What's necessary to make wallet serve multiple realms?

Russ Allbery rra at stanford.edu
Mon Sep 16 12:05:19 EDT 2013


Tom_Krauss <thomas.krauss at itserv.de> writes:

> I wonder what's the easiest way to get this done?

> I assume I need to compile the server side with appropriate suffixes per
> realm and refer to them by wallet_type on the client?

That would probably be the easiest way to handle it, since right now all
of the keytab object implementation can only be configured to talk to a
single realm.

> What would be a clever place to set "WALLET_CONFIG" for the different
> realms on the server?

Probably it makes sense to do this in the wallet-backend script.  Look for
objects of type keytab and then extract the realm from the principal name,
use that to determine the WALLET_CONFIG to set, and then invoke the normal
Perl modules but with the principal modified to not include the realm.

I hope to have time in the next three to six months to do another major
cleanup and partial rewrite of wallet and will try to keep this use case
in mind when I do to make it a bit easier.

-- 
Russ Allbery (rra at stanford.edu)             <http://www.eyrie.org/~eagle/>
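
The routing step described in the reply above, sketched as an added example (not part of the original message and not code from the wallet distribution). The realm names, config file paths and the `route_by_realm` helper are hypothetical, and the argument order (command, object type, object name) is an assumption about how the backend is invoked.

```perl
#!/usr/bin/perl
# Added example: per-realm WALLET_CONFIG selection for keytab objects.
use strict;
use warnings;

# Hypothetical realm-to-config map; realms and paths are placeholders.
my %CONFIG_FOR = (
    'EXAMPLE.ORG'     => '/etc/wallet/wallet-example-org.conf',
    'LAB.EXAMPLE.ORG' => '/etc/wallet/wallet-lab.conf',
);

# Takes the backend arguments (assumed order: command, type, name).
# Returns the config path to use (undef for the default) followed by the
# arguments, with the realm stripped from a keytab principal.
sub route_by_realm {
    my @args = @_;
    my ($command, $type, $name) = @args;
    return (undef, @args)
      unless defined $name && $command ne 'acl' && $type eq 'keytab';

    # Split on the last "@"; a name without a realm keeps the default config.
    my ($principal, $realm) = $name =~ m{ \A (.+) \@ ([^\@]+) \z }xms
      or return (undef, @args);

    # Only allowlisted realms select a config.  The realm is client input,
    # so it is used as a hash key and never interpolated into a path.
    my $config = $CONFIG_FOR{$realm}
      or die "realm $realm is not served by this wallet server\n";
    $args[2] = $principal;
    return ($config, @args);
}

# Constructed sample invocations, run only when executed as a script.
unless (caller) {
    for my $sample (
        [qw(get keytab host/www.example.org@EXAMPLE.ORG)],
        [qw(get keytab service/db@LAB.EXAMPLE.ORG)],
        [qw(show file ssh-host-key)],
        [qw(get keytab host/x.example.net@OTHER.EXAMPLE.NET)],
      )
    {
        my ($config, @rewritten) = eval { route_by_realm(@$sample) };
        if ($@) { print "rejected: $@"; next }
        local $ENV{WALLET_CONFIG} = $config if defined $config;
        printf "%-40s %s\n", "@rewritten", $ENV{WALLET_CONFIG} // '(default)';
    }
}
```

In a real wrapper, WALLET_CONFIG would be set before the wallet Perl modules are loaded, and a request for a realm outside the map is refused rather than falling back to the default realm's configuration.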

