home | help | back | first | fref | pref | prev | next | nref | lref | last | post |
Message-ID: <54085BF3.60802@rug.nl> Date: Thu, 04 Sep 2014 14:32:51 +0200 From: Jurjen Bokma <j.bokma@rug.nl> MIME-Version: 1.0 To: Cedric Blancher <cedric.blancher@gmail.com> In-Reply-To: <CALXu0Ufa166-PocKOOMBSF6yONaMxyUMHQmLA8NuSda9sE8PVQ@mail.gmail.com> Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>, "<kerberos@mit.edu>" <kerberos@mit.edu> Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: kerberos-bounces@mit.edu On 09/04/2014 01:25 PM, Cedric Blancher wrote: > On 4 September 2014 11:33, Jurjen Bokma <j.bokma@rug.nl> wrote: >> You use cross realm authentication, so that your NFS client may obtain >> tickets for servers that are not in its own realm. > > What if I cannot use cross realm authentication? For example if both > realms do not like each other? > What if I really have to kinit into multiple realms? Kerberos since > 1.10 can do that and klist now has a new flag -A to list all entries > if KRB5CCNAME points to a directory, e.g. > KRB5CCNAME=DIR:/tmp/krbcc$UID/ > > Ced > I tried that about a year ago, and failed to make it work. As far as I know, gssd always picks the same key to authenticate with. I did offer a patch on this list a couple of weeks ago that uses a krb5.conf appdefaults option to configure *which* key, but that one still doesn't make it possible to pick a different key for different shares. Sorry Jurjen ________________________________________________ Kerberos mailing list Kerberos@mit.edu https://mailman.mit.edu/mailman/listinfo/kerberos
home | help | back | first | fref | pref | prev | next | nref | lref | last | post |