I've done some investigation into this, and I don't think this feature is feasible. It appears that the relevant call down to gss_import_name in Cyrus SASL uses GSS_C_NT_HOSTBASED_SERVICE. Per libkrb5's documentation (http://web.mit.edu/kerberos/krb5-devel/doc/appdev/gssapi.html):
"""
GSS_C_NT_HOSTBASED_SERVICE: The value should be a string of the form service or service@hostname. This is the most common way to name target services when initiating a security context, and is the most likely name type to work across multiple mechanisms.
"""
So, libkrb5 is going to be receiving a hostname from which it will attempt to derive the realm. There doesn't seem to be a clear way to override this derivation from the shell's code. However, if DNS resolution or KDC referrals are not sufficient, it is possible to configure krb5.conf's 'domain_realm' section. For my testing on my own machine, I was able to use a statement like:

    [domain_realm]
        localhost.localdomain = REALM_TWO

Given that this feature request conflicts with the current structure of third party libraries, and there is a way to achieve the desired behaviour via configuration file changes, I am closing this ticket.
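
The mapping discussed in the comment above, as an added example that is not part of the original comment and is not libkrb5 code: a simplified Python model of how a [domain_realm] section resolves the host part of a service@hostname name to a realm. The sample configuration, the `.example.test` entry, the function names and the lookup order (full host name first, then each parent domain with and without a leading dot) are assumptions made for illustration.

```python
# Added illustration: simplified model of a krb5.conf [domain_realm] lookup.
import re

# Constructed sample; only the localhost.localdomain line comes from the page.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = REALM_ONE

[domain_realm]
    localhost.localdomain = REALM_TWO
    .example.test = REALM_ONE
"""

def parse_domain_realm(text):
    """Return the [domain_realm] relations as a dict with lowercased keys."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
        elif section == "domain_realm" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            mapping.setdefault(key.lower(), value)  # keep the first relation
    return mapping

def realm_for_host(hostname, mapping):
    """Return (matched_key, realm), or (None, None) if nothing is mapped."""
    candidate = hostname.lower().rstrip(".")
    while candidate:
        if candidate in mapping:
            return candidate, mapping[candidate]
        if candidate.startswith("."):
            candidate = candidate[1:]          # ".b.c" -> "b.c"
        else:
            dot = candidate.find(".")
            candidate = candidate[dot:] if dot != -1 else ""  # "a.b.c" -> ".b.c"
    return None, None

def realm_for_service(name, mapping):
    """Map a service@hostname string to a realm via the static table only."""
    _service, _, host = name.partition("@")
    # None means no static entry; DNS or KDC referrals would decide instead.
    return realm_for_host(host, mapping)[1]
```
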