From: Russ Allbery
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8332] gss_init_sec_context w/host@ fails with anonymous tickets
In-Reply-To: (Greg Hudson via's message of "Thu, 24 Dec 2015 02:27:03 -0500 (EST)")
Organization: The Eyrie
Date: Thu, 24 Dec 2015 09:24:18 -0800
Message-ID: <877fk3oj3x.fsf@hope.eyrie.org>

"Greg Hudson via RT" writes:

> We do have a hostrealm pluggable interface starting in 1.12, so in
> theory you could write a hostrealm module which supplies the service
> principal realm as an authoritative realm, perhaps using wildcard
> matching. Deploying such a module to all of the clients may not be
> attractive, depending on your environment.

Oh, interesting, thank you. That may very well be an option for us.

--
Russ Allbery (eagle@eyrie.org)