Two realms and access to Kerberized NFS areas?

Mantas Mikulėnas grawity at gmail.com
Thu Sep 6 09:41:11 EDT 2012


On Thu, Sep 6, 2012 at 3:54 PM, Kevin Longfellow <klongfel at yahoo.com> wrote:
> user logs in and runs kinit kbprinc at REALM1.COM
> user accesses Kerberized NFS home areas in REALM1.COM
>
> user now needs access to Kerberized NFS areas in REALM2.COM
>
> Can they simply run kinit kbprinc at REALM2.COM and both realms tgt/tgs will be maintained separately with both NFS areas being accessible?
>
> or
>
> When they run kinit kbprinc at REALM2.COM will that remove the tgt/tgs for REALM1.COM and remove access to REALM1.COM Kerberized NFS areas?

With traditional "FILE:" ccaches (e.g. the default
FILE:/tmp/krb5cc_*), the latter – the old cache will get destroyed and
a new one created in its place.

With directory ccaches ("DIR:/path"), the former – the old cache will
remain, and a new one will be added to the collection. (`klist -l`
shows the contents.)

However, the DIR type is only supported as of MIT Krb5 v1.10 and needs
at least nfs-utils v1.2.7-rc5, as well as reconfiguring the client
systems – both to create DIR ccaches on login (instead of FILE) and to
use DIR for the default ccache.

-- 
Mantas Mikulėnas
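
An added example, not part of the original message: a small Python reader that lists which principal each cache in a DIR: collection holds, so you can confirm that tickets for both realms coexist after the second kinit. It assumes MIT krb5's on-disk layout (a `primary` file naming the active cache, plus `tkt*` files in FILE format v3/v4); `sample_cache` is a hypothetical helper that builds constructed test data.

```python
import os
import struct

def default_principal(data):
    """Parse 'name@REALM' from the start of a FILE-format (v3/v4) ccache."""
    if data[:1] != b"\x05" or data[1:2] not in (b"\x03", b"\x04"):
        raise ValueError("unsupported ccache version")
    # v4 inserts a length-prefixed header block after the 2-byte version
    pos = 4 + struct.unpack_from(">H", data, 2)[0] if data[1] == 4 else 2
    _name_type, count = struct.unpack_from(">II", data, pos)
    pos += 8
    parts = []
    for _ in range(count + 1):  # realm first, then each name component
        (n,) = struct.unpack_from(">I", data, pos)
        if pos + 4 + n > len(data):
            raise ValueError("truncated principal")
        parts.append(data[pos + 4:pos + 4 + n].decode("utf-8", "replace"))
        pos += 4 + n
    return "/".join(parts[1:]) + "@" + parts[0]

def list_collection(ccname):
    """Return {cache file: (default principal, is_primary)} for DIR:/path."""
    kind, _, path = ccname.partition(":")
    if kind != "DIR" or path.startswith(":"):
        raise ValueError("not a DIR: collection name: %r" % ccname)
    try:
        with open(os.path.join(path, "primary")) as f:
            primary = f.read().strip()
    except FileNotFoundError:
        primary = None
    caches = {}
    for name in sorted(os.listdir(path)):
        if name.startswith("tkt"):
            with open(os.path.join(path, name), "rb") as f:
                try:
                    princ = default_principal(f.read())
                except (ValueError, struct.error) as exc:
                    princ = "<unreadable: %s>" % exc
            caches[name] = (princ, name == primary)
    return caches

def sample_cache(realm, *components):
    """Constructed v4 cache prefix (empty header, no credentials) for demos."""
    fields = [realm.encode()] + [c.encode() for c in components]
    body = b"".join(struct.pack(">I", len(x)) + x for x in fields)
    return b"\x05\x04\x00\x00" + struct.pack(">II", 1, len(components)) + body

if __name__ == "__main__":
    for name, (princ, prim) in list_collection(os.environ["KRB5CCNAME"]).items():
        print("*" if prim else " ", name, princ)
```
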


