Jeffrey Hutzelman <[email protected]> writes:

> The problem you may be more likely to run into is that the server might
> not actually be able to accept tickets for more than one service
> principal at a time. That is, it can be configured to accept the
> server's own principal name or the shared one, but not both. Cyrus SASL
> had this problem for a long time, and I'm not sure it ever got fixed.

Originally, we locally patched Cyrus SASL to fix this bug. I don't recall if that was still the case or if we managed to at least get that patch as far upstream as the Debian package.

> If you're willing to patch, the fix for that problem is actually pretty
> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
> place of the credential argument. Then the server will accept tickets
> for any principal in its keytab.

Yup, that was the fix.

-- 
Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
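An added check that follows from the fix discussed above (not part of the original messages or of Cyrus SASL): once the acceptor passes GSS_C_NO_CRED, the keytab contents decide which service principals are accepted, so it helps to compare them against the intended list. The sample `klist -k` output, host names and realm are constructed, and `keytab_principals` and `audit` are hypothetical helper names; the parser assumes the MIT `klist -k` layout.

```python
"""Audit which service principals a GSS_C_NO_CRED acceptor would accept."""

# Constructed sample of MIT `klist -k` output; host names and realm are made up.
SAMPLE_KLIST = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail1.example.org@EXAMPLE.ORG
   3 imap/mail1.example.org@EXAMPLE.ORG
   2 imap/mail.example.org@EXAMPLE.ORG
   5 host/mail1.example.org@EXAMPLE.ORG
"""


def keytab_principals(klist_output):
    """Return the set of principals listed in `klist -k` output."""
    principals = set()
    for line in klist_output.splitlines():
        fields = line.split()
        # Entry lines start with a numeric KVNO; headers and rules do not.
        if len(fields) < 2 or not fields[0].isdigit():
            continue
        # Extra columns (-t timestamps, -e enctypes) are tolerated by taking
        # the first field that looks like name@REALM.
        principal = next((f for f in fields[1:] if "@" in f), None)
        if principal:
            principals.add(principal)
    return principals


def audit(klist_output, intended):
    """Compare keytab principals with the ones the service should accept."""
    found = keytab_principals(klist_output)
    intended = set(intended)
    return {
        "accepted": sorted(found),               # what GSS_C_NO_CRED allows
        "unexpected": sorted(found - intended),  # accepted but not intended
        "missing": sorted(intended - found),     # intended but no key present
    }


if __name__ == "__main__":
    wanted = ["imap/mail1.example.org@EXAMPLE.ORG",
              "imap/mail.example.org@EXAMPLE.ORG"]
    for key, names in audit(SAMPLE_KLIST, wanted).items():
        print(f"{key}: {', '.join(names) or '-'}")
```

An entry under `unexpected` usually means the service is reading a shared system keytab; a dedicated keytab holding only the intended principals removes it.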
