Principal for service
Ken Raeburn
raeburn at MIT.EDU
Tue Feb 10 22:20:43 EST 2004
On Tuesday, Feb 10, 2004, at 21:48 US/Eastern, Russ Allbery wrote:
>> Is it necessary to add the service?
>
> It depends entirely on what your ftp server and client are using to do
> authentication. It looks like the version that comes with MIT tries
> ftp/hostname.example.com and then falls back on host/hostname.example.com
> if the former doesn't exist.

I believe this is what the ftp gssapi spec says to do -- try one, and
if it doesn't exist, use the other. (I believe the spec says you fall
back if the principal doesn't exist in the database, so if it's in the
database and wasn't added to the keytab, you're probably supposed to
lose. But I'd have to check the spec to be certain.)

In the general case, yes, you'd need to add the service principal to
both the database and the appropriate keytab file.

Ken