[36410] in Kerberos


Re: Multiple principals from different realms via kinit?

daemon@ATHENA.MIT.EDU (Cedric Blancher)
Thu Aug 28 10:17:58 2014

In-Reply-To: <1409232667.6483.31.camel@willson.usersys.redhat.com>
Date: Thu, 28 Aug 2014 16:17:41 +0200
Message-ID: <CALXu0UeB7Oa=jLTpyk8Ja1yR=mtXNBVQV0b2kOy=P0-PEYyAog@mail.gmail.com>
From: Cedric Blancher <cedric.blancher@gmail.com>
To: "<kerberos@mit.edu>" <kerberos@mit.edu>

On 28 August 2014 15:31, Simo Sorce <simo@redhat.com> wrote:
> On Thu, 2014-08-28 at 14:36 +0200, Cedric Blancher wrote:
>> On 27 August 2014 18:16, Benjamin Kaduk <kaduk@mit.edu> wrote:
>> > On Wed, 27 Aug 2014, ольга крыжановская wrote:
>> >
>> >> How can I use multiple principals from different realms via kinit?
>> >>
>> >> I tried:
>> >> kinit fleyta@WARONTERROR.COM
>> >> ...
>> >> klist shows tgt for fleyta@WARONTERROR.COM
>> >
>> > klist -A shows tickets in all caches in the collection, not just the
>> > current cache (as klist without -A does).  You'll generally want to be
>> > using a collection-enabled cache type such as DIR: or a post-1.12 KEYRING:
>> > in order to get the best behavior when using multiple client principals.
>> >
>> > As mentioned already, kswitch is also useful in these situations.
>>
>> How do services like NFSv4, HTTP/spnego or GSSAPI know which of the
>> entries is the one they want?
>
> They'll make a guess based on the realm, or pick the primary.

How do they 'guess'?

Is it possible to get rid of the notion of a primary one day?

Ced
-- 
Cedric Blancher <cedric.blancher@gmail.com>
Institute Pasteur

________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
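
The selection rule quoted above ("a guess based on the realm, or pick the primary") can be sketched as a small model. This is an added example, not code from the thread or from MIT krb5; the names Cache, realm_of and select_cache are hypothetical, and the cache names, the second client principal and the service principals are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cache:
    name: str    # cache name within the collection (constructed)
    client: str  # client principal whose tickets the cache holds

def realm_of(principal: str) -> str:
    """Realm is the text after the last '@' that is not backslash-escaped."""
    end = len(principal)
    while (at := principal.rfind("@", 0, end)) >= 0:
        escapes = len(principal[:at]) - len(principal[:at].rstrip("\\"))
        if escapes % 2 == 0 and principal[at + 1:]:
            return principal[at + 1:]
        end = at  # escaped '@' or empty realm: keep looking to the left
    raise ValueError(f"no realm in principal {principal!r}")

def select_cache(collection, primary_name, service):
    """Return (cache, reason) for a target service principal.

    Simplified model: match the service's realm against each cache's
    client realm; if nothing matches, fall back to the primary cache.
    """
    target = realm_of(service)
    primary = next((c for c in collection if c.name == primary_name), None)
    matches = [c for c in collection if realm_of(c.client) == target]
    if matches:
        # Several caches in the same realm: keep the primary if it is one
        # of them, otherwise the first (a choice made for this model).
        return (primary if primary in matches else matches[0]), "realm"
    if primary is None:
        raise LookupError("collection has no primary cache")
    return primary, "primary"

# Constructed collection: the principal from the thread plus a second,
# made-up principal in another realm. PRIMARY is what kswitch would set.
COLLECTION = [
    Cache("tkt_a", "fleyta@WARONTERROR.COM"),
    Cache("tkt_b", "fleyta@EXAMPLE.ORG"),
]
PRIMARY = "tkt_a"

if __name__ == "__main__":
    for svc in ("nfs/files.example.org@EXAMPLE.ORG",
                "HTTP/www.waronterror.com@WARONTERROR.COM",
                "host/box.other.test@OTHER.TEST"):
        cache, why = select_cache(COLLECTION, PRIMARY, svc)
        print(f"{svc}: {cache.client} via {cache.name} ({why})")
```

In this model a service in a realm with no matching cache silently gets the primary's credentials, which is why the choice of primary (kswitch) still matters in a multi-realm collection.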

