How to use NFS with multiple principals in different realms?

Jurjen Bokma j.bokma at rug.nl
Thu Sep 4 08:32:51 EDT 2014


On 09/04/2014 01:25 PM, Cedric Blancher wrote:
> On 4 September 2014 11:33, Jurjen Bokma <j.bokma at rug.nl> wrote:
>> You use cross realm authentication, so that your NFS client may obtain
>> tickets for servers that are not in its own realm.
> 
> What if I cannot use cross realm authentication? For example if both
> realms do not like each other?
> What if I really have to kinit into multiple realms? Kerberos since
> 1.10 can do that and klist now has a new flag -A to list all entries
> if KRB5CCNAME points to a directory, e.g.
> KRB5CCNAME=DIR:/tmp/krbcc$UID/
> 
> Ced
> 
I tried that about a year ago, and failed to make it work.
As far as I know, gssd always picks the same key to authenticate with. I
did offer a patch on this list a couple of weeks ago that uses a
krb5.conf appdefaults option to configure *which* key, but that one
still doesn't make it possible to pick a different key for different shares.

Sorry
Jurjen



More information about the Kerberos mailing list