Multiple principals in a single kerberos keytab file?

Srivatsan vn srivatsan.vn at gmail.com
Mon Apr 8 22:50:13 EDT 2013


Hi,
   I have a situation where I have multiple keytab files (different
principal accounts) and my application is going to use these different
service principal accounts and connect to one or more Oracle databases (all
Kerberos enabled). Can I maintain only one keytab (merging all into one) in
my application environment?
If I merge all keytabs into one using ktutil and issue kinit (or okinit)
using the keytab and service principal, I can see the command runs successfully
and see the credential cache getting updated. But I am not sure if the single
cache file is actually storing tickets for all the principals. When I issue
klist (or oklist), I can only see the last issued service principal's ticket.

Do we ever put more than one principal in a single keytab file and maintain
it in an application env? If not, why is there an option to merge keytab
files? Only to be used in the KDC, maybe?
The reason why I want to maintain one keytab is that my applications rely on the
Oracle OCI thick driver (sqlnet.ora), and I can't maintain multiple keytab
files and multiple sqlnet.ora files, as sqlnet.ora cannot be switched or
changed at runtime.

I know I am missing something here, perhaps a flaw in my application design
in using more than one service account in my application?

Please give me some direction; I can't find the right forum to get my
queries answered. Thanks in advance.

-Srivatsan Nallazhagappan
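A keytab is simply a sequence of entries, each carrying its own principal name, kvno and key, which is why ktutil can merge several into one file; the ticket cache that kinit populates is a separate thing. The parser below (an added example, not code from the poster) reads the MIT keytab format 0x0502 and lists every principal in a merged file, so you can confirm what a merge actually produced; the two-entry keytab it decodes is constructed inline and its realm and host names are made up.

```python
import struct

def _entry(realm, comps, name_type, ts, kvno, enctype, key):
    """Serialise one keytab entry (MIT format 0x0502, big-endian)."""
    body = struct.pack(">H", len(comps))
    body += struct.pack(">H", len(realm)) + realm
    for c in comps:
        body += struct.pack(">H", len(c)) + c
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)  # name type, timestamp, 8-bit kvno
    body += struct.pack(">HH", enctype, len(key)) + key      # keyblock
    body += struct.pack(">I", kvno)                          # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body

# Constructed sample: what a ktutil merge of two service keytabs would yield.
SAMPLE_KEYTAB = (
    b"\x05\x02"
    + _entry(b"EXAMPLE.COM", [b"oracle", b"db1.example.com"], 1, 1365475813, 3, 18, b"\x11" * 32)
    + _entry(b"EXAMPLE.COM", [b"oracle", b"db2.example.com"], 1, 1365475813, 7, 18, b"\x22" * 32)
)

def _read_str(data, pos):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode(), pos + 2 + n

def parse_keytab(data):
    """Return (principal, kvno, enctype) for every live entry in a keytab blob."""
    if len(data) < 2 or data[0] != 5 or data[1] != 2:
        raise ValueError("only keytab format 0x0502 is handled here")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                 # negative size marks a deleted entry: skip the hole
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_str(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_str(data, pos)
            comps.append(c)
        pos += 4                     # name_type (present in format 2)
        ts, vno8 = struct.unpack_from(">IB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 5)
        pos += 9 + klen              # skip the key material itself
        kvno = vno8
        if end - pos >= 4:           # 32-bit kvno present; a zero means "use vno8"
            kvno = struct.unpack_from(">I", data, pos)[0] or vno8
        entries.append(("/".join(comps) + "@" + realm, kvno, enctype))
        pos = end
    return entries

def principals(data):
    """Distinct principal names held in the keytab, as `klist -k` would list them."""
    return sorted({p for p, _, _ in parse_keytab(data)})
```

Run against a real file with `parse_keytab(open("/path/to/merged.keytab", "rb").read())`; each principal listed is one the keytab can authenticate as, independently of which one the credential cache currently shows.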

