Can credentials from different realms be put in the same /tmp/krb5cc_<uid> file?

Mark Montague markmont at umich.edu
Thu Jul 31 11:38:28 EDT 2003


On Thu, 31 Jul 2003, Douglas E. Engert wrote:

> If there is no cross realm, then the user will need to get multiple
> TGTs and each will need to be in a separate cache.
> You can set the KRB5CCNAME= to point to the active cache
> and reset it before doing some operation which needs a different
> cache.

In the message I just posted with the example output from klist,
there is no cross realm trust relationship between the LSA.UMICH.EDU
and the UMICH.EDU Kerberos realms.  Yet I had tickets for both realms
in the same cache.  So the limitations are with various Kerberos
utilities and programs rather than with the Kerberos libraries
and APIs.  It's possible to have tickets from multiple realms
in the same credentials cache if you have programs which support
this -- as the code that we wrote in-house does.  Sorry for beating
this point to death.

If you want something that's guaranteed to work with all applications
without having to edit any code, though, then maintaining multiple
credentials caches is probably the best way to go, as Doug says.

                Mark Montague
                LS&A Information Technology
                The University of Michigan
                markmont at umich.edu
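
The multiple-cache approach discussed in this message (one credentials cache per realm, selected through KRB5CCNAME), as an added example that is not part of the original post or of any Kerberos distribution. The cache naming scheme krb5cc_<uid>_<REALM>, the KRB5_CC_DIR override, and the function names realm_ccname and with_realm are assumptions made for illustration.

```shell
# Added example: keep one FILE: credentials cache per realm and select it
# through KRB5CCNAME for a single command only.
# Assumed naming scheme: <dir>/krb5cc_<uid>_<REALM> (not a Kerberos default).

cc_dir="${KRB5_CC_DIR:-/tmp}"   # hypothetical override; defaults to /tmp

# Print the cache name for a realm. Realm names are restricted to letters,
# digits, dots and hyphens so that the name cannot inject a path component.
realm_ccname() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*)
            echo "invalid realm name: $1" >&2
            return 1
            ;;
    esac
    printf 'FILE:%s/krb5cc_%s_%s\n' "$cc_dir" "$(id -u)" "$1"
}

# Run one command with KRB5CCNAME pointing at the realm's cache.
# The export happens in a subshell, so the caller's KRB5CCNAME is left
# unchanged and nothing has to be reset by hand afterwards.
with_realm() {
    realm=$1
    shift
    cc=$(realm_ccname "$realm") || return 1
    (
        export KRB5CCNAME="$cc"
        "$@"
    )
}

# Typical use with the two realms named in this thread:
#   with_realm UMICH.EDU     kinit user@UMICH.EDU
#   with_realm LSA.UMICH.EDU kinit user@LSA.UMICH.EDU
#   with_realm LSA.UMICH.EDU klist
```

Any program that reads KRB5CCNAME can be wrapped the same way, which avoids depending on application support for several realms in one cache.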


