Stephen Frost wrote:
> * Magnus Hagander ([EMAIL PROTECTED]) wrote:
>> We enable the setting of the service name in the server configuration
>> file, but we never use that variable anywhere. We do, however, use the
>> service name on the client, in order to pick the correct key (and
>> turning this off makes GSSAPI no longer work).
>>
>> If this is correct, we should not enable that parameter on the server.
>> If it's not correct, we should be using it somewhere.
>
> Uh, shouldn't you be acquiring the server credentials before accepting
> the context? That'd be done using gss_acquire_cred(), which takes the
> service name (in gss_name_t structure) as an argument. That would then
> be passed in to gss_accept_sec_context() instead of using
> GSS_C_NO_CREDENTIAL (in port->gss->cred).

That's the direction I was thinking in. I just wanted to have it
confirmed. Henry, what's your take on this?

> I'm kind of surprised it's
> working without that and rather curious as to what it's doing under the
> hood to make that happen. :/

Most likely it's just checking the keytab to find a principal with the
same name as the one presented from the client. Since one is present, it
loads it up automatically, and verifies against it.

//Magnus
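
An added illustration, not code from this thread or from PostgreSQL: a simplified C model of the keytab lookup described above, showing why a server-side service name has no effect while the acceptor uses GSS_C_NO_CREDENTIAL, and what changes once the acceptor is bound to a credential for that name. The principals, key version numbers and `model_accept()` are constructed for the example, and no GSSAPI library is called.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Simplified model, not GSSAPI library code. All principals are constructed. */
struct keytab_entry { const char *principal; int kvno; };

static const struct keytab_entry keytab[] = {
    { "postgres/db.example.com@EXAMPLE.COM", 3 },
    { "host/db.example.com@EXAMPLE.COM",     7 },
};

enum accept_result { ACCEPT_OK, ACCEPT_WRONG_SERVICE, ACCEPT_NO_KEY };

/* Is there a key for this principal and key version in the keytab? */
static int keytab_has(const char *principal, int kvno)
{
    for (size_t i = 0; i < sizeof keytab / sizeof keytab[0]; i++)
        if (strcmp(keytab[i].principal, principal) == 0 &&
            keytab[i].kvno == kvno)
            return 1;
    return 0;
}

/*
 * bound_name == NULL models GSS_C_NO_CREDENTIAL: the acceptor takes the
 * service name from the client's ticket and only looks for a matching key.
 * A non-NULL bound_name models a credential obtained with
 * gss_acquire_cred() for that name: any other service name is refused.
 */
enum accept_result model_accept(const char *bound_name,
                                const char *ticket_sname, int ticket_kvno)
{
    if (bound_name != NULL && strcmp(bound_name, ticket_sname) != 0)
        return ACCEPT_WRONG_SERVICE;
    return keytab_has(ticket_sname, ticket_kvno) ? ACCEPT_OK : ACCEPT_NO_KEY;
}

int main(void)
{
    const char *configured = "postgres/db.example.com@EXAMPLE.COM";
    const char *other      = "host/db.example.com@EXAMPLE.COM";

    printf("default cred, host ticket:   %d\n", model_accept(NULL, other, 7));
    printf("bound cred, host ticket:     %d\n", model_accept(configured, other, 7));
    printf("bound cred, postgres ticket: %d\n", model_accept(configured, configured, 3));
    return 0;
}
```

In the model, a ticket for any principal that has a key in the keytab is accepted under the default credential, which is why the configured server-side name never comes into play.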