> We are also dealing with the same problem here -- on Mac, Windows, and Linux.
>
> What I don't understand is why the kerberos client doesn't seem to be able to
> keep multiple tickets for multiple realms in the same cache and choose the
> right tgt/service ticket based on the dns name -> realm mapping
There are a couple of problems:

- There is something in the credential cache called the "primary principal", or the "default principal". It's the first thing printed out by klist. The Kerberos APIs need to have a client principal fed into them to construct the service ticket request. Virtually all code today gets this principal from the primary principal in the credential cache. While it's possible to put multiple TGTs in the credential cache today, no apps will make use of them. On some platforms you can have multiple TGTs in separate "sessions" and switch between them (MacOS X), but when the "session" is switched, so is the primary principal.

- Let's pretend this isn't a problem. The problem then becomes ... how do you decide what to do? Do you attempt cross-realm authentication? Do you search the credential cache for a TGT in the foreign realm and use that? There is, unfortunately, no good answer ... although people are exploring the options.

The sites that I've seen address this today do so by setting up cross-realm authentication.

--Ken

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
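To make the selection problem Ken describes concrete, here is an added model (not code from the thread, the MIT Kerberos project, or libkrb5) of a credential cache that holds TGTs for two realms. The `primary` strategy mirrors the behaviour the reply attributes to nearly all applications today: the client principal comes from the cache's default principal and only that principal's home-realm TGT is consulted, so a service in the other realm gets nothing. The `search` and `cross-realm` strategies are the two alternatives the reply raises. The realm mapping, hostnames, principal names, and the trust set are all constructed for the example; in a real deployment the cross-realm TGT would be issued by the home KDC, not built locally.

```python
"""Constructed model of choosing a client principal / TGT from a credential cache.

Not libkrb5 code: the domain_realm lookup, the cache layout and the three
strategies are simplifications built for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Ticket:
    client: str    # client principal, e.g. "alice@EXAMPLE.COM"
    service: str   # service principal, e.g. "krbtgt/EXAMPLE.COM@EXAMPLE.COM"


def realm_of(principal: str) -> str:
    """Realm part of a principal name (text after the last '@')."""
    return principal.rsplit("@", 1)[1]


@dataclass
class CredCache:
    primary_principal: str      # the "default principal" that klist prints first
    tickets: List[Ticket]


# Hypothetical [domain_realm]-style mapping from DNS suffix to realm (constructed).
DOMAIN_REALM: Dict[str, str] = {
    ".example.com": "EXAMPLE.COM",
    ".corp.test": "CORP.TEST",
}


def realm_for_host(host: str, mapping: Dict[str, str] = DOMAIN_REALM) -> Optional[str]:
    """Longest-suffix match of a hostname against the domain_realm mapping."""
    host = host.lower().rstrip(".")
    best: Optional[Tuple[str, str]] = None
    for suffix, realm in mapping.items():
        if host == suffix.lstrip(".") or host.endswith(suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, realm)
    return best[1] if best else None


def find_tgt(cache: CredCache, client: Optional[str], realm: str) -> Optional[Ticket]:
    """First TGT for `realm` in the cache; restricted to `client` when one is given."""
    for t in cache.tickets:
        if t.service == f"krbtgt/{realm}@{realm}" and (client is None or t.client == client):
            return t
    return None


def choose_ticket(cache: CredCache, host: str, strategy: str = "primary",
                  trusts=frozenset()) -> Optional[Tuple[str, Ticket]]:
    """Return (client principal, TGT to use for the request) or None if nothing usable.

    "primary"     - client is the primary principal; only its own realm's TGT is used.
    "search"      - take any TGT in the service's realm and adopt that ticket's client.
    "cross-realm" - keep the primary principal; if the service realm differs and a
                    (home, target) trust exists, use a cross-realm TGT krbtgt/TARGET@HOME.
    """
    target = realm_for_host(host)
    if target is None:
        return None
    client = cache.primary_principal
    home = realm_of(client)
    if strategy == "primary":
        tgt = find_tgt(cache, client, home)
        return (client, tgt) if tgt and target == home else None
    if strategy == "search":
        tgt = find_tgt(cache, None, target)
        return (tgt.client, tgt) if tgt else None
    if strategy == "cross-realm":
        tgt = find_tgt(cache, client, home)
        if tgt is None:
            return None
        if target == home:
            return (client, tgt)
        if (home, target) in trusts:
            # A real client would obtain this from the home KDC with a TGS-REQ
            # made using `tgt`; here the cross-realm TGT is simply constructed.
            return (client, Ticket(client, f"krbtgt/{target}@{home}"))
        return None
    raise ValueError(f"unknown strategy {strategy!r}")


# Constructed sample cache: one TGT per realm for the same user.
SAMPLE_CACHE = CredCache(
    primary_principal="alice@EXAMPLE.COM",
    tickets=[
        Ticket("alice@EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
        Ticket("alice@CORP.TEST", "krbtgt/CORP.TEST@CORP.TEST"),
    ],
)

if __name__ == "__main__":
    trusts = {("EXAMPLE.COM", "CORP.TEST")}
    for host in ("fs.example.com", "db.corp.test"):
        for strat in ("primary", "search", "cross-realm"):
            print(f"{host:16} {strat:12} -> {choose_ticket(SAMPLE_CACHE, host, strat, trusts)}")
```

Running the block shows the failure mode from the thread: with the `primary` strategy, `db.corp.test` maps to CORP.TEST but the lookup returns None even though a CORP.TEST TGT sits in the cache, because only the default principal's home-realm TGT is ever considered. The `search` strategy finds that ticket but silently changes which identity the application uses; `cross-realm` keeps the identity but only works where the realm trust has been set up, which is the approach the reply says deployed sites take.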
