server's own principal name or the shared one, but not both.  Cyrus SASL
> had this problem for a long time, and I'm not sure it ever got fixed.

Originally, we locally patched Cyrus SASL to fix this bug.  I don't recall
if that was still the case or if we managed to at least get that patch as
far upstream as the Debian package.

> If you're willing to patch, the fix for that problem is actually pretty
> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
> place of the credential argument. Then the server will accept tickets
> for any principal in its keytab.

Yup, that was the fix.

-- 
Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
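
The behaviour discussed in this message, as an added illustration that is not part of the original message or of Cyrus SASL: a pure-Python model of how the acceptor picks a key, not real GSSAPI calls. The principal names, keys and the HMAC "ticket" are constructed for the example, with HMAC standing in for Kerberos ticket encryption.

```python
import hashlib
import hmac

# Constructed sample keytab: one host-specific and one shared service principal.
HOST = "imap/mail1.example.org@EXAMPLE.ORG"
SHARED = "imap/mail.example.org@EXAMPLE.ORG"
KEYTAB = {HOST: b"host-specific-key", SHARED: b"shared-service-key"}

class TicketRejected(Exception):
    """Raised when the modelled acceptor refuses a ticket."""

def _tag(key, sname, client):
    # HMAC stands in for "ticket encrypted under the service's long-term key".
    return hmac.new(key, f"{sname}|{client}".encode(), hashlib.sha256).digest()

def issue_ticket(sname, client, key):
    """KDC stand-in: issue a ticket for service principal sname."""
    return {"sname": sname, "client": client, "tag": _tag(key, sname, client)}

def accept(ticket, keytab, acceptor_name=None):
    """Model of the acceptor's key selection.

    acceptor_name set  -> the server acquired credentials for one principal.
    acceptor_name None -> models passing GSS_C_NO_CRED: any keytab entry
                          may be used to accept the ticket.
    Returns (client, matched_principal) so the caller can log or authorize.
    """
    sname = ticket["sname"]
    if acceptor_name is not None and sname != acceptor_name:
        raise TicketRejected(f"ticket is for {sname}, acceptor is {acceptor_name}")
    key = keytab.get(sname)
    if key is None:
        raise TicketRejected(f"no keytab entry for {sname}")
    if not hmac.compare_digest(_tag(key, sname, ticket["client"]), ticket["tag"]):
        raise TicketRejected("ticket was not issued under the keytab key")
    return ticket["client"], sname

def accepted(ticket, keytab, acceptor_name=None):
    """Boolean wrapper around accept() for quick checks."""
    try:
        accept(ticket, keytab, acceptor_name)
        return True
    except TicketRejected:
        return False

if __name__ == "__main__":
    t = issue_ticket(SHARED, "alice@EXAMPLE.ORG", KEYTAB[SHARED])
    print("bound to host principal:", accepted(t, KEYTAB, acceptor_name=HOST))
    print("no acceptor credential :", accepted(t, KEYTAB))
```

Because every keytab entry becomes acceptable in the second mode, the keytab should hold only the principals the service is meant to answer to, and the matched principal is worth logging.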
