[32880] in Kerberos


Re: multiple principals in one cache?

daemon@ATHENA.MIT.EDU (Russ Allbery)
Wed Nov 10 17:31:35 2010

From: Russ Allbery <rra@stanford.edu>
To: Abe Singer <abe@ligo.caltech.edu>
In-Reply-To: <20101110222239.GB26076@ligo.caltech.edu> (Abe Singer's message
	of "Wed, 10 Nov 2010 14:22:40 -0800")
Date: Wed, 10 Nov 2010 14:31:17 -0800
Message-ID: <874obooloq.fsf@windlord.stanford.edu>
MIME-Version: 1.0
Cc: kerberos@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: kerberos-bounces@mit.edu

Abe Singer <abe@ligo.caltech.edu> writes:

> According to kinit(1), when doing a kinit "Any existing tickets for
> _principal_ are overwritten."  However, we've found that *all* tickets
> are destroyed.  So if one does a kinit for user@REALM-1, then does a
> kinit for user@REALM-2, the tickets for user@REALM-1 get deleted from
> the cache.

> We'd *like* to be able to kinit multiple principals for use with services
> in different realms (e.g. working realm and test realm).  Is the
> behavior we're seeing intentional (and the documentation is buggy) or a
> bug?

It's just not supported by the ticket cache format and ticket manager that
is used by default on UNIX.  The Kerberos implementations generally have
some support for this in other ticket cache types, and there have been
various proposals for how to store multiple principals in FILE caches, but
as yet I don't think any of that work is complete and usable.

The hard problem isn't so much how to store the data as it is how to
choose which ticket to use.  If you have tickets for multiple realms, you
have to figure out, when accessing a service, which of them to use.  I
think that's handled in the non-FILE ticket cache types, by recording a
current "default" identity somewhere, but I don't think any of that has
been implemented yet for the UNIX FILE ticket cache formats.

I may have missed a development in this area, though.

-- 
Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
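As an added illustration of the structural point Russ makes (not code from the thread or from MIT Kerberos itself), the following Python builds and parses a minimal version-4 FILE credential cache. The layout it uses is the documented MIT FILE ccache format: a 16-bit version, a tagged header, exactly one default-principal record, then a sequence of credentials. Because the only identity slot in the file is that single default principal, there is nowhere for a second "current" identity to live, which is the limitation Russ describes. All sample principals and realms below are constructed for the example; the builder writes zero-length keys and tickets and is not a real cache.

```python
import struct

CCACHE_V4 = 0x0504      # file_format_version for the v4 FILE ccache
TAG_DELTATIME = 0x0001  # the one header tag MIT defines (KDC clock offset)


def _data(b):
    """32-bit big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _principal(realm, components, name_type=1):
    """v3/v4 principal: name_type, component count, realm, then each component."""
    out = struct.pack(">II", name_type, len(components)) + _data(realm.encode())
    for c in components:
        out += _data(c.encode())
    return out


def build_ccache(default_principal, creds):
    """Serialise a v4 cache: version, header, ONE default principal, credentials.

    default_principal is (realm, [components]); creds is a list of
    (client, server) pairs in the same shape.  Keys and tickets are left
    empty because only the structure matters for this example (constructed).
    """
    hdr = struct.pack(">HH", TAG_DELTATIME, 8) + struct.pack(">II", 0, 0)
    out = struct.pack(">HH", CCACHE_V4, len(hdr)) + hdr
    out += _principal(*default_principal)           # the single identity slot
    for client, server in creds:
        out += _principal(*client) + _principal(*server)
        out += struct.pack(">H", 18) + _data(b"")   # keyblock: enctype 18, empty key
        out += struct.pack(">IIII", 0, 0, 0, 0)     # authtime, starttime, endtime, renew_till
        out += b"\x00" + struct.pack(">I", 0)       # is_skey, ticket_flags
        out += struct.pack(">I", 0)                 # address count
        out += struct.pack(">I", 0)                 # authdata count
        out += _data(b"") + _data(b"")              # ticket, second_ticket
    return out


class _Reader:
    def __init__(self, buf):
        self.buf, self.pos = buf, 0

    def take(self, n):
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ccache")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self):  return self.take(1)[0]
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def data(self): return self.take(self.u32())

    def principal(self):
        self.u32()                       # name_type (not needed for display)
        n = self.u32()
        realm = self.data().decode()
        comps = [self.data().decode() for _ in range(n)]
        return "/".join(comps) + "@" + realm

    def eof(self):
        return self.pos >= len(self.buf)


def parse_ccache(buf):
    """Return the single default principal and the (client, server) of each credential."""
    r = _Reader(buf)
    if r.u16() != CCACHE_V4:
        raise ValueError("only the v4 FILE ccache layout is handled here")
    r.take(r.u16())                      # skip header tags (deltatime)
    default = r.principal()              # exactly one of these per file
    creds = []
    while not r.eof():
        client, server = r.principal(), r.principal()
        r.u16(); r.data()                # keyblock enctype + key
        r.take(16)                       # four 32-bit timestamps
        r.u8(); r.u32()                  # is_skey, ticket_flags
        for _ in range(r.u32()): r.u16(); r.data()   # addresses
        for _ in range(r.u32()): r.u16(); r.data()   # authdata
        r.data(); r.data()               # ticket, second_ticket
        creds.append((client, server))
    return {"default_principal": default, "credentials": creds}


def is_well_formed(buf):
    """True when the whole buffer parses as one v4 cache (no trailing garbage or truncation)."""
    try:
        parse_ccache(buf)
        return True
    except (ValueError, struct.error):
        return False


# Constructed sample: one default identity and its TGT for a fictitious realm.
SAMPLE_CCACHE = build_ccache(
    ("REALM-1.EXAMPLE", ["user"]),
    [(("REALM-1.EXAMPLE", ["user"]), ("REALM-1.EXAMPLE", ["krbtgt", "REALM-1.EXAMPLE"]))],
)

if __name__ == "__main__":
    print(parse_ccache(SAMPLE_CCACHE))
```

The parser deliberately reads every credential's client principal, so you can see that the credential records themselves carry a client name while the file still offers only one default-principal field at the top; that single field is what the library consults when choosing an identity, and it is the part the non-FILE cache types extend.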
