Mail.app with multiple accounts using Kerberos
Ken Hornstein
kenh at cmf.nrl.navy.mil
Fri Aug 19 13:06:40 EDT 2005
>We are also dealing with the same problem here -- on Mac, Windows, and Linux.
>
>What I don't understand is why the kerberos client doesn't seem to be able to
>keep multiple tickets for multiple realms in the same cache and choose the
>right tgt/service ticket based on the dns name -> realm mapping
There are a couple of problems:
- There is something in the credential cache called the "primary principal",
  or the "default principal". It's the first thing printed out by klist.
  The Kerberos APIs need to have a client principal fed into them to
  construct the service ticket request. Virtually all code today gets
  this principal from the primary principal in the credential cache.
  While it's possible to put multiple TGTs in the credential cache today,
  no apps will make use of them. On some platforms you can have multiple
  TGTs in separate "sessions" and switch between them (MacOS X), but
  when the "session" is switched, so is the primary principal.

- Let's pretend this isn't a problem. The problem then becomes ... how do
  you decide what to do? Do you attempt cross-realm authentication? Do
  you search the credential cache for a TGT in the foreign realm and use
  that? There is, unfortunately, no good answer ... although people are
  exploring the options.
The sites that I've seen address this today do so by setting up cross-realm
authentication.
--Ken
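As an added illustration of the cross-realm setup Ken describes (this is an editor's example, not part of the original post), here is a client-side krb5.conf fragment for the case where the user's only TGT is in the home realm and the mail server lives in a second realm. The realm names EXAMPLE.COM and PARTNER.ORG, the KDC hostnames, and mail.partner.org are made-up values; the kadmin steps in the comments are the standard way to create the shared cross-realm krbtgt principals and are shown only for orientation.

```ini
; Client krb5.conf: one primary principal (user@EXAMPLE.COM) in the cache,
; service tickets for PARTNER.ORG obtained through cross-realm authentication.
; All realm and host names below are assumptions for this example.

[libdefaults]
    default_realm = EXAMPLE.COM
    ; Let the library consult DNS when a host is not listed in [domain_realm];
    ; keep it off if you want the explicit mapping below to be authoritative.
    dns_lookup_realm = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
        admin_server = kdc1.example.com
    }
    PARTNER.ORG = {
        kdc = kdc1.partner.org
    }

; Host name -> realm mapping. This is what tells the client that
; imap/mail.partner.org belongs to PARTNER.ORG, not to the default realm.
[domain_realm]
    .example.com = EXAMPLE.COM
    example.com  = EXAMPLE.COM
    .partner.org = PARTNER.ORG
    partner.org  = PARTNER.ORG

; Explicit trust paths. "." means a direct hop: to reach PARTNER.ORG from
; EXAMPLE.COM the client asks its own KDC for krbtgt/PARTNER.ORG@EXAMPLE.COM
; and presents that to PARTNER.ORG's KDC. Listing paths here keeps the
; trust explicit instead of letting the library guess a hierarchy.
[capaths]
    EXAMPLE.COM = {
        PARTNER.ORG = .
    }
    PARTNER.ORG = {
        EXAMPLE.COM = .
    }

; Server side (both KDCs, via kadmin), for reference only:
;   addprinc krbtgt/PARTNER.ORG@EXAMPLE.COM   ; same key on both KDCs
;   addprinc krbtgt/EXAMPLE.COM@PARTNER.ORG   ; only needed for the reverse direction
; The cross-realm principal must exist with an identical key in each realm's
; database for the hop to work.
```

With this in place a single kinit as user@EXAMPLE.COM is enough: when Mail.app asks for imap/mail.partner.org, the library maps the host to PARTNER.ORG, fetches the cross-realm TGT from the home KDC, then the service ticket from PARTNER.ORG's KDC, and klist shows all three tickets in the one credential cache under the one primary principal. The thing to keep in mind from the PARTNER.ORG side is that it is now accepting EXAMPLE.COM's KDC as the authority for who user@EXAMPLE.COM is, so authorization on the mail server (which cross-realm principals may log in, and as which local account) still has to be decided explicitly there.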