On 08/28/2014 10:17 AM, Cedric Blancher wrote:
>>> How do services like NFSv4, HTTP/spnego or GSSAPI know which of the
>>> entries is the one they want?

NFS is a special case, as the program making the decision doesn't have access to the environment of the process which made the filesystem call. I'm not sure what the state of the art is here; typically gssd needs some knowledge of where the login system puts credentials, and it might make a choice based on the username.

>> They'll make a guess based on the realm, or pick the primary.
>
> How do they 'guess'?

If an application doesn't specify a client name, there are three mechanisms in order of priority:

1. The .k5identity file allows you to configure a client principal based on the target principal. See:
   http://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5identity.html

2. If the realm of the target service is known via a [domain_realm] mapping in krb5.conf, a client principal in that realm will be selected.

3. The primary cache.

It is also possible to write a plugin module which controls ccache selection, but I'm not aware of anyone doing so.

You can also set KRB5CCNAME to the name of a subsidiary cache within the collection, to control the choice for a particular process.

> Is it possible to get rid of the notion of a primary one day?

It might be possible, but why would we want to?

________________________________________________
Kerberos mailing list
[email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
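The selection order described in the reply above (KRB5CCNAME override, then .k5identity, then [domain_realm], then the primary cache), modelled as an added Python example that is not krb5 code and not part of the thread. The .k5identity contents, the domain_realm mapping and the cache names are constructed; the model assumes a .k5identity rule only applies when a cache for its principal exists in the collection, and it ignores KDC referrals and the plugin interface.

```python
# Constructed .k5identity in the format the linked MIT doc describes:
# one client principal per line, followed by optional realm=/service=/host= selectors.
K5IDENTITY = """\
alice/admin@EXAMPLE.COM service=kadmin
alice@EXAMPLE.COM realm=EXAMPLE.COM
alice@CORP.EXAMPLE.COM host=files.corp.example.com
"""
# Constructed [domain_realm] section as it would appear in krb5.conf.
DOMAIN_REALM = {".corp.example.com": "CORP.EXAMPLE.COM", ".example.com": "EXAMPLE.COM"}
# Constructed cache collection (what `klist -A` would list): cache name -> client principal.
CACHES = {
    "KEYRING:persistent:1000:ccache_a": "alice/admin@EXAMPLE.COM",
    "KEYRING:persistent:1000:ccache_b": "alice@EXAMPLE.COM",
    "KEYRING:persistent:1000:ccache_c": "alice@CORP.EXAMPLE.COM",
}
PRIMARY = "KEYRING:persistent:1000:ccache_b"

def parse_k5identity(text):
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        principal, *selectors = line.split()
        rules.append((principal, dict(s.split("=", 1) for s in selectors)))
    return rules

def realm_for_host(host):
    # Longest matching suffix in [domain_realm] wins.
    for suffix in sorted(DOMAIN_REALM, key=len, reverse=True):
        if host.endswith(suffix):
            return DOMAIN_REALM[suffix]
    return ""

def select_cache(target, rules=None, caches=CACHES, primary=PRIMARY, krb5ccname=None):
    """Return the cache name a krb5 client would use for the target service principal."""
    if krb5ccname:  # 0. KRB5CCNAME naming a subsidiary cache overrides everything
        return krb5ccname
    rules = parse_k5identity(K5IDENTITY) if rules is None else rules
    name, _, realm = target.partition("@")
    service, _, host = name.partition("/")
    facts = {"realm": realm or realm_for_host(host), "service": service, "host": host}
    by_principal = {p: c for c, p in caches.items()}
    for principal, sel in rules:  # 1. first .k5identity rule whose selectors all match
        if all(facts.get(k) == v for k, v in sel.items()) and principal in by_principal:
            return by_principal[principal]
    for cache, principal in caches.items():  # 2. a cache whose client is in the target realm
        if facts["realm"] and principal.rpartition("@")[2] == facts["realm"]:
            return cache
    return primary  # 3. the primary cache
```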
