GSSAPI for various murder component setups

Stephen Ingram sbingram at gmail.com
Sun Jun 17 21:04:15 EDT 2012


On Thu, Jun 14, 2012 at 9:14 PM, Dan White <dwhite at olp.net> wrote:

...snip...

> Another way to keep your principals straight is that you'll need a user
> principal where you will run the *test utilities, and a service principal
> on the server that the *test utility will connect to.
>
> The service principals will be initialized for you by libsasl2, and the
> user principals will need to be kinit'd via some other mechanism (like in
> your START/EVENTS section).

...snip...

> The frontend *will* need to have a non-service
> principal ticket initialized when performing gssapi authentication to the
> backend.

This is *exactly* what I continue to be confused about. Can't a
service principal be used on both client and server sides? To me a
user should only be a physical person that would log in, not a process.
For example, can the authenticated (mupdate client and backend)
mupdate/imap1.example.com@EXAMPLE.COM connect to (mupdate server)
mupdate/murder.example.com@EXAMPLE.COM? Why couldn't this happen?

Steve

