Hi All,

One thing that some folks in Fedora are evaluating is to integrate
freeipa with fas; this would enable services like koji to gain kerberos
auth, as well as git etc. It could also be enabled on fedorahosted etc.


But it brings to light a deficiency in krb5. While you can define
multiple realms and manually switch between them in various ways, it's
not user friendly, and doesn't lend itself to having to frequently switch
between kerberos providers.

The lacking thing is that you can only cache one tgt at a time. You can
work around this by manually defining different caches or running kinit
each time you need to switch.

The solution seems to me to enable krb5 to cache multiple tgts.
Personally, right now I have 2 kerberos servers I frequently deal with, 1
for home and one for work. If we end up deploying kerberos support in
Fedora I'll have 3, and it will get really messy fast. I can keep things
separate now, but with Fedora and work using kerberos that will be
impossible.

I wanted to throw out there the very real and possible usage scenarios
and get some further discussion on how best it will be to handle this
going forward.

Dennis


_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
