[19709] in Kerberos
Re: Can credentials from different realms be put in the same
daemon@ATHENA.MIT.EDU (Cesar Garcia)
Thu Jul 31 12:23:56 2003
Message-ID: <16169.16939.875705.745037@limus.ms.com>
Date: Thu, 31 Jul 2003 12:22:03 -0400
From: Cesar Garcia <Cesar.Garcia@morganstanley.com>
To: Grace Tsai <gtsai@bnl.gov>
In-Reply-To: <3F292C60.21F1D251@bnl.gov>
cc: kerberos questions <kerberos@mit.edu>

This is really impractical, since most applications attempt to use
tickets for the default principal named in the ticket. Unless [all of]
your applications intend to explicitly acquire credentials for a named
[client] principal, a single credentials cache is going to be
difficult.

My personal recommendation would be:

1 - use a single realm if politics and other factors permit (if you've
already set up three realms, then there are factors prohibiting you
from doing this).

2 - have each of your users belong to a single realm and enable trust
across realms (note, some apps only authorize users in the local
realm). In this case each user will have a single identity, not three.

3 - have users use separate credential cache files for each realm
(defined via KRB5CCNAME). If you can figure out a way to automate
this for your users, you'll save them huge headaches.

>>>>> "Grace" == Grace Tsai <gtsai@bnl.gov> writes:
Grace> Hi,
Grace> We have three different realms listed in our krb5.conf file.
Grace> How can we let users keep credentials given by different realms
Grace> into the same /tmp/krb5cc_<uid> file?
Grace> Thanks in advance.
Grace> Grace
Grace> ________________________________________________
Grace> Kerberos mailing list Kerberos@mit.edu
Grace> https://mailman.mit.edu/mailman/listinfo/kerberos
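One way to automate option 3 from the reply above, as an added example that is not part of the original message: a POSIX shell wrapper that derives a separate FILE: cache per realm and sets KRB5CCNAME only for the command it runs. The function names, the KRB5CC_DIR variable and the example realm names are hypothetical; KRB5CCNAME, kinit and klist are the standard Kerberos ones.

```shell
# Source this from the user's shell profile.

# Print the realm part of a principal (text after the last '@').
realm_of() {
    case $1 in
        *@?*) printf '%s\n' "${1##*@}" ;;
        *)    echo "no realm in principal: $1" >&2; return 1 ;;
    esac
}

# Print the cache name for a realm: FILE:<dir>/krb5cc_<uid>_<REALM>.
# The realm ends up in a file name, so reject anything other than
# letters, digits, '.' and '-' (in particular '/').
ccache_for_realm() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "invalid realm: $1" >&2; return 1 ;;
    esac
    printf 'FILE:%s/krb5cc_%s_%s\n' "${KRB5CC_DIR:-/tmp}" "$(id -u)" "$1"
}

# Run a command against one realm's cache without changing the
# caller's own KRB5CCNAME.
with_realm() {
    wr_realm=$1
    shift
    wr_cc=$(ccache_for_realm "$wr_realm") || return 1
    env KRB5CCNAME="$wr_cc" "$@"
}

# Get tickets for user@REALM into that realm's own cache.
kinit_realm() {
    kr_realm=$(realm_of "$1") || return 1
    with_realm "$kr_realm" kinit "$1"
}

# Typical use (realm names are constructed examples):
#   kinit_realm alice@REALM1.EXAMPLE
#   kinit_realm alice@REALM2.EXAMPLE
#   with_realm REALM1.EXAMPLE klist
#   with_realm REALM2.EXAMPLE ssh host.realm2.example
```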