<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=ISO-8859-1">
<title></title>
</head>
<body>
John M. Lockard wrote:<br>
<blockquote type="cite" cite="mid20030110170209.E23682@umich.edu">
<pre wrap="">On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
</pre>
<blockquote type="cite">
<blockquote type="cite">
<pre wrap="">By Multi-realm I mean "multiple realms"... If you've used Krb5 much
you know that you can authenticate to multiple realms easily using
the kinit command. I can do 'kinit <a class="moz-txt-link-abbreviated" href="mailto:jlockard@SI.UMICH.EDU">jlockard@SI.UMICH.EDU</a>' and then
'kinit <a class="moz-txt-link-abbreviated" href="mailto:jlockard@UMICH.EDU">jlockard@UMICH.EDU</a>' to get tickets in both realms.
</pre>
</blockquote>
<pre wrap="">... except, of course, that unless you have two KRB5CCNAME environment
variables the second kinit will wipe out the credentials from the
first kinit.
</pre>
</blockquote>
<pre wrap=""><!---->
Yep, I know of that "trick", and it's not the most convenient thing to
try and explain to your normal University computer user.
</pre>
<pre wrap="">
I never said that I wanted to pick which princical, just the realm.
In an application, such as mulberry, I can tell the app with realm
I want to authenticate too. I may have several identities in the
client, and each identity would have a different realm that it would
auth against.</pre>
</blockquote>
It does not matter if you are talking about multiple user names or
multiple realms, the fact is that you have multiple principals. The
Kerberos Credential Cache only allows credentials for a single
principal to be stored within a cache.<br>
<br>
When you issue "kinit <a class="moz-txt-link-abbreviated" href="mailto:jlockard@UMICH.EDU">jlockard@UMICH.EDU</a>" and then "kinit
<a class="moz-txt-link-abbreviated" href="mailto:jlockard@SI.UMICH.EDU">jlockard@SI.UMICH.EDU</a>" the credentials for <a class="moz-txt-link-abbreviated" href="mailto:jlockard@UMICH.EDU">jlockard@UMICH.EDU</a> are
erased when you perform the second kinit.<br>
<br>
I frequently use Leash32 to get credentials for a variety of realms
including CC.COLUMBIA.EDU, KERMIT.COLUMBIA.EDU and ATHENA.MIT.EDU. The
credentials are stored into the credential cache indicated on the
Kerberos Five Properties page. (While this appears to be an editable
field Leash32 ignores changes made to it.)<br>
<br>
Kermit 95 actually lets you specify from within the application which
Credentials Cache you wish to use. So you can in fact with K95 store
multiple sets of credentials and toggle between them. However, there is
no mechanism to specify which is the default.<br>
<br>
Since Kerberos 5 applications reference the credential cache by name
and most do not have a method for specifying the cache name, the best
that could be done would be to allow Leash32 to manage multiple
credential caches and move credentials in and out of the API:krb5cc
cache when you select a specific principal as the active one.<br>
<br>
Is this what you are looking for?<br>
<br>
- Jeff<br>
<br>
</body>
</html>