Multiple principals from different realms via kinit?

Greg Hudson ghudson at mit.edu
Thu Aug 28 12:29:55 EDT 2014


On 08/28/2014 10:17 AM, Cedric Blancher wrote:
>>> How do services like NFSv4, HTTP/spnego or GSSAPI know which of the
>>> entries is the one they want?

NFS is a special case, as the program making the decision doesn't have
access to the environment of the process which made the filesystem call.
I'm not sure what the state of the art is here; typically gssd needs
some knowledge of where the login system puts credentials, and it might
make a choice based on the username.

>> They'll make a guess based on the realm, or pick the primary.
> 
> How do they 'guess'?

If an application doesn't specify a client name, there are three
mechanisms in order of priority:

1. The .k5identity file allows you to configure a client principal based
on the target principal.  See:
http://web.mit.edu/kerberos/krb5-latest/doc/user/user_config/k5identity.html

2. If the realm of the target service is known via a [domain_realm]
mapping in krb5.conf, a client principal in that realm will be selected.

3. The primary cache.

It is also possible to write a plugin module which controls ccache
selection, but I'm not aware of anyone doing so.

You can also set KRB5CCNAME to the name of a subsidiary cache within the
collection, to control the choice for a particular process.

> Is it possible to get rid of the notion of a primary one day?

It might be possible, but why would we want to?


More information about the Kerberos mailing list
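The three-step selection described in Greg's reply (.k5identity rule, then realm via [domain_realm], then the primary cache), plus the KRB5CCNAME override of a subsidiary cache, modelled as an added example. This is not MIT krb5's own code: the helper names, the sample .k5identity contents, the [domain_realm] mapping and the DIR cache collection are constructed for the illustration, and the matching rules are a simplified reading of the k5identity and krb5.conf documentation (for instance, a .k5identity rule naming a principal with no cache in the collection is assumed to fall through to the next step).

```python
"""Model of MIT krb5 client-cache selection (added illustration, not krb5 code).

Helper names, sample .k5identity contents, the [domain_realm] mapping and the
cache collection below are constructed; matching rules are simplified from the
k5identity(5) and krb5.conf(5) documentation, not taken from libkrb5.
"""
from dataclasses import dataclass


@dataclass
class Principal:
    components: list
    realm: str  # empty string means "realm not known"

    @staticmethod
    def parse(text):
        name, sep, realm = text.rpartition("@")
        if not sep:  # no '@' at all: realm unknown
            name, realm = text, ""
        return Principal(name.split("/"), realm)

    def is_host_based(self):
        # service/hostname form (assumption: any two-component name counts;
        # the real library also checks that the second component is a host).
        return len(self.components) == 2


def parse_k5identity(text):
    """Parse .k5identity lines of the form 'principal field=value ...'."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        rules.append((parts[0], dict(p.split("=", 1) for p in parts[1:])))
    return rules


def k5identity_match(rules, target):
    """Step 1: first rule whose fields all match the target principal."""
    for client, fields in rules:
        matched = True
        for key, value in fields.items():
            if key == "realm":
                matched = target.realm == value
            elif key == "service":
                matched = target.is_host_based() and target.components[0] == value
            elif key == "host":  # hostname compared case-insensitively
                matched = (target.is_host_based()
                           and target.components[1].lower() == value.lower())
            else:
                matched = False  # unknown field: treat as non-matching
            if not matched:
                break
        if matched:
            return client
    return None


def domain_realm_lookup(mapping, hostname):
    """Step 2 helper: exact host entry first, then '.parent.domain' entries."""
    host = hostname.lower()
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return None


def select_cache(target_text, caches, primary, rules, domain_realm, krb5ccname=None):
    """Return (cache_name, reason). caches maps cache name -> its client
    principal; krb5ccname models KRB5CCNAME naming one subsidiary cache."""
    if krb5ccname in caches:
        return krb5ccname, "KRB5CCNAME"  # explicit choice, no guessing
    target = Principal.parse(target_text)
    # 1. .k5identity rule (assumption: no matching cache -> fall through).
    client = k5identity_match(rules, target)
    if client is not None:
        for name, cache_client in caches.items():
            if cache_client == client:
                return name, "k5identity"
    # 2. Realm of the target, given directly or found via [domain_realm].
    realm = target.realm
    if not realm and target.is_host_based():
        realm = domain_realm_lookup(domain_realm, target.components[1])
    if realm:
        for name, cache_client in caches.items():
            if Principal.parse(cache_client).realm == realm:
                return name, "realm"
    # 3. Primary cache of the collection.
    return primary, "primary"


# Constructed sample data for the example.
RULES = parse_k5identity("""\
# constructed ~/.k5identity
alice/mail@EXAMPLE.COM service=imap
alice/root@EXAMPLE.COM host=admin.example.com
""")
DOMAIN_REALM = {".corp.example.net": "CORP.EXAMPLE.NET"}
CACHES = {
    "DIR::/run/user/1000/krb5cc/tkt": "alice@EXAMPLE.COM",
    "DIR::/run/user/1000/krb5cc/tktAAAA": "bob@CORP.EXAMPLE.NET",
    "DIR::/run/user/1000/krb5cc/tktBBBB": "alice/mail@EXAMPLE.COM",
    "DIR::/run/user/1000/krb5cc/tktCCCC": "alice/root@EXAMPLE.COM",
}
PRIMARY = "DIR::/run/user/1000/krb5cc/tkt"


def demo(target, krb5ccname=None):
    return select_cache(target, CACHES, PRIMARY, RULES, DOMAIN_REALM, krb5ccname)
```

Calling demo("nfs/fs.corp.example.net") picks bob's cache because the hostname maps to CORP.EXAMPLE.NET through [domain_realm], while demo("HTTP/www.other.org") has no rule and no realm mapping and so lands on the primary cache, which is the fallback the thread is discussing.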