Hi Michael,

On 11/3/19 4:54 PM, Michael Osipov wrote:
>
> Yes, sure. The spot just made me wonder. My understanding for S4U2self
> (my knowledge is limited to the AD KDC, may be different in MIT
> Kerberos). You may or may not sign onto a service with Kerberos, the
> service (HTTP/host@REALM) knows your UPN (client1@REALM). Now the
> service wants to connect to a PostgreSQL DB with your credentials by
> using S4U2self and then S4U2proxy. Since the SPN HTTP/host@REALM is
> bound to either a machine account (server1$@REALM) or service account
> (service@REALM) you have to impersonate with that account and not with
> the SPN, then as soon as you have the TGT, you can request the service
> ticket for the target service.
> The confusion was 'sname' combined with 'PrincipalName.KRB_NT_PRINCIPAL'.
>
Thanks for your clarification. My understanding is that you are referring to line 546 of webrev.01 [1]. 'sname' is the backend service name. As you well pointed out, it won't be of KRB_NT_PRINCIPAL type. In addition to that, there is no need to create a new sname PrincipalName there because we can use the instance received by parameter and it is not mutable. This has been addressed in webrev.02 [2].

Thanks,
Martin.-

--
[1] - http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.01/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
[2] - http://cr.openjdk.java.net/~mbalao/webrevs/8005819/8005819.webrev.02/src/java.security.jgss/share/classes/sun/security/krb5/internal/CredentialsUtil.java.sdiff.html
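The flow Michael describes (the service authenticates with its own account, performs S4U2self to get a credential on behalf of the user, then S4U2proxy to reach the backend) maps onto the public JGSS API as follows. This is an added illustration, not code from the webrev or from either participant; the JAAS entry name `ServiceLogin`, the user principal `client1@REALM` and the backend host-based name `postgres@db.example.com` are placeholders that must be replaced for a real realm, and the KDC must have constrained delegation configured for the service account.

```java
import com.sun.security.jgss.ExtendedGSSCredential;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import java.security.PrivilegedExceptionAction;

/**
 * Constrained delegation from a front-end service to a backend via JGSS.
 * Assumes a JAAS configuration entry "ServiceLogin" (placeholder) that uses
 * Krb5LoginModule with the keytab of the account owning HTTP/host@REALM.
 */
public class ConstrainedDelegationDemo {

    // Placeholder names; adjust to the realm in use.
    static final String CLIENT_UPN = "client1@REALM";
    static final String BACKEND_SERVICE = "postgres@db.example.com";
    static final Oid KRB5_MECH;

    static {
        try {
            KRB5_MECH = new Oid("1.2.840.113554.1.2.2"); // Kerberos V5 mechanism OID
        } catch (Exception e) {
            throw new ExceptionInInitializerError(e);
        }
    }

    public static void main(String[] args) throws Exception {
        // Step 1: the service logs in with its OWN account (machine or service account),
        // not with the SPN string. This yields the service's TGT.
        LoginContext lc = new LoginContext("ServiceLogin");
        lc.login();
        Subject serviceSubject = lc.getSubject();

        byte[] apReq = Subject.doAs(serviceSubject, (PrivilegedExceptionAction<byte[]>) () -> {
            GSSManager mgr = GSSManager.getInstance();

            // Credential backed by the service account's TGT.
            GSSCredential selfCred = mgr.createCredential(
                    null, GSSCredential.DEFAULT_LIFETIME, KRB5_MECH, GSSCredential.INITIATE_ONLY);

            // Step 2: S4U2self. Ask the KDC for a ticket to ourselves on behalf of the user.
            GSSName user = mgr.createName(CLIENT_UPN, GSSName.NT_USER_NAME, KRB5_MECH);
            GSSCredential onBehalfOfUser = ((ExtendedGSSCredential) selfCred).impersonate(user);

            // Step 3: S4U2proxy. Initiating a context to the backend with the impersonated
            // credential makes the KDC issue the backend service ticket as the user. The
            // backend name is host-based (service@host); it is not a KRB_NT_PRINCIPAL name.
            GSSName backend = mgr.createName(BACKEND_SERVICE, GSSName.NT_HOSTBASED_SERVICE, KRB5_MECH);
            GSSContext ctx = mgr.createContext(backend, KRB5_MECH, onBehalfOfUser,
                    GSSContext.DEFAULT_LIFETIME);
            ctx.requestMutualAuth(true);
            ctx.requestIntegrity(true);

            // First token is the AP-REQ carrying the backend ticket issued for the user.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("Initiator name seen by backend: " + ctx.getSrcName());
            return token;
        });

        System.out.println("AP-REQ token length: " + apReq.length + " bytes");
    }
}
```

The backend would accept `apReq` with its own `GSSContext.acceptSecContext` and see `client1@REALM` as the peer, which is the whole point of the exchange; the KDC only issues that ticket if the front-end account is allowed to delegate to `postgres@db.example.com`, so reviewing the delegation list on the service account is the control to audit.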