Hi Michael,

Thanks for having a look at this proposal.

On 10/29/19 12:35 PM, Osipov, Michael wrote:
> * In handleS4U2ProxyReferral():
>> + sname = new PrincipalName(PrincipalName.KRB_NT_PRINCIPAL,
>> + sname.getNameStrings(), sname.getRealm());
>
> Why do you use here KRB_NT_PRINCIPAL? Is that the assumption that in AD
> all services are bound to regular accounts compared to MIT Kerberos?
>

The backend PrincipalName is constructed from a string, so we really don't know the type and KRB_NT_UNKNOWN is used. I've not found any issue in my tests with KRB_NT_PRINCIPAL but it should look less arbitrary to keep KRB_NT_UNKNOWN. I'll do some more testing and change it if there are no issues.

> client1@REALM => HTTP/host@REALM where HTTP/host@REALM is bound to
> srv$@REALM => postgres/host2@REALM and the transition is done with
> srv$@REALM?
>

I'm not sure of what you mean here. Can you please elaborate a bit more?

Kind regards,
Martin.-
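
Review bot: In the quoted handleS4U2ProxyReferral() lines, the rebuilt sname is given a hard-coded PrincipalName.KRB_NT_PRINCIPAL while its name strings and realm are copied from the existing sname, so whatever name type the original carried is dropped with no stated reason. Either carry the original type over or keep KRB_NT_UNKNOWN, and add a short comment at the assignment explaining why the type is set there.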