Re: Preliminary GSSAPI Patches

Stephen Frost wrote:
> * Magnus Hagander (magnus(at)hagander(dot)net) wrote:
>> We enable the setting of the service name in the server configuration
>> file, but we never use that variable anywhere. We do, however, use the
>> service name on the client, in order to pick the correct key (and
>> turning this off makes GSSAPI no longer work).
>>
>> If this is correct, we should not enable that parameter on the server.
>> If it's not correct, we should be using it somewhere.
>
> Uh, shouldn't you be acquiring the server credentials before accepting
> the context? That'd be done using gss_acquire_cred(), which takes the
> service name (in gss_name_t structure) as an argument. That would then
> be passed in to gss_accept_sec_context() instead of using
> GSS_C_NO_CREDENTIAL (in port->gss->cred).

That's the direction I was thinking in. I just wanted to have it
confirmed. Henry, what's your take on this?

> I'm kind of suprised it's
> working without that and rather curious as to what it's doing under the
> hood to make that happen. :/

Most likely it's just checking the keytab to find a principal with the
same name as the one presented from the client. Since one is present, it
loads it up automatically, and verifies against it.

//Magnus