Updates (multi-realm) to Leash32...

Ken Hornstein kenh at cmf.nrl.navy.mil
Fri Jan 10 15:39:00 EST 2003


>By Multi-realm I mean "multiple realms"...  If you've used Krb5 much
>you know that you can authenticate to multiple realms easily using
>the kinit command.  I can do 'kinit jlockard@SI.UMICH.EDU' and then
>'kinit jlockard@UMICH.EDU' to get tickets in both realms.

... except, of course, that unless you have two KRB5CCNAME environment
variables the second kinit will wipe out the credentials from the
first kinit.

>I would
>expect that if my application recognizes Krb5 that my application
>would allow me to choose the realm in which I want it to do things.

In my years of using Kerberos 5, I've _never_ seen a Kerberized
application that let you pick which principal you should use to
authenticate.  I'm not counting the old Unix trick of setting the
KRB5CCNAME environment variable.

The closest I've ever seen is what's on the Mac, where you can
manage multiple TGTs and select which principal is your primary
principal.  But again, that isn't a per-application thing.

--Ken
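
The KRB5CCNAME trick mentioned in the message above, as an added example that is not part of the original post: a POSIX shell sketch that gives each principal its own credential cache, so a second kinit does not overwrite the first and a single command can be run against a chosen principal. The function names and the cache directory layout are assumptions; only kinit and KRB5CCNAME come from the thread.

```shell
# Added example: one credential cache per principal, selected via KRB5CCNAME.
# cc_dir, cc_name_for, kinit_as and with_principal are hypothetical helper names.

# Private per-user directory for the caches (assumed layout).
cc_dir() {
    printf '%s/krb5cc-%s' "${XDG_RUNTIME_DIR:-/tmp}" "$(id -u)"
}

# Map user@REALM to a distinct FILE: cache name; reject input without a realm.
cc_name_for() {
    case $1 in
        *@*) ;;
        *) return 1 ;;
    esac
    # Replace anything outside a conservative character set so the
    # principal cannot introduce path separators into the file name.
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9._@-' '_')
    printf 'FILE:%s/%s' "$(cc_dir)" "$safe"
}

# Obtain a TGT for one principal without touching the default cache.
kinit_as() {
    cc=$(cc_name_for "$1") || { echo "usage: kinit_as user@REALM" >&2; return 2; }
    d=$(cc_dir)
    # Directory must be ours and mode 0700; chmod fails if someone else owns it.
    ( umask 077; mkdir -p "$d" ) && chmod 700 "$d" || return 3
    KRB5CCNAME=$cc kinit "$1"
}

# Run one command with the chosen principal's cache, e.g.
#   with_principal jlockard@UMICH.EDU klist
with_principal() {
    cc=$(cc_name_for "$1") || return 2
    shift
    KRB5CCNAME=$cc "$@"
}
```

KRB5CCNAME is set only for the child process in each call, so the caller's default cache is left alone.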


