Final call for changes in 1.4

Douglas E. Engert deengert at
Tue Oct 19 09:51:14 EDT 2004

Sam Hartman wrote:
>>>>>>"Douglas" == Douglas E Engert <deengert at> writes:
>     Douglas> How quickly is the cutoff? Do I have till tomorrow at
>     Douglas> least?  
> Yes.
>     Douglas> One change that has come up on the lists from
>     Douglas> time to time is having the gssapi accept_sec_context
>     Douglas> accept a service ticket where it can find an entry in the
>     Douglas> keytab file for matching service name and instance but
>     Douglas> any realm.  (rlogin can do this.)  Currently it only
>     Douglas> works for the default realm of the host.
> Our recommended way of accomplishing this is to pass in
> GSS_C_NO_CREDENTIAL and then check the resulting authentication name.

But what you are saying is to change the application which is following the
GSSAPI specs  by acquiring creds with <service>@<host>
If you pass GSS_NO_CREDENTIAL to accept then any principal in the keytab
is acceptable.

I don't want to have to change the applications. With this mod, there
is no change to the applicaiton, and only principals
with <service>/<hostname> and any realm in the keytab are acceptable.

> I don't think we are interested in special casing the realm case
> although we would be interested in discussing a mechanism that allowed
> you to have multiple acceptor credentials you were checking against
> for the 1.5 release.
> This might also need discussion in kitten.

Yes its a problem with GSSAPI being to generic at times.
Will have to read Nico's draft.


  Douglas E. Engert  <DEEngert at>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the krbdev mailing list