GSSAPI for various murder component setups

Stephen Ingram sbingram at
Sun Jun 17 21:04:15 EDT 2012

On Thu, Jun 14, 2012 at 9:14 PM, Dan White <dwhite at> wrote:


> Another way to keep your principals straight is that you'll need a user
> principal where you will run the *test utilities, and a service principal
> on the server that the *test utility will connect to.
> The service principals will be initialized for you by libsasl2, and the
> user principals will need to be kinit'd via some other mechanism (like in
> your START/EVENTS section).


> The frontend *will* need to have a non-service
> principal ticket initialized when performing gssapi authentication to the
> backend.

This is *exactly* what I continue to be confused about. Can't a
service principal be used on both client and server sides? To me a
user should only be a physical person that would log in, not a process.
For example, can the authenticated (mupdate client and backend)
mupdate/ at EXAMPLE.COM connect to (mupdate server)
mupdate/ at EXAMPLE.COM? Why couldn't this happen?

