On the heimdal-discuss mailing list, the patch below has been pretty heavily discussed:

On 2010-01-18 07:37, Alec Kloss wrote:
> On 2010-01-17 23:56, Jeffrey Hutzelman wrote:
> > --On Saturday, January 16, 2010 12:43:00 PM -0500 Ken Raeburn
> > <raeburn@xxxxxxx> wrote:
> >
> > >but I haven't tweaked the server side to see if the Cyrus IMAP server
> > >will accept a service principal name that isn't the one generated from
> > >the local host name.)
> >
> > Cyrus SASL, and thus the Cyrus IMAP server, can be configured to accept a
> > service principal name generated from an arbitrary hostname; it need not be
> > the same as the host's actual name. However, it cannot be configured to
> > accept multiple SPN's, or "any SPN for which I have a keytab entry", or
> > anything useful like that. That is, it insists on building a service name
> > and obtaining a credential for a specific service, rather than simply using
> > CSS_C_NO_CREDENTIAL like all right-thinking acceptors.
> >
> > :-(
> >
>
> Anyone have comments about this patch to SASL?
>
>
> --- ./plugins/gssapi.c.orig 2008-09-11 15:13:32.000000000 -0500 > +++ ./plugins/gssapi.c 2008-10-30 12:33:48.000000000 -0500 
> @@ -693,7 +693,7 @@ > > GSS_LOCK_MUTEX(params->utils); > maj_stat = gss_acquire_cred(&min_stat, > - text->server_name, > + GSS_C_NO_NAME, > GSS_C_INDEFINITE, > GSS_C_NO_OID_SET, > GSS_C_ACCEPT,
>
> --
> Alec Kloss alec@xxxxxxxxxxxxxxxxxx IM: daemonalec@xxxxxxxxx
> PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
> "No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon

No one there has come up with a compelling argument why it shouldn't be
applied to SASL in general, perhaps enhanced to allow an administrator to
specify a specific name to override the new default of GSS_C_NO_NAME.

Thoughts?

--
Alec Kloss alec@xxxxxxxxxxxxxxxxxx IM: daemonalec@xxxxxxxxx
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, http://wiki.adultswim.com/xwiki/bin/Frisky+Dingo/Simon
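
Review bot: the desired-name argument of gss_acquire_cred() at the changed line is now GSS_C_NO_NAME unconditionally, so the GSS_C_ACCEPT credential is no longer tied to one service principal and the plugin will accept a context for whatever the default acceptor credential covers, which is typically every entry in the keytab. On a host whose keytab also holds keys for other services, that widens what this server accepts with no way to narrow it again. Suggest passing text->server_name when the administrator has configured a name and falling back to GSS_C_NO_NAME only as the default, with a short comment at the call explaining why no name is given. It is also worth checking whether text->server_name is still needed once this call stops using it; the code that sets it is outside the visible context.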