That is recommended in any case. The service should have its own keytab, and 
you control the allowed names by what's in the keytab. Much simpler coding as 

Personal email.

> On Jan 6, 2017, at 9:13 AM, Russ Allbery <> wrote:
> Jeffrey Hutzelman <> writes:
>> The problem you may be more likely to run into is that the server might
>> not actually be able to accept tickets for more than one service
>> principal at a time.  That is, it can be configured to accept the
>> server's own principal name or the shared one, but not both.  Cyrus SASL
>> had this problem for a long time, and I'm not sure it ever got fixed.
> Originally, we locally patched Cyrus SASL to fix this bug.  I don't recall
> if that was still the case or if we managed to at least get that patch as
> far upstream as the Debian package.
>> If you're willing to patch, the fix for that problem is actually pretty
>> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
>> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
>> place of the credential argument. Then the server will accept tickets
>> for any principal in its keytab.
> Yup, that was the fix.
> -- 
> Russ Allbery (              <>

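An added check, not from anyone in the thread: once the acceptor passes GSS_C_NO_CRED, every key in the keytab it reads is an acceptable service identity, so the keytab listing is the effective allow-list. The script below takes the output of `klist -k` for a service's keytab and prints the distinct principals that acceptor would accept, then flags any that are outside the set the operator intended. The `klist` output, keytab path, hostnames and realm are constructed sample data, and the script assumes POSIX sh and awk.

```shell
#!/bin/sh
# Added example (not code from the thread or from Cyrus SASL).
# Given `klist -k <keytab>` output, list the principals a GSS_C_NO_CRED
# acceptor would accept, and report any not in an expected allow-list.

# Constructed sample of `klist -k /etc/sasl/imap.keytab` (not real data).
# Duplicate lines for one principal are normal: one entry per enctype/kvno.
SAMPLE_KLIST='Keytab name: FILE:/etc/sasl/imap.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 imap/mail1.example.org@EXAMPLE.ORG
   3 imap/mail1.example.org@EXAMPLE.ORG
   3 imap/mail.example.org@EXAMPLE.ORG
   2 host/mail1.example.org@EXAMPLE.ORG'

# keytab_principals: read `klist -k` output on stdin, print each principal once.
# Skips the three header lines; the principal is the second column.
keytab_principals() {
    awk 'NR > 3 && NF >= 2 { seen[$2] = 1 } END { for (p in seen) print p }' \
        | LC_ALL=C sort
}

# unexpected_principals: read principals (one per line) on stdin and print
# those not in the space-separated allow-list given as the first argument.
# Anything printed here is an identity the server would silently accept.
unexpected_principals() {
    allow="$1"
    while IFS= read -r princ; do
        found=0
        for a in $allow; do
            if [ "$a" = "$princ" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "$princ"
        fi
    done
    return 0
}

# Stand-alone run on the constructed sample: the host/ key got into the IMAP
# keytab, so an acceptor using GSS_C_NO_CRED would also accept tickets for it.
if [ -z "${KEYTAB_CHECK_NO_MAIN:-}" ]; then
    echo "Principals accepted from this keytab:"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals
    echo "Not in the allow-list:"
    printf '%s\n' "$SAMPLE_KLIST" | keytab_principals \
        | unexpected_principals "imap/mail1.example.org@EXAMPLE.ORG imap/mail.example.org@EXAMPLE.ORG"
fi
```

On a real host, replace the sample with `klist -k /path/to/service.keytab`. The point of giving the service its own keytab (and pointing the daemon at it, for example with KRB5_KTNAME in MIT Kerberos) is exactly that this list stays short: a server that reads the shared /etc/krb5.keytab with GSS_C_NO_CRED also accepts host/ and every other service's principal stored there.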