[24357] in Kerberos
Re: Do multiple kerberos enabled services on a machine share the
daemon@ATHENA.MIT.EDU (John Hascall)
Sat Jul 30 18:56:50 2005
Message-Id: <200507302256.RAA29588@malison.ait.iastate.edu>
To: x_coder@hotmail.com
In-reply-to: Your message of 30 Jul 2005 11:51:34 -0700.
<1122749494.372630.298790@o13g2000cwo.googlegroups.com>
Date: Sat, 30 Jul 2005 17:56:03 CDT
From: John Hascall <john@iastate.edu>
cc: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
> Hi,
> Do all services running on a server share the same long term key in the
> KDC.
They could in theory, but this is not how it is normally done.
> What I mean is, lets say on a server that is part of a domain that is
> running say a file server and a email server, both of which use the
> kerberos protocol... Will a client wishing to communicate with both
> services be able to just use the same kerberos ticket?
If the user has a valid "TGT" ticket, the client can get the
service ticket it needs to authenticate with the server without
action from the user. So, from this aspect, yes, get one TGT
and everything is good, but under the covers there are usually
separate tickets for each (service, server) pair. For example:
> klist
Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616
Default principal: john@IASTATE.EDU
Valid starting Expires Service principal
07/25/05 08:17:58 08/01/05 08:17:58 krbtgt/IASTATE.EDU@IASTATE.EDU
07/25/05 09:04:30 08/01/05 08:17:58 host/trusty.ait.iastate.edu@IASTATE.EDU
07/29/05 09:15:47 08/01/05 08:17:58 host/print-2.iastate.edu@IASTATE.EDU
07/30/05 17:54:20 08/01/05 08:17:58 accountd/moira.iastate.edu@IASTATE.EDU
07/30/05 17:54:44 08/01/05 08:17:58 accountd/lambda.it.iastate.edu@IASTATE.EDU
John
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
