Stephen Frost wrote:
> * Magnus Hagander ([EMAIL PROTECTED]) wrote:
>> We enable the setting of the service name in the server configuration
>> file, but we never use that variable anywhere. We do, however, use the
>> service name on the client, in order to pick the correct key (and
>> turning this off makes GSSAPI no longer work).
>> If this is correct, we should not enable that parameter on the server.
>> If it's not correct, we should be using it somewhere.
> Uh, shouldn't you be acquiring the server credentials before accepting
> the context?  That'd be done using gss_acquire_cred(), which takes the
> service name (in gss_name_t structure) as an argument.  That would then
> be passed in to gss_accept_sec_context() instead of using
> GSS_C_NO_CREDENTIAL (in port->gss->cred). 

That's the direction I was thinking in. I just wanted to have it
confirmed. Henry, what's your take on this?

> I'm kind of suprised it's
> working without that and rather curious as to what it's doing under the
> hood to make that happen. :/

Most likely it's just checking the keytab to find a principal with the
same name as the one presented from the client. Since one is present, it
loads it up automatically, and verifies against it.


---------------------------(end of broadcast)---------------------------
TIP 9: In versions below 8.0, the planner will ignore your desire to
       choose an index scan if your joining column's datatypes do not

Reply via email to