On Thu, 31 Jul 2003, Grace Tsai wrote:

> We have three different realms listed in our krb5.conf file.
> How can we let users keep credentials given by different realms
> into the same /tmp/krb5cc_<uid> file?

Some Kerberized applications or utilities may have trouble dealing with
credentials cache files containing tickets from multiple realms, but
if so then this would be either deliberately by design or because of
bad assumptions made by those programs.  There is nothing in the format
of the credentials cache file that precludes this.  One of my credentials
caches currently contains:

sirus# klist -5 /ticket/krb5cc_apache_5366
Ticket cache: FILE:/ticket/krb5cc_apache_5366
Default principal: markmont/[EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/31/03 09:52:18  07/31/03 11:52:18  krbtgt/[EMAIL PROTECTED]
07/31/03 09:52:15  08/04/03 09:52:15  krbtgt/[EMAIL PROTECTED]
        for client markmont/[EMAIL PROTECTED]
07/31/03 09:52:15  08/04/03 09:52:15  [EMAIL PROTECTED]
        for client markmont/[EMAIL PROTECTED]
07/31/03 09:52:19  07/31/03 11:52:18  [EMAIL PROTECTED]
sirus#

...and this works fine.  This credentials cache file was not created
by kinit, however -- this credentials cache was created by one of our
in-house applications, using the MIT Kerberos 5 libraries and API.  The
Kerberized applications that I've tested with have no problem
understanding multiple realms in a single credentials cache file, but
it wouldn't surprise me at all to find some programs that can't handle
this.

kinit from MIT Kerberos 5 version 1.2.5 is one of the programs that
can't handle multiple realms in a single credentials cache, but this
is by design:  the kinit(1) manpage says:

    Any existing contents of the cache are destroyed by kinit.

...and so of course the following sort of thing doesn't work:

mozi% kinit -c /ticket/krb5cc_5366 [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
mozi% klist -5 /ticket/krb5cc_5366
Ticket cache: FILE:/ticket/krb5cc_5366
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/31/03 11:22:18  07/31/03 21:22:22  krbtgt/[EMAIL PROTECTED]
mozi% kinit -c /ticket/krb5cc_5366 [EMAIL PROTECTED]
Password for [EMAIL PROTECTED]:
mozi% klist -5 /ticket/krb5cc_5366
Ticket cache: FILE:/ticket/krb5cc_5366
Default principal: [EMAIL PROTECTED]

Valid starting     Expires            Service principal
07/31/03 11:22:38  07/31/03 21:22:38  krbtgt/[EMAIL PROTECTED]
mozi%

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                [EMAIL PROTECTED]



________________________________________________
Kerberos mailing list           [EMAIL PROTECTED]
https://mailman.mit.edu/mailman/listinfo/kerberos
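Added example, not part of the original message or of MIT Kerberos: a minimal Python reader for the FILE credentials cache format, showing that every stored credential carries its own client and server principal (realm included), which is why klist can print "for client ..." entries from a second realm. It assumes version 4 of the MIT file format (leading bytes 0x05 0x04); the realm names, key and ticket bytes in SAMPLE are constructed.

```python
import io, struct

def _data(f):                       # data ::= 32-bit length, value
    (n,) = struct.unpack(">I", f.read(4))
    return f.read(n)

def _principal(f):                  # name type, component count, realm, components
    _ntype, count = struct.unpack(">II", f.read(8))
    realm = _data(f).decode()
    return "/".join(_data(f).decode() for _ in range(count)) + "@" + realm

def _skip_typed_list(f):            # addresses / authdata: count, (16-bit type, data)*
    (count,) = struct.unpack(">I", f.read(4))
    for _ in range(count):
        f.read(2)
        _data(f)

def list_ccache(blob):
    """Return (default_principal, [(client, server), ...]) for a v4 FILE ccache."""
    f = io.BytesIO(blob)
    if f.read(2) != b"\x05\x04":
        raise ValueError("only ccache file format version 4 is handled")
    f.read(struct.unpack(">H", f.read(2))[0])   # skip the v4 header fields
    default, creds = _principal(f), []
    while f.tell() < len(blob):
        client, server = _principal(f), _principal(f)
        f.read(2)                   # keyblock enctype
        _data(f)                    # key bytes
        f.read(4 * 4 + 1 + 4)       # auth/start/end/renew times, is_skey, flags
        _skip_typed_list(f)         # addresses
        _skip_typed_list(f)         # authdata
        _data(f)                    # ticket
        _data(f)                    # second ticket
        creds.append((client, server))
    return default, creds

# Constructed sample: made-up realms, dummy key and ticket bytes.
def _d(b):
    return struct.pack(">I", len(b)) + b
def _p(name, realm):
    parts = [p.encode() for p in name.split("/")]
    return struct.pack(">II", 1, len(parts)) + _d(realm.encode()) + b"".join(map(_d, parts))
def _cred(client, server):
    return (_p(*client) + _p(*server) + struct.pack(">H", 17) + _d(bytes(16))
            + bytes(4 * 4 + 1 + 4) + bytes(8) + _d(b"ticket") + _d(b""))

A, B = "REALM-A.EXAMPLE", "REALM-B.EXAMPLE"
SAMPLE = (b"\x05\x04" + bytes(2) + _p("alice", A)
          + _cred(("alice", A), ("krbtgt/" + A, A))
          + _cred(("alice", B), ("krbtgt/" + B, B)))
```

Calling list_ccache(SAMPLE) returns one default principal and two credentials whose client realms differ, all read from a single cache image.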
