[5587] in Kerberos
Re: Using multiple TGTs
daemon@ATHENA.MIT.EDU (georges rahbani)
Wed Aug 2 12:29:05 1995
Date: Wed, 02 Aug 1995 09:19:51 -0700
To: kdrenard@arl.mil (Kenneth D. Renard )
From: georgesr@wrq.com (georges rahbani)
Cc: kerberos@MIT.EDU
>[Kerberos V5 Beta 5]
>
>I am looking for thoughts and ideas about using multiple ticket caches
>to access multiple Kerberos realms where cross-realm trust is not a
>possibility. Currently, users select a ticket cache by setting their
>KRB5CCNAME environment variable. I see 2 possible improvements
>to this:
>
>1. Allow multiple TGTs (for different realms) in the same ticket cache.
> When a user runs "kinit" to authenticate with a second realm, the TGT
> is put in the same cache as their current TGT and can be used accordingly.
> (What do you do about the principal named in the cache??)
>
>2. Allow the KRB5CCNAME variable to have multiple caches named. KRB5CCNAME
> would be an array of ticket cache identifiers that could be searched by
> krb5_cc_resolve() given the default realm in krb5_context, or by
> a separate realm identifier.
>
Ken,
I added a new utility to Kerberos that changes the default cache name during
runtime. This way I can use multiple caches to different realms without
changing anything in the way the credentials cache works. This is working
fine for the Kerberos client under Windows.
Regards
Georges Rahbani
Walker, Richer & Quinn, Inc.
georgesr@wrq.com
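
Added example, not part of the original message and not the utility it describes: one way to pick a per-realm cache at run time, in the spirit of option 2 in the quoted question. It assumes the MIT FILE ccache layout (format versions 3 and 4); the function names, realm names and sample caches are hypothetical and constructed for illustration.

```python
import os
import struct
import tempfile

def default_principal(path):
    """Return (name, realm) of the default principal in a FILE ccache (v3/v4)."""
    with open(path, "rb") as f:
        data = f.read()
    if len(data) < 2 or data[0] != 5 or data[1] not in (3, 4):
        raise ValueError("unsupported ccache format: %s" % path)
    pos = 2
    if data[1] == 4:                         # v4 adds a length-prefixed header
        (hlen,) = struct.unpack_from(">H", data, pos)
        pos += 2 + hlen
    _name_type, ncomp = struct.unpack_from(">II", data, pos)
    pos += 8
    fields = []
    for _ in range(ncomp + 1):               # realm first, then name components
        (n,) = struct.unpack_from(">I", data, pos)
        pos += 4
        if pos + n > len(data):
            raise ValueError("truncated ccache: %s" % path)
        fields.append(data[pos:pos + n].decode("utf-8"))
        pos += n
    return "/".join(fields[1:]), fields[0]

def select_cache(paths, realm):
    """Return a KRB5CCNAME value for the first cache whose principal is in realm."""
    for path in paths:
        try:
            if default_principal(path)[1] == realm:
                return "FILE:" + path
        except (OSError, ValueError, struct.error):
            continue                         # unreadable or malformed: skip it
    return None

def make_sample_cache(directory, name, realm):
    """Write a constructed v4 ccache holding only a default principal."""
    def counted(s):
        return struct.pack(">I", len(s)) + s.encode()
    blob = b"\x05\x04" + struct.pack(">H", 0)           # version, empty header
    blob += struct.pack(">II", 1, 1) + counted(realm) + counted(name)
    path = os.path.join(directory, "krb5cc_" + realm)
    with open(path, "wb") as f:
        f.write(blob)
    return path
```

A wrapper would export the returned value as KRB5CCNAME before starting the client for that realm, leaving the credentials cache code itself unchanged.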