Jeffrey Hutzelman <jh...@cmu.edu> writes:
> The problem you may be more likely to run into is that the server might
> not actually be able to accept tickets for more than one service
> principal at a time. That is, it can be configured to accept the
> server's own principal name or the shared one, but not both. Cyrus SASL
> had this problem for a long time, and I'm not sure it ever got fixed.

Originally, we locally patched Cyrus SASL to fix this bug. I don't recall
if that was still the case or if we managed to at least get that patch as
far upstream as the Debian package.

> If you're willing to patch, the fix for that problem is actually pretty
> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
> place of the credential argument. Then the server will accept tickets
> for any principal in its keytab.

Yup, that was the fix.

Russ Allbery (ea...@eyrie.org) <http://www.eyrie.org/~eagle/>