Patch to ignore service principals when accepting connexions.

Luke Howard lukeh at
Wed Aug 25 18:11:29 EDT 2010

> Taking a look at the code, we only seem to use the service name in the
> ticket if the keytab operations vector doesn't include sequential gets.
> That's only true for the kdb keytab.

From rd_req_dec.c:

    if (server != NULL || keytab->ops->start_seq_get == NULL) {

Server is NULL for the default acceptor identity; this happens iff the acceptor credential is:

(b) a credential acquired for GSS_C_NO_NAME

From src/lib/gssapi/krb5/accept_sec_context.c:

    if ((code = krb5_rd_req(context, &auth_context, &ap_req,
                            cred->default_identity ? NULL : cred->name->princ,
                            &ticket))) {

(Really, (a) is a case of (b). See cred->default_identity being set in acquire_cred.c.)

-- Luke
