[24488] in Kerberos
Re: Mail.app with multiple accounts using Kerberos
daemon@ATHENA.MIT.EDU (Jeffrey Altman)
Fri Aug 19 16:43:32 2005
From: Jeffrey Altman <jaltman2@nyc.rr.com>
Message-ID: <NerNe.7148$ZG2.1179922@twister.nyc.rr.com>
Date: Fri, 19 Aug 2005 20:25:17 GMT
To: kerberos@mit.edu
Errors-To: kerberos-bounces@mit.edu
David:
There are two very different issues that you raise:
(1) why can't a ccache contain TGTs for multiple principal names?
First, on a system that supports the CCAPI such as MacOS X and
Windows, there is no need to attempt this. It is possible to query
the list of ccaches and therefore the list of Kerberos principal
names.
Secondly, the ccache does not only contain tickets but it also
stores some information that is realm specific such as the time
offset between the client and the KDCs. This is used to adjust
the ticket times so that we know when they will actually be valid
instead of just approximating it.
(2) why can't an application just know which client principal is
the correct one for the given service?
This answer is extremely complicated since there are lots of edge
cases. You are describing a scenario in which the user has tickets
for joe@A and joe@B and wants to access mailboxes with service names
of mail@A and mail@B. Ok. This seems simple enough, we can just
match the realm names. But what if you have multiple mailboxes
served by mail@B and one of them is an administrative account. How is
the mail application supposed to be able to choose between joe@B and
joe/admin@B when contacting mail@B for the personal and admin mailboxes?
What about the case where you have a distributed file system such as
AFS and you have cell@A and cell@B with a cross-realm trust between
A and B. It is possible for joe@B to be used to contact cell@A and
doing so will get different access than joe@A would. How would the
file system client automatically choose?
The reality is that in the current day you either need to use
cross-realm or your applications have to maintain knowledge of which
principal should be used to access the given resource.
This is a non-trivial problem.
Jeffrey Altman
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos