[139] in Kerberos


Re: Interrealm misfeatures and alte

jon@ATHENA.MIT.EDU (jon@ATHENA.MIT.EDU)
Sun Aug 9 21:33:04 1987

From srz@athena.MIT.EDU  Mon Nov  3 14:47:47 1986
From: srz@athena.MIT.EDU
Date: Mon, 3 Nov 86 14:45:18 EST
To: wesommer@ATHENA.MIT.EDU
Subject: Re:  Interrealm misfeatures and alternate an_to_ln
Cc: kerberos@athena.MIT.EDU

Actually, the ticket file does contain the realm of the principal they
are in, except Kerberos doesn't rely on it to determine the local
domain.  As Kerberos is currently set up, there is only one krbtgt
entry in which the instance (the realm that the ticket is good for)
is the same as the realm in which the ticket was gotten.  That is the
'local' realm.

For example, if I am in the LCS realm, and do a 'kinit', I get a ticket
of the form: 'srz', '', 'krbtgt', 'LCS.MIT.EDU', 'LCS.MIT.EDU'.  When
I log on over to athena, I get an additional ticket: 'srz', '', 'krbtgt',
'ATHENA.MIT.EDU', 'LCS.MIT.EDU'.  If rd_ad_tkt were changed so that it
determined the local realm from the tickets, as opposed to using
krb.conf, then a single 'kinit -r' would change your realm for the entire
session.  The ticket file would stay the same.
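
The rule described in the message above, sketched as an added example (not part of the original post and not code from the Kerberos source): the local realm is taken from the one krbtgt entry whose instance equals its realm. The struct, the function name `local_realm_from_tickets` and the fallback-to-krb.conf convention are assumptions made for illustration; the sample entries are constructed from the two tickets quoted in the message.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory view of one ticket-file entry, using the five
 * fields shown in the message. Not the Kerberos library's own structure. */
struct tkt_entry {
    const char *pname;    /* principal name, e.g. "srz" */
    const char *pinst;    /* principal instance, e.g. "" */
    const char *service;  /* service name, e.g. "krbtgt" */
    const char *sinst;    /* service instance: realm the ticket is good for */
    const char *realm;    /* realm in which the ticket was gotten */
};

/* Constructed sample: the two entries described in the message. */
static const struct tkt_entry sample_tkts[] = {
    { "srz", "", "krbtgt", "LCS.MIT.EDU",    "LCS.MIT.EDU" },
    { "srz", "", "krbtgt", "ATHENA.MIT.EDU", "LCS.MIT.EDU" },
};

/* Return the realm of the krbtgt entry whose instance equals its realm.
 * Return NULL when there is no such entry, or when two such entries name
 * different realms, so the caller can fall back to krb.conf instead of
 * trusting an inconsistent ticket file. */
const char *local_realm_from_tickets(const struct tkt_entry *t, size_t n)
{
    const char *found = NULL;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(t[i].service, "krbtgt") != 0)
            continue;                /* not a ticket-granting ticket */
        if (strcmp(t[i].sinst, t[i].realm) != 0)
            continue;                /* TGT for another realm, not the local one */
        if (found && strcmp(found, t[i].realm) != 0)
            return NULL;             /* conflicting "local" entries: ambiguous */
        found = t[i].realm;
    }
    return found;
}

int main(void)
{
    const char *r = local_realm_from_tickets(sample_tkts, 2);
    printf("local realm: %s\n", r ? r : "(undetermined, use krb.conf)");
    return 0;
}
```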

