> Hi, > Do all services running on a server share the same long term key in the > KDC.
They could in theory, but this is not how it is normally done. > What I mean is, lets say on a server that is part of a domain that is > running say a file server and a email server, both of which use the > kerberos protocol... Will a client wishing to communicate with both > services be able to just use the same kerberos ticket? If the user has a valid "TGT" ticket, the client can get the service ticket it needs to authenticate with the server without action from the user. So, from this aspect, yes, get one TGT and everything is good, but under the covers there are usually separate tickets for each (service, server) pair. For example: > klist Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616 Default principal: [EMAIL PROTECTED] Valid starting Expires Service principal 07/25/05 08:17:58 08/01/05 08:17:58 krbtgt/[EMAIL PROTECTED] 07/25/05 09:04:30 08/01/05 08:17:58 host/[EMAIL PROTECTED] 07/29/05 09:15:47 08/01/05 08:17:58 host/[EMAIL PROTECTED] 07/30/05 17:54:20 08/01/05 08:17:58 accountd/[EMAIL PROTECTED] 07/30/05 17:54:44 08/01/05 08:17:58 accountd/[EMAIL PROTECTED] John ________________________________________________ Kerberos mailing list [email protected] https://mailman.mit.edu/mailman/listinfo/kerberos
