Subject: | mismatch between client keytab default principal for kinit and GSS-API |
When client keytabs are used to automatically obtain initiator credentials for the GSS-API, we use
the heuristic of picking the first krb5 principal in the keytab as the GSS identity to use for the
initiator. However, 'kinit -k -i', though it uses the client keytab, defaults to attempting to get
credentials for host/[hostname]. This latter functionality is of questionable utility, and the
inconsistency between the two scenarios has potential for confusion. We should probably switch
the kinit behavior to match the gssapi behavior.
the heuristic of picking the first krb5 principal in the keytab as the GSS identity to use for the
initiator. However, 'kinit -k -i', though it uses the client keytab, defaults to attempting to get
credentials for host/[hostname]. This latter functionality is of questionable utility, and the
inconsistency between the two scenarios has potential for confusion. We should probably switch
the kinit behavior to match the gssapi behavior.