KfW 3.2.2 multiple users via SSH
petesea@bigfoot.com
Mon Nov 9 17:50:04 EST 2009
I'm using Kerberos for Windows 3.2.2 on Windows XP SP3 and noticed a
problem using kinit/klist when multiple users ssh to the host.

If I ssh to the Windows host as "userA", then run klist, I see the
following:

(as userA - krbcc32s NOT running)
$ klist
klist.exe: No credentials cache found (ticket cache API:krb5cc)

That's as expected. And... looking at ProcessExplorer, the krbcc32s
process is now running as "userA".

Now, ssh as "userB" and run klist:

(as userB - krbcc32s running as userA)
$ klist
klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

If I kill krbcc32s and redo the test, but log in as "userB" first, I see
just the reverse, i.e.:

(as userB - krbcc32s NOT running)
$ klist
klist.exe: No credentials cache found (ticket cache API:krb5cc)

(as userA - krbcc32s running as userB)
$ klist
klist.exe: Credentials cache I/O operation failed XXX while getting default ccache

My first suspicion was the fact that the CC is the same for both users
(API:krb5cc), but if I redo the above tests and set KRB5CCNAME to
something unique for each user (e.g. API:krb5cc_userA, API:krb5cc_userB) it
fails the same way.

If I use a unique "FILE:" credentials cache for each user (e.g.
FILE:C:/tmp/krb5cc_userA, FILE:C:/tmp/krb5cc_userB), then it seems to
work, but krbcc32s is running as the first user who started it, which
bothers me.

Soooo... 2 questions:

1) Is it not possible to use an API: credentials cache for more than one
user?

2) Is it OK to use a FILE: credentials cache in this case even though
krbcc32s is running as the first user who started it?