That is recommended in any case. The service should have its own keytab, and you control the allowed names by what's in the keytab. Much simpler coding as well.
Personal email. [email protected]

> On Jan 6, 2017, at 9:13 AM, Russ Allbery <[email protected]> wrote:
>
> Jeffrey Hutzelman <[email protected]> writes:
>
>> The problem you may be more likely to run into is that the server might
>> not actually be able to accept tickets for more than one service
>> principal at a time. That is, it can be configured to accept the
>> server's own principal name or the shared one, but not both. Cyrus SASL
>> had this problem for a long time, and I'm not sure it ever got fixed.
>
> Originally, we locally patched Cyrus SASL to fix this bug. I don't recall
> if that was still the case or if we managed to at least get that patch as
> far upstream as the Debian package.
>
>> If you're willing to patch, the fix for that problem is actually pretty
>> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
>> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
>> place of the credential argument. Then the server will accept tickets
>> for any principal in its keytab.
>
> Yup, that was the fix.
>
> --
> Russ Allbery ([email protected]) <http://www.eyrie.org/~eagle/>
