[24382] in Kerberos


Re: Do multiple kerberos enabled services on a machine share the

daemon@ATHENA.MIT.EDU (x_coder@hotmail.com)
Mon Aug 1 14:16:57 2005

From: x_coder@hotmail.com
Date: 1 Aug 2005 10:54:21 -0700
Message-ID: <1122918861.137710.141510@z14g2000cwz.googlegroups.com>
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu

Perfect... thanks John.

So when my principal (i.e. my server) joins a domain, I will still see
only one entry for that principal on the KDC (for example under Active
Directory users and computers list) even though that principal is
hosting two different services, right?

And to talk to either of these services, a separate ticket is derived
from the TGT

Thanks
Lyle


John Hascall wrote:
> > Hi,
> > Do all services running on a server share the same long term key in the
> > KDC?
>
> They could in theory, but this is not how it is normally done.
>
> > What I mean is, let's say on a server that is part of a domain that is
> > running say a file server and a email server, both of which use the
> > kerberos protocol...  Will a client wishing to communicate with both
> > services be able to just use the same kerberos ticket?
>
> If the user has a valid "TGT" ticket, the client can get the
> service ticket it needs to authenticate with the server without
> action from the user.  So, from this aspect, yes, get one TGT
> and everything is good, but under the covers there are usually
> separate tickets for each (service, server) pair.  For example:
>
> > klist
> Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616
> Default principal: john@IASTATE.EDU
>
> Valid starting     Expires            Service principal
> 07/25/05 08:17:58  08/01/05 08:17:58  krbtgt/IASTATE.EDU@IASTATE.EDU
> 07/25/05 09:04:30  08/01/05 08:17:58  host/trusty.ait.iastate.edu@IASTATE.EDU
> 07/29/05 09:15:47  08/01/05 08:17:58  host/print-2.iastate.edu@IASTATE.EDU
> 07/30/05 17:54:20  08/01/05 08:17:58  accountd/moira.iastate.edu@IASTATE.EDU
> 07/30/05 17:54:44  08/01/05 08:17:58  accountd/lambda.it.iastate.edu@IASTATE.EDU
>
>
> John
> ________________________________________________
> Kerberos mailing list           Kerberos@mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
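
An added example, not part of the original thread: a small parser for `klist` output in the layout quoted above, which separates the TGT from the service tickets and groups the service tickets by host, so that a host running two Kerberized services shows up with one ticket per service. The cache contents, realm, host names and service names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the same layout as the klist output quoted above;
# the realm, host names, services and times are made up for illustration.
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: alice@EXAMPLE.COM

Valid starting     Expires            Service principal
07/25/05 08:17:58  08/01/05 08:17:58  krbtgt/EXAMPLE.COM@EXAMPLE.COM
07/25/05 09:04:30  08/01/05 08:17:58  cifs/srv1.example.com@EXAMPLE.COM
07/25/05 09:05:12  08/01/05 08:17:58  imap/srv1.example.com@EXAMPLE.COM
07/29/05 09:15:47  08/01/05 08:17:58  host/print.example.com@EXAMPLE.COM
"""

# One table row: "<date> <time>  <date> <time>  <principal>"
ROW = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)$")

def parse_klist(text):
    """Return (tgts, services_by_host) from klist text output."""
    tgts, by_host = [], defaultdict(list)
    in_table = False
    for line in text.splitlines():
        if line.startswith("Valid starting"):
            in_table = True          # rows follow the column header
            continue
        m = ROW.match(line.strip()) if in_table else None
        if not m:
            continue                 # blank lines, cache header, etc.
        principal = m.group(3)
        name = principal.rsplit("@", 1)[0]        # drop the realm if present
        service, _, instance = name.partition("/")
        if service == "krbtgt":
            tgts.append(principal)                # the ticket-granting ticket
        else:
            by_host[instance].append(service)     # one ticket per (service, host)
    return tgts, dict(by_host)

def shared_hosts(by_host):
    """Hosts for which the cache holds more than one service ticket."""
    return {h: sorted(s) for h, s in by_host.items() if len(s) > 1}

if __name__ == "__main__":
    tgts, by_host = parse_klist(SAMPLE_KLIST)
    print("TGT:", tgts)
    for host, services in sorted(by_host.items()):
        print(f"{host}: {len(services)} service ticket(s): {', '.join(services)}")
```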
