[36427] in Kerberos
Re: How to use NFS with multiple principals in different realms?
daemon@ATHENA.MIT.EDU (Jurjen Bokma)
Thu Sep 4 12:03:26 2014
Message-ID: <54085BF3.60802@rug.nl>
Date: Thu, 04 Sep 2014 14:32:51 +0200
From: Jurjen Bokma <j.bokma@rug.nl>
MIME-Version: 1.0
To: Cedric Blancher <cedric.blancher@gmail.com>
In-Reply-To: <CALXu0Ufa166-PocKOOMBSF6yONaMxyUMHQmLA8NuSda9sE8PVQ@mail.gmail.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
"<kerberos@mit.edu>" <kerberos@mit.edu>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu
On 09/04/2014 01:25 PM, Cedric Blancher wrote:
> On 4 September 2014 11:33, Jurjen Bokma <j.bokma@rug.nl> wrote:
>> You use cross realm authentication, so that your NFS client may obtain
>> tickets for servers that are not in its own realm.
>
> What if I cannot use cross realm authentication? For example if both
> realms do not like each other?
> What if I really have to kinit into multiple realms? Kerberos since
> 1.10 can do that and klist now has a new flag -A to list all entries
> if KRB5CCNAME points to a directory, e.g.
> KRB5CCNAME=DIR:/tmp/krbcc$UID/
>
> Ced
>
I tried that about a year ago, and failed to make it work.
As far as I know, gssd always picks the same key to authenticate with. I
did offer a patch on this list a couple of weeks ago that uses a
krb5.conf appdefaults option to configure *which* key, but that one
still doesn't make it possible to pick a different key for different shares.
Sorry
Jurjen
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
