On Wed, May 22, 2002 at 02:34:02PM -0400, [EMAIL PROTECTED] wrote:
>
> Ideally the acceptor name is irrelevant to the acceptor.  After all,
> the ability to accept a sec context implies having the necessary and
> valid keytab entries available, and that is good enough IMHO.  Such
> behaviour would be necessary on virtualized servers.
>
> For the acceptor to accept GSS contexts without regard as to the
> acceptor name used by the initiator you need a patch to MIT krb5's
> GSS implementation.  The idea is to call gss_accept_sec_context()
> with the default acceptor credential and later use
> gss_inquire_sec_context() to determine the actual acceptor name, if
> desired.

In other words, wait to see what ticket (initiator credentials) you
get from the client, and then see if you have a keytab entry
(acceptor credentials) for it?

Cheers,
-- 
Jacques A. Vidrine <[EMAIL PROTECTED]>          http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
[EMAIL PROTECTED] . [EMAIL PROTECTED] . [EMAIL PROTECTED]
________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
http://mailman.mit.edu/mailman/listinfo/kerberos
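A toy model of the acceptor behaviour discussed in this thread, added here as an example; it is not code from MIT krb5, Heimdal or either poster, and it does not call the GSS-API. The HMAC-sealed "ticket", the `make_ticket` and `accept` functions and the principal names are constructed assumptions that stand in for a service ticket and the keytab lookup.

```python
import hashlib
import hmac

# Constructed keytab: service principal -> long-term key (sample values only).
KEYTAB = {
    "host/www1.example.org@EXAMPLE.ORG": b"sample-key-www1",
    "host/www2.example.org@EXAMPLE.ORG": b"sample-key-www2",
}

def seal(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()

def make_ticket(sname, client, key):
    """KDC side of the model: the service name travels in the clear,
    the client identity is sealed under that service's key."""
    body = client.encode()
    return {"sname": sname, "body": body, "mac": seal(key, body)}

def accept(ticket, keytab, acceptor_name=None):
    """Model of accepting a security context.

    acceptor_name=None models the default acceptor credential: the name
    in the ticket selects the keytab entry. A non-None value models a
    credential bound to one name, which rejects tickets for any other.
    Returns (client, actual_acceptor_name); raises PermissionError."""
    sname = ticket["sname"]
    if acceptor_name is not None and sname != acceptor_name:
        raise PermissionError("ticket names a different acceptor")
    key = keytab.get(sname)
    if key is None:
        raise PermissionError("no keytab entry for " + sname)
    # Holding the right key is what proves the acceptor may use this name.
    if not hmac.compare_digest(seal(key, ticket["body"]), ticket["mac"]):
        raise PermissionError("ticket was not issued under the keytab key")
    # The caller learns the name only now, after the context is accepted,
    # and can check it before making per-virtual-host decisions.
    return ticket["body"].decode(), sname

if __name__ == "__main__":
    www2 = "host/www2.example.org@EXAMPLE.ORG"
    t = make_ticket(www2, "alice@EXAMPLE.ORG", KEYTAB[www2])
    print(accept(t, KEYTAB))
```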
