multiple principals in one cache?

Russ Allbery rra at stanford.edu
Wed Nov 10 17:31:17 EST 2010


Abe Singer <abe at ligo.caltech.edu> writes:

> According to kinit(1), when doing a kinit "Any existing tickets for
> _principal_ are overwritten."  However, we've found that *all* tickets
> are destroyed.  So if one does a kinit for user@REALM-1, then does a
> kinit for user@REALM-2, the tickets for user@REALM-1 get deleted from
> the cache.

> We'd *like* to be able to kinit multiple principals for use with services
> in different realms (e.g. working realm and test realm).  Is the
> behavior we're seeing intentional (and the documentation is buggy) or a
> bug?

It's just not supported by the ticket cache format and ticket manager that
is used by default on UNIX.  The Kerberos implementations generally have
some support for this in other ticket cache types, and there have been
various proposals for how to store multiple principals in FILE caches, but
as yet I don't think any of that work is complete and usable.

The hard problem isn't so much how to store the data as it is how to
choose which ticket to use.  If you have tickets for multiple realms, you
have to figure out, when accessing a service, which of them to use.  I
think that's handled in the non-FILE ticket cache types, by recording a
current "default" identity somewhere, but I don't think any of that has
been implemented yet for the UNIX FILE ticket cache formats.

I may have missed a development in this area, though.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
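Editor's note: the usual workaround for the single-principal FILE cache, and the "which ticket do I use" problem Russ describes, is to keep one cache per realm and select it through KRB5CCNAME, which libkrb5 honours. The script below is an added example, not code from the original thread. It assumes a hypothetical layout of one cache per realm under a directory named by KRB5CC_DIR (default /tmp), files named krb5cc_<uid>_<realm>, and a DEFAULT_REALM variable for service names that carry no explicit realm; the helper names realm_of, cache_for_realm, cache_for_service and with_realm are the example's own. The selection rule is the simple one: use the cache whose client principal lives in the realm of the service being contacted.

```shell
#!/bin/sh
# Added example (not from the original post): one FILE cache per realm,
# chosen by the realm of the service principal.  Assumptions: caches live
# under $KRB5CC_DIR (default /tmp) as krb5cc_<uid>_<realm>; a service name
# without '@' belongs to $DEFAULT_REALM.  Nothing here talks to a KDC.

# realm_of PRINCIPAL -> the realm after the last '@', or nothing if absent.
realm_of() {
    case "$1" in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   printf '\n' ;;
    esac
}

# cache_for_realm REALM -> the FILE: cache holding this realm's tickets.
# Characters outside a safe set are mapped to '_' so a realm name can never
# steer the path elsewhere.
cache_for_realm() {
    realm=$1
    dir=${KRB5CC_DIR:-/tmp}
    uid=$(id -u)
    safe=$(printf '%s' "$realm" | sed 's/[^A-Za-z0-9._-]/_/g')
    printf 'FILE:%s/krb5cc_%s_%s\n' "$dir" "$uid" "$safe"
}

# cache_for_service SERVICE_PRINCIPAL -> cache to use when contacting it.
# A realm-less service falls back to DEFAULT_REALM; refusing to guess is
# safer than silently using whatever cache happens to be current.
cache_for_service() {
    realm=$(realm_of "$1")
    if [ -z "$realm" ]; then
        realm=${DEFAULT_REALM:?set DEFAULT_REALM for realm-less service names}
    fi
    cache_for_realm "$realm"
}

# with_realm REALM CMD [ARGS...] -> run CMD with KRB5CCNAME set to the
# realm's cache, leaving the caller's environment untouched.
with_realm() {
    realm=$1
    shift
    KRB5CCNAME=$(cache_for_realm "$realm") "$@"
}
```

Usage, assuming a reachable KDC for each realm: `with_realm REALM-1 kinit user@REALM-1` and `with_realm REALM-2 kinit user@REALM-2` populate two independent caches, so the second kinit no longer destroys the first realm's tickets; `with_realm REALM-2 ssh host.test.example` then picks up the test-realm credentials. The realm-of-the-service rule is a heuristic: with cross-realm trust a single TGT could legitimately reach services in another realm, and the function would still insist on the other realm's cache, which is the policy decision Russ points to as the hard part.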
