multiple principals in one cache?

Ken Hornstein kenh at cmf.nrl.navy.mil
Wed Nov 10 18:29:30 EST 2010


>> We'd *like* to be able to kinit multiple principals for use with services
>> in different realms (e.g. working realm and test realm).  Is the
>> behavior we're seeing intentional (and the documentation is buggy) or a
>> bug?
>
>The hard problem isn't so much how to store the data as it is how to
>choose which ticket to use.  If you have tickets for multiple realms, you
>have to figure out, when accessing a service, which of them to use.  I
>think that's handled in the non-FILE ticket cache types, by recording a
>current "default" identity somewhere, but I don't think any of that has
>been implemented yet for the UNIX FILE ticket cache formats.

AFAIK, the FILE ticket cache has (and always has) the concept of
the "primary principal"; this is what prints out under "Default principal"
when you do klist.

It is possible (but not with the default tools) to put two (or as many as
you want) TGTs in one credential cache; I once had to deal with a bug
report with aklog from a site which did that (but my answer was, "uh,
how the hell is that supposed to work?").  But as Russ has already
alluded to, none of the programs you want to use will work correctly when
you do this; they all use the default principal as the client principal
when requesting tickets, so if your primary principal is user@REALM-1,
even if you have a ticket for user@REALM-2 the client libraries will
use user@REALM-1 and will attempt to do cross-realm.

So, what are your options?  Assuming you really want to use principals in
two different realms at the same time (or really, any two arbitrary
principals), I believe that your options are, in no particular order:

- Update the tools.  Modify kinit so it doesn't clear out the credential
  cache when you kinit, and then either create/modify a tool to
  rewrite the credential cache with a new primary principal (but
  keep all of the tickets) OR change all of the client tools to let
  you specify an arbitrary client/realm name.
- Play some games with credential caches.  Have two simultaneous credential
  caches and switch between them via changing environment variables.
- Use a Mac, which already has support for this.  Although what IT does is
  a little bit funky: it keeps the tickets for the different principals
  around in another credential cache, so the tickets for user@REALM-1
  are segregated from the tickets for user@REALM-2 (see the -A option
  to klist and kswitch under MacOS X).  But it works and is probably
  the most reasonable option that I know, given all of the issues that
  are involved with it.

Most people I know pick the second option.

--Ken
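The primary-principal point above, worked through as an added example (editor's code, not part of Ken's mail and not MIT krb5 code): it writes a version-4 FILE credential cache that holds TGTs for both user@REALM-1 and user@REALM-2, reads it back, and reproduces the selection rule Ken describes, where the client library only ever looks for a TGT issued to the primary principal. REALM-1, REALM-2 and user come from the thread; the helper names (build_ccache, parse_ccache, tgt_for, sample_ccache), the dummy session key and ticket bytes, and the zeroed timestamps and flags are assumptions made for the demo, and nothing here contacts a KDC.

```python
"""Added example, not from the original mail or from MIT krb5: build a Kerberos
FILE credential cache (format version 4) holding TGTs for two principals, parse
it back, and show that the file carries exactly one primary principal (klist's
"Default principal"), which is the client identity the libraries use.  The byte
layout follows the documented v4 FILE ccache format; REALM-1, REALM-2, "user",
the session key and the ticket bytes are constructed here and never touch a KDC.
"""
import struct
from typing import List, NamedTuple, Optional, Tuple

Principal = Tuple[str, List[str]]   # (realm, name components)
Cred = NamedTuple("Cred", [("client", str), ("server", str)])
CCache = NamedTuple("CCache", [("primary", str), ("creds", List[Cred])])

def _data(b: bytes) -> bytes:
    """ccache 'data' item: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def enc_principal(p: Principal) -> bytes:
    """v3/v4 principal: name_type (1 = NT-PRINCIPAL, fine for a demo), count, realm, components."""
    realm, comps = p
    return struct.pack(">II", 1, len(comps)) + _data(realm.encode()) + b"".join(_data(c.encode()) for c in comps)

def enc_cred(client: Principal, server: Principal, ticket: bytes) -> bytes:
    """One credential record; key, times and flags are placeholder values."""
    key = b"\x11" * 32
    out = enc_principal(client) + enc_principal(server)
    out += struct.pack(">HI", 18, len(key)) + key   # keyblock: enctype (aes256-cts), key
    out += struct.pack(">IIII", 0, 0, 0, 0)        # authtime, starttime, endtime, renew_till
    out += struct.pack(">BI", 0, 0)                # is_skey, ticket_flags
    out += struct.pack(">II", 0, 0)                # zero addresses, zero authdata entries
    return out + _data(ticket) + _data(b"")        # ticket, second_ticket

def build_ccache(primary: Principal, creds) -> bytes:
    """v4 file: version 0x0504, tagged header (tag 1 = KDC time offset), primary, creds."""
    header = struct.pack(">HHii", 1, 8, 0, 0)
    out = struct.pack(">HH", 0x0504, len(header)) + header + enc_principal(primary)
    return out + b"".join(enc_cred(c, s, t) for c, s, t in creds)

class _Reader:
    def __init__(self, buf: bytes): self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated credential cache")
        self.pos += n
        return self.buf[self.pos - n:self.pos]

    def u16(self) -> int: return struct.unpack(">H", self.take(2))[0]
    def u32(self) -> int: return struct.unpack(">I", self.take(4))[0]
    def data(self) -> bytes: return self.take(self.u32())

    def principal(self) -> str:
        self.u32()                                 # name_type, not needed here
        n = self.u32()
        realm = self.data().decode()
        return "/".join(self.data().decode() for _ in range(n)) + "@" + realm

    def cred(self) -> Cred:
        client, server = self.principal(), self.principal()
        self.u16(); self.take(self.u32())          # keyblock: enctype, key
        self.take(16 + 1 + 4)                      # four timestamps, is_skey, ticket_flags
        for _ in range(self.u32()):                # addresses: addrtype + data
            self.u16(); self.data()
        for _ in range(self.u32()):                # authdata: ad_type + data
            self.u16(); self.data()
        self.data(); self.data()                   # ticket, second_ticket
        return Cred(client, server)

def parse_ccache(buf: bytes) -> CCache:
    r = _Reader(buf)
    if r.u16() != 0x0504:
        raise ValueError("only FILE ccache format version 4 is handled here")
    r.take(r.u16())                                # skip the tagged header
    cc = CCache(r.principal(), [])
    while r.pos < len(buf):
        cc.creds.append(r.cred())
    return cc

def tgt_for(cc: CCache, service_realm: str) -> Optional[Cred]:
    """The library's lookup reduced to its essence: the client is always the primary
    principal, so only a TGT issued to the primary (local, or the cross-realm
    krbtgt/<service_realm>@<primary realm>) is a candidate; a TGT the cache holds
    for any other client principal is never selected."""
    wanted = f"krbtgt/{service_realm}@{cc.primary.split('@', 1)[1]}"
    return next((c for c in cc.creds if c.client == cc.primary and c.server == wanted), None)

def sample_ccache() -> bytes:
    """Constructed cache: primary user@REALM-1, plus a TGT obtained as user@REALM-2."""
    u1, u2 = ("REALM-1", ["user"]), ("REALM-2", ["user"])
    return build_ccache(u1, [(u1, ("REALM-1", ["krbtgt", "REALM-1"]), b"tgt-1"),
                             (u2, ("REALM-2", ["krbtgt", "REALM-2"]), b"tgt-2")])

if __name__ == "__main__":
    cc = parse_ccache(sample_ccache())
    print("Default principal:", cc.primary, [f"{c.client} -> {c.server}" for c in cc.creds])
    print("TGT selected for a REALM-2 service:", tgt_for(cc, "REALM-2"))  # None: would try cross-realm via REALM-1
```

Running it shows two TGTs in the one cache but a single "Default principal" of user@REALM-1, and tgt_for() returns None for REALM-2: the user@REALM-2 TGT sits unused while the library would go looking for krbtgt/REALM-2@REALM-1, exactly the cross-realm attempt described above. A cache whose only REALM-2 entry is that cross-realm TGT issued to user@REALM-1 is selected fine, which is the behaviour the default tools are built around.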
