Return-Path: <eagle@eyrie.org>
Received: from haven.eyrie.org (haven.eyrie.org [166.84.7.159]) by krbdev.mit.edu (Postfix) with ESMTPS id CFB773F84A for <rt@krbdev.mit.edu>; Thu, 24 Dec 2015 12:24:20 -0500 (EST)
Received: from lothlorien.eyrie.org (unknown [96.90.234.101]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by haven.eyrie.org (Postfix) with ESMTPS id ED93E118192 for <rt@krbdev.mit.edu>; Thu, 24 Dec 2015 09:24:19 -0800 (PST)
Received: by lothlorien.eyrie.org (Postfix, from userid 1000) id AB0D5B41584; Thu, 24 Dec 2015 09:24:18 -0800 (PST)
From: Russ Allbery <eagle@eyrie.org>
To: rt@krbdev.mit.edu
Subject: Re: [krbdev.mit.edu #8332] gss_init_sec_context w/host@<hostname> fails with anonymous tickets
In-Reply-To: <rt-8332-45354.4.0371125190115@krbdev.mit.edu> (Greg Hudson via's message of "Thu, 24 Dec 2015 02:27:03 -0500 (EST)")
Organization: The Eyrie
References: <rt-8332-45354.4.0371125190115@krbdev.mit.edu>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/24.5 (gnu/linux)
Date: Thu, 24 Dec 2015 09:24:18 -0800
Message-ID: <877fk3oj3x.fsf@hope.eyrie.org>
MIME-Version: 1.0
Content-Type: text/plain
RT-Send-Cc: 
X-RT-Original-Encoding: iso-8859-1
Content-Length: 531

"Greg Hudson via RT" <rt-comment@krbdev.mit.edu> writes:

> We do have a hostrealm pluggable interface starting in 1.12, so in
> theory you could write a hostrealm module which supplies the service
> principal realm as an authoritative realm, perhaps using wildcard
> matching.  Deploying such a module to all of the clients may not be
> attractive, depending on your environment.

Oh, interesting, thank you.  That may very well be an option for us.

-- 
Russ Allbery (eagle@eyrie.org)              <http://www.eyrie.org/~eagle/>