On Thu, Jun 14, 2012 at 9:14 PM, Dan White <dwhite@xxxxxxx> wrote:
...snip...
> Another way to keep your principals straight is that you'll need a user
> principal where you will run the *test utilities, and a service principal
> on the server that the *test utility will connect to.
>
> The service principals will be initialized for you by libsasl2, and the
> user principals will need to be kinit'd via some other mechanism (like in
> your START/EVENTS section).
...snip...
> The frontend *will* need to have a non-service
> principal ticket initialized when performing gssapi authentication to the
> backend.

This is *exactly* what I continue to be confused about. Can't a service
principal be used on both client and server sides? To me a user should
only be a physical person that would log in, not a process.

For example, can the authenticated (mupdate client and backend)
mupdate/imap1.example.com@xxxxxxxxxxx connect to (mupdate server)
mupdate/murder.example.com@xxxxxxxxxxx? Why couldn't this happen?

Steve
----
Cyrus Home Page: http://www.cyrusimap.org/
List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus