Mail.app with multiple accounts using Kerberos

Jeffrey Altman jaltman2 at nyc.rr.com
Fri Aug 19 16:25:17 EDT 2005


David:

There are two very different issues that you raise:

(1) why can't a ccache contain TGTs for multiple principal names?

First, on a system that supports the CCAPI such as MacOS X and
Windows, there is no need to attempt this.   It is possible to query
the list of ccaches and therefore the list of Kerberos principal
names.

Secondly, the ccache does not only contain tickets but it also
stores some information that is realm specific such as the time
offset between the client and the KDCs.   This is used to adjust
the ticket times so that we know when they will actually be valid
instead of just approximating it.

(2) why can't an application just know which client principal is
the correct one for the given service?

This answer is extremely complicated since there are lots of edge
cases.   You are describing a scenario in which the user has tickets
for joe at A and joe at B and wants to access mailboxes with service names
of mail at A and mail at B.  Ok.  This seems simple enough, we can just
match the realm names.  But what if you have multiple mailboxes
served by mail at B and one of them is an administrative account.  How is
the mail application supposed to be able to choose between joe at B and
joe/admin at B when contacting mail at B for the personal and admin mailboxes?

What about the case where you have a distributed file system such as
AFS and you have cell at A and cell at B with a cross-realm trust between
A and B.  It is possible for joe at B to be used to contact cell at A and
doing so will get different access than joe at A would.   How would the
file system client automatically choose?

The reality is that in the current day you either need to use
cross-realm or your applications have to maintain knowledge of which
principal should be used to access the given resource.

This is a non-trivial problem.

Jeffrey Altman


More information about the Kerberos mailing list