[19707] in Kerberos


Re: Can credentials from different realms be put in the same

daemon@ATHENA.MIT.EDU (Mark Montague)
Thu Jul 31 11:34:33 2003

Date: Thu, 31 Jul 2003 11:33:02 -0400 (EDT)
From: Mark Montague <markmont@umich.edu>
To: Grace Tsai <gtsai@bnl.gov>
In-Reply-To: <3F292C60.21F1D251@bnl.gov>
Message-ID: <Pine.SOL.4.33.0307311108330.25268-100000@mozi.lsait.lsa.umich.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: kerberos questions <kerberos@mit.edu>
Errors-To: kerberos-bounces@mit.edu

On Thu, 31 Jul 2003, Grace Tsai wrote:

> We have three different realms listed in our krb5.conf file.
> How can we let users keep credentials given by different realms
> into the same /tmp/krb5cc_<uid> file?

Some Kerberized applications or utilities may have trouble dealing with
credentials cache files containing tickets from multiple realms, but
if so then this would be either deliberately by design or because of
bad assumptions made by those programs.  There is nothing in the format
of the credentials cache file that precludes this.  One of my credentials
caches currently contains:

sirus# klist -5 /ticket/krb5cc_apache_5366
Ticket cache: FILE:/ticket/krb5cc_apache_5366
Default principal: markmont/www@UMICH.EDU

Valid starting     Expires            Service principal
07/31/03 09:52:18  07/31/03 11:52:18  krbtgt/UMICH.EDU@UMICH.EDU
07/31/03 09:52:15  08/04/03 09:52:15  krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU
        for client markmont/www@LSA.UMICH.EDU
07/31/03 09:52:15  08/04/03 09:52:15  afs@LSA.UMICH.EDU
        for client markmont/www@LSA.UMICH.EDU
07/31/03 09:52:19  07/31/03 11:52:18  afs@UMICH.EDU
sirus#

...and this works fine.  This credentials cache file was not created
by kinit, however -- this credentials cache was created by one of our
in-house applications, using the MIT Kerberos 5 libraries and API.  The
Kerberized applications that I've tested with have no problem
understanding multiple realms in a single credentials cache file, but
it wouldn't surprise me at all to find some programs that can't handle
this.

kinit from MIT Kerberos 5 version 1.2.5 is one of the programs that
can't handle multiple realms in a single credentials cache, but this
is by design:  the kinit(1) manpage says:

    Any existing contents of the cache are destroyed by kinit.

...and so of course the following sort of thing doesn't work:

mozi% kinit -c /ticket/krb5cc_5366 markmont@LSA.UMICH.EDU
Password for markmont@LSA.UMICH.EDU:
mozi% klist -5 /ticket/krb5cc_5366
Ticket cache: FILE:/ticket/krb5cc_5366
Default principal: markmont@LSA.UMICH.EDU

Valid starting     Expires            Service principal
07/31/03 11:22:18  07/31/03 21:22:22  krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU
mozi% kinit -c /ticket/krb5cc_5366 markmont@UMICH.EDU
Password for markmont@UMICH.EDU:
mozi% klist -5 /ticket/krb5cc_5366
Ticket cache: FILE:/ticket/krb5cc_5366
Default principal: markmont@UMICH.EDU

Valid starting     Expires            Service principal
07/31/03 11:22:38  07/31/03 21:22:38  krbtgt/UMICH.EDU@UMICH.EDU
mozi%

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                markmont@umich.edu
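As an added example (not code from Mark's post, nor from MIT Kerberos itself), here is a small Python reader for the version 4 FILE: credential cache layout, run over a constructed cache that holds krbtgt entries for UMICH.EDU and LSA.UMICH.EDU like the one listed above. The sample bytes contain no real keys or tickets; the point is that each credential carries its own client and server realm, and nothing in the file format ties the cache to a single realm.

```python
import struct

def _data(buf, pos):                 # u32 length-prefixed byte string
    n = struct.unpack(">I", buf[pos:pos + 4])[0]
    return buf[pos + 4:pos + 4 + n], pos + 4 + n
def _principal(buf, pos):            # u32 name_type, u32 count, realm, components
    ncomp = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
    realm, pos = _data(buf, pos + 8)
    comps = []
    for _ in range(ncomp):
        c, pos = _data(buf, pos)
        comps.append(c.decode())
    return "/".join(comps) + "@" + realm.decode(), pos
def _skip_seq(buf, pos):             # u32 count of (u16 type, data) records
    count = struct.unpack(">I", buf[pos:pos + 4])[0]
    pos += 4
    for _ in range(count):
        _, pos = _data(buf, pos + 2)
    return pos

def ccache_entries(buf):             # -> (default principal, [(client, server), ...])
    if buf[:2] != b"\x05\x04":
        raise ValueError("only ccache format version 4 is handled here")
    pos = 4 + struct.unpack(">H", buf[2:4])[0]      # skip header tag/value fields
    default, pos = _principal(buf, pos)
    creds = []
    while pos < len(buf):
        client, pos = _principal(buf, pos)
        server, pos = _principal(buf, pos)
        _, pos = _data(buf, pos + 2)                # keyblock: u16 enctype + key data
        pos += 16 + 1 + 4                           # four u32 times, is_skey, ticket flags
        pos = _skip_seq(buf, _skip_seq(buf, pos))   # addresses, then authdata
        _, pos = _data(buf, pos)                    # ticket
        _, pos = _data(buf, pos)                    # second ticket
        creds.append((client, server))
    return default, creds

def realms_in_cache(buf):            # distinct service-principal realms in the cache
    return sorted({server.rsplit("@", 1)[1] for _, server in ccache_entries(buf)[1]})

# Constructed sample cache (no real keys or tickets), mirroring the klist output above.
def _p(s):                           # encode a principal name@REALM
    name, realm = s.rsplit("@", 1)
    parts = [realm.encode()] + [c.encode() for c in name.split("/")]
    return struct.pack(">II", 1, len(parts) - 1) + b"".join(struct.pack(">I", len(x)) + x for x in parts)
def _cred(client, server):           # empty key, zero times/flags, no addresses, authdata or tickets
    return _p(client) + _p(server) + bytes(2 + 4 + 16 + 1 + 4 + 4 + 4 + 4 + 4)
SAMPLE = (b"\x05\x04\x00\x00" + _p("markmont/www@UMICH.EDU")
          + _cred("markmont/www@UMICH.EDU", "krbtgt/UMICH.EDU@UMICH.EDU")
          + _cred("markmont/www@LSA.UMICH.EDU", "krbtgt/LSA.UMICH.EDU@LSA.UMICH.EDU"))
```

Pointing `ccache_entries` at the bytes of a real `/tmp/krb5cc_<uid>` file (version 4 only) lists every credential with its realm, which is a quick way to confirm whether a given tool has kept or discarded entries from another realm.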



________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
