That is recommended in any case. The service should have its own keytab, and 
you control the allowed names by what's in the keytab. Much simpler coding as 
well. 

Personal email. hbh...@oxy.edu

> On Jan 6, 2017, at 9:13 AM, Russ Allbery <ea...@eyrie.org> wrote:
> 
> Jeffrey Hutzelman <jh...@cmu.edu> writes:
> 
>> The problem you may be more likely to run into is that the server might
>> not actually be able to accept tickets for more than one service
>> principal at a time.  That is, it can be configured to accept the
>> server's own principal name or the shared one, but not both.  Cyrus SASL
>> had this problem for a long time, and I'm not sure it ever got fixed.
> 
> Originally, we locally patched Cyrus SASL to fix this bug.  I don't recall
> if that was still the case or if we managed to at least get that patch as
> far upstream as the Debian package.
> 
>> If you're willing to patch, the fix for that problem is actually pretty
>> simple -- instead of acquiring GSSAPI acceptor credentials, the server's
>> call to gss_accept_sec_context() should simply pass GSS_C_NO_CRED in
>> place of the credential argument. Then the server will accept tickets
>> for any principal in its keytab.
> 
> Yup, that was the fix.
> 
> -- 
> Russ Allbery (ea...@eyrie.org)              <http://www.eyrie.org/~eagle/>
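
Added example, not part of the thread or of any project named in it: once the acceptor passes no credential (the constant is spelled `GSS_C_NO_CREDENTIAL` in `gssapi.h`), every principal in the service keytab is accepted, so the keytab contents are the allow-list worth auditing. This sketch assumes the MIT keytab file format version 0x0502; the principal names, realm, and key bytes are constructed sample data.

```python
import struct

def parse_entry(rec):
    """Decode one keytab record into (principal, kvno, enctype)."""
    off = 0
    def take(fmt):
        nonlocal off
        (val,) = struct.unpack_from(fmt, rec, off)
        off += struct.calcsize(fmt)
        return val
    def counted():                       # uint16 length followed by bytes
        nonlocal off
        n = take(">H")
        if off + n > len(rec):
            raise ValueError("truncated field")
        off += n
        return rec[off - n:off]
    ncomp = take(">H")
    realm = counted().decode()
    name = "/".join(counted().decode() for _ in range(ncomp))
    take(">I"); take(">I")               # name type, timestamp (unused)
    kvno, enctype = take(">B"), take(">H")
    counted()                            # key bytes: skipped, never returned
    if len(rec) - off >= 4:
        kvno = take(">I") or kvno        # 32-bit kvno extension, 0 = unset
    return (f"{name}@{realm}", kvno, enctype)

def list_keytab_principals(data):
    """Sorted unique (principal, kvno, enctype) tuples in a 0x0502 keytab."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    found, pos = set(), 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size == 0:                    # treated as end of entries here
            break
        if size < 0:                     # hole left by a deleted entry
            pos -= size
            continue
        if pos + size > len(data):
            raise ValueError("truncated entry")
        found.add(parse_entry(data[pos:pos + size]))
        pos += size
    return sorted(found)

def unexpected_principals(data, allowed):
    """Principals the acceptor would honour that policy does not list."""
    return sorted({p for p, _, _ in list_keytab_principals(data)} - set(allowed))

def sample_entry(principal, kvno, enctype=18):   # builds constructed test data
    name, realm = principal.split("@")
    cs = lambda b: struct.pack(">H", len(b)) + b
    parts = [cs(c.encode()) for c in name.split("/")]
    rec = struct.pack(">H", len(parts)) + cs(realm.encode()) + b"".join(parts)
    rec += struct.pack(">IIBH", 1, 0, kvno & 0xFF, enctype) + cs(b"\0" * 32)
    return struct.pack(">i", len(rec) + 4) + rec + struct.pack(">I", kvno)

ALLOWED = {"imap/mail1.example.org@EXAMPLE.ORG", "imap/mail.example.org@EXAMPLE.ORG"}
SAMPLE = b"\x05\x02" + b"".join(sample_entry(p, k) for p, k in
    [(sorted(ALLOWED)[1], 3), (sorted(ALLOWED)[0], 2), ("host/mail1.example.org@EXAMPLE.ORG", 5)])
```

Here `unexpected_principals(SAMPLE, ALLOWED)` reports the `host/` entry, which would be accepted alongside the server's own and the shared service name if the service read this keytab.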
