kerberos creds cache - primary principal

Dr. Greg Wettstein greg at wind.enjellic.com
Tue Sep 30 15:09:51 EDT 2003


On Sep 30,  1:15am, Noolyg wrote:
} Subject: kerberos creds cache - primary principal

> Hi, 

Good afternoon, hope the day is going well for you.

> I have some questions...
> I would like to know what the "primary principal" of a ccache
> means?
> I didn't really get that from the documentation...
> And who is the primary principal of the default cache?

The primary principal of a credentials cache is the identity (user)
who has been granted possession of the service credentials in the
cache.  More simplistically it is the identity of a user who
authenticated himself/herself to the KDC.

From a technically accurate perspective it would be more correct to
say that the primary principal is an identity who has possession of an
authenticator which can be used to verify the authenticity of the
service credentials in the cache.

> If I want to store all my creds in the default cache, but not remove
> any existing ones using a different principal than the primary?

I think the ccache code in the library can handle this situation but
I'm not sure that the applications themselves handle the situation
very well.

> How can 2 clients use the same cache?

I'm not sure that this makes much sense.  The contents of the
credentials cache authenticate an identity.  It wouldn't seem to make
sense from a security perspective for two clients or individuals to
share the same authentication.

> Thanks a lot!
> 
> :)

Hope this makes sense.

}-- End of excerpt from Noolyg

As always,
Dr. G.W. Wettstein, Ph.D.   Enjellic Systems Development, LLC.
4206 N. 19th Ave.           Specializing in information infra-structure
Fargo, ND  58102            development.
PH: 701-281-1686
FAX: 701-281-3949           EMAIL: greg at enjellic.com
------------------------------------------------------------------------------
"Inspite of all evidence to the contrary, the entire universe is
composed of only two basic substances: magic and bullshit."
                                -- Ian Macdonald
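
Added example, not part of the original message or of any Kerberos distribution: a FILE-type MIT credentials cache (format versions 3 and 4) records its primary principal in the file header, ahead of any tickets, and this Python parser reads it back. The sample cache bytes, the helper build_sample and the principal alice@EXAMPLE.COM are constructed for illustration.

```python
import struct
import sys

def _counted(buf, off):
    """Read a 4-byte big-endian length, then that many bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated ccache")
    return buf[off + 4:off + 4 + n], off + 4 + n

def primary_principal(buf):
    """Return the primary (default) principal of a v3/v4 FILE ccache."""
    if len(buf) < 2 or buf[0] != 5 or buf[1] not in (3, 4):
        raise ValueError("not a version 3 or 4 ccache")
    try:
        off = 2
        if buf[1] == 4:                      # v4 adds a tagged header block
            (hlen,) = struct.unpack_from(">H", buf, off)
            off += 2 + hlen
        _name_type, ncomp = struct.unpack_from(">II", buf, off)
        realm, off = _counted(buf, off + 8)
        comps = []
        for _ in range(ncomp):
            comp, off = _counted(buf, off)
            comps.append(comp.decode("utf-8", "replace"))
    except struct.error:
        raise ValueError("truncated ccache") from None
    # Simplified display form: special characters are not escaped.
    return "/".join(comps) + "@" + realm.decode("utf-8", "replace")

def build_sample(components, realm, version=4):
    """Constructed test input: ccache header plus principal, no tickets."""
    out = bytes([5, version])
    if version == 4:
        # one header field: tag 1 (KDC time offset), 8 bytes of zeros
        out += struct.pack(">HHHii", 12, 1, 8, 0, 0)
    out += struct.pack(">II", 1, len(components))   # name type 1 = NT-PRINCIPAL
    for part in [realm] + list(components):
        out += struct.pack(">I", len(part)) + part.encode()
    return out

if __name__ == "__main__":
    # With a path argument, read a real cache file; otherwise use the sample.
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample(["alice"], "EXAMPLE.COM"))
    print(primary_principal(data))
```

MIT's klist prints the same value on its "Default principal:" line.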

