Can credentials from different realms be put in the same /tmp/krb5cc_<uid> file?

Cesar Garcia Cesar.Garcia at morganstanley.com
Thu Jul 31 12:22:03 EDT 2003


This is really impractical, since most applications attempt to use
tickets for the default principal named in the ticket. Unless [all of]
your applications intend to explicitly acquire credentials for a named
[client] principal, a single credentials cache is going to be
difficult.

My personal recommendation would be:
1 - use a single realm if politics and other factors permit (if you've
already set up three realms, then there are factors prohibiting you
from doing this).

2 - have each of your users belong to a single realm and enable trust
across realms (note, some apps only authorize users in the local
realm). In this case each user will have a single identity, not three.

3 - have users use separate credential cache files for each realm
(defined via KRB5CCNAME). If you can figure out a way to automate
this for your users, you'll save them huge headaches.

>>>>> "Grace" == Grace Tsai <gtsai at bnl.gov> writes:

Grace> Hi,
Grace> We have three different realms listed in our krb5.conf file.
Grace> How can we let users keep credentials given by different realms
Grace> into the same /tmp/krb5cc_<uid> file?

Grace> Thanks in advance.

Grace> Grace



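One way to automate option 3 above, as an added example that is not part of the original post: shell functions that keep one credentials cache per realm and select it through KRB5CCNAME. The function names, the `/tmp/krb5cc_<uid>_<REALM>` naming scheme and the realm names in the comments are assumptions.

```shell
# Added example: one credentials cache per realm, selected via KRB5CCNAME.
# Source this file from the user's shell profile.

# Print the cache name for a realm: FILE:/tmp/krb5cc_<uid>_<REALM>
krb_ccname_for() {
    krb_realm=$1
    # The realm becomes part of a file name, so reject empty values and
    # anything outside a conservative character set (no '/' or whitespace).
    case $krb_realm in
        ''|*[!A-Za-z0-9.-]*)
            echo "invalid realm: $krb_realm" >&2
            return 1 ;;
    esac
    printf 'FILE:/tmp/krb5cc_%s_%s\n' "$(id -u)" "$krb_realm"
}

# Point the current shell (and everything started from it) at one realm's cache.
krb_use_realm() {
    krb_cc=$(krb_ccname_for "$1") || return 1
    KRB5CCNAME=$krb_cc
    export KRB5CCNAME
}

# Get a ticket for user@REALM into that realm's own cache.
# Example (constructed names): krb_login alice@A.EXAMPLE
krb_login() {
    case $1 in
        *@*) ;;
        *) echo "usage: krb_login user@REALM" >&2; return 1 ;;
    esac
    krb_use_realm "${1##*@}" || return 1
    kinit "$1"
}

# Run a single command against another realm's cache; the subshell keeps
# the caller's KRB5CCNAME unchanged.
# Example (constructed names): krb_with_realm B.EXAMPLE klist
krb_with_realm() {
    krb_cc=$(krb_ccname_for "$1") || return 1
    shift
    ( KRB5CCNAME=$krb_cc; export KRB5CCNAME; "$@" )
}
```
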