Do multiple kerberos enabled services on a machine share the same ticket

[x_coder@hotmail.com]

Perfect... thanks John.

So when my principal (i.e my server) joins a domain, I will still see
only one entry for that prinicpal on the KDC (for example under Active
Directory users and computers list) even though that principal is
hosting two different services, right?

And to talk to either of these services, a seperate ticket is derived
from the TGT

Thanks
Lyle


John Hascall wrote:
> > Hi,
> > Do all services running on a server share the same long term key in the
> > KDC.
>
> They could in theory, but this is not how it is normally done.
>
> > What I mean is, lets say on a server that is part of a domain that is
> > running say a file server and a email server, both of which use the
> > kerberos protocol...  Will a client wishing to communicate with both
> > services be able to just use the same kerberos ticket?
>
> If the user has a valid "TGT" ticket, the client can get the
> service ticket it needs to authenticate with the server without
> action from the user.  So, from this aspect, yes, get one TGT
> and everything is good, but under the covers there are usually
> separate tickets for each (service, server) pair.  For example:
>
> > klist
> Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616
> Default principal: john at IASTATE.EDU
>
> Valid starting     Expires            Service principal
> 07/25/05 08:17:58  08/01/05 08:17:58  krbtgt/IASTATE.EDU at IASTATE.EDU
> 07/25/05 09:04:30  08/01/05 08:17:58  host/trusty.ait.iastate.edu at IASTATE.EDU
> 07/29/05 09:15:47  08/01/05 08:17:58  host/print-2.iastate.edu at IASTATE.EDU
> 07/30/05 17:54:20  08/01/05 08:17:58  accountd/moira.iastate.edu at IASTATE.EDU
> 07/30/05 17:54:44  08/01/05 08:17:58  accountd/lambda.it.iastate.edu at IASTATE.EDU
>
>
> John
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos