multiple realm membership

Douglas E. Engert deengert at anl.gov
Thu Feb 16 12:43:19 EST 2006 


Randy Turner wrote:

> Hello,
> 
> I was wondering if the following use-case for Kerberos is valid:
> 
> I have a host that wants to be a member of multiple realms  
> simultaneously.
> 
> When a host boots, it will obtain TG tickets from all ticket-granting  
> servers that it is configured to know about. Essentially logging into  
> to all realms for which the host has valid credentials

Basic Kerberos does not work that way. The host does not get TGTs.
It does not login.  Users get TGTs when they login or do a kinit.

> 
> This is all that has to be done if the host has no kerberized  
> services that it wants to offer. At this point, if there is a client  
> application on the host that wants to connect to a remote service in  
> one of the realms, it selects the right TGT to use and obtains a  

It selects the user's TGT  from the ticket cache, Normally a usee
has only one, and it is pointed at but the KRB5CCNAME env variable.
SO you could juggle these if needed.

> ticket from the KDC/TGS that is associated with the target realm.
> 
> If a host wants to offer kerberized services to potential clients,  
> these clients could be attempt to access the services from any of the  
> realms for which the host is a member. I'm assuming this means the  
> host would have to keep <n> keytabs that are sync'd with the KDC from  
> each realm.

The host's keytab entries from different realms can all be in the same
keytab if you want.


> Also, if a remote client sends a service ticket  
> requesting access to a service, the host needs to know from what  
> realm the request is coming from in order to select the right keytab  
> to decrypt the ticket. 

It knows what realm it is from as that is part of the principal:
  <service>/<hostname>@<realm>

Is there unencrypted portions of the ticket
> that can be used to find out from what realm the request is coming  
> from ?

Yes, see http://www.ietf.org/rfc/rfc4120.txt

> 
> I guess I'm curious if there are precedents for having a host  
> maintaining simultaneous connectivity to multiple realms and have a  
> set of username/password credentials for each of these realms?


Host's don't normmaly have username/passwords. They have service
principals and keys.

But if I think I know what you are asking, yes a host can have multiple
keytab entries from different realms, which is handy while moving a host
from one realm to another.

> 
> I'm curious if MIT-Kerberos even supports this type of scenario?

Yes, the rlogind will do this using any host/<hostname>@* entry
found in the keytab. but the gssapi may or may not depending on
how the gss_accept_sec_contect was called. It my only
accept for the default realm. There are mods to get around this.

> 
> Thanks in advance for any insight into this use case?
> Randy
> 
> ________________________________________________
> Kerberos mailing list           Kerberos at mit.edu
> https://mailman.mit.edu/mailman/listinfo/kerberos
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

More information about the Kerberos mailing list