Re: local kerberos authentication?

From: Stephen Frost
Subject: Re: local kerberos authentication?
Msg-id 20070710101456.GZ4887@tamriel.snowman.net
In response to: local kerberos authentication?  (Peter Koczan <pjkoczan@gmail.com>)
List: pgsql-admin
* Peter Koczan (pjkoczan@gmail.com) wrote:
> If I change the method to trust, it works, so it looks like krb5 isn't
> supported for local connections, at least not on the surface. I'd also like
> to get away from trust authentication because of the wonderful security
> problems it entails.

'local' in this case means 'unix socket'.  Kerberos does a reverse-DNS
lookup on the IP address it's going to connect to in order to figure out
what service princ to ask the KDC for.  That doesn't work for unix
sockets.

> Has anyone done this? Is this even possible? It's not a huge deal if it
> can't be done, but I'd like to know.

Can't be done as far as I'm aware because Kerberos doesn't know what
princ to use.  I'm not sure if any of the Kerberos folks have really
looked into making it work, it might be possible to just use the fqdn or
some such.  You might google around for 'kerberos over unix sockets' or
ask folks on the Kerberos lists.

    Thanks,

        Stephen
