Updates (multi-realm) to Leash32...

Steve Langasek vorlon at netexpress.net
Fri Jan 10 16:49:00 EST 2003


On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
> >By Multi-realm I mean "multiple realms"...  If you've used Krb5 much
> >you know that you can authenticate to multiple realms easily using
> >the kinit command.  I can do 'kinit jlockard@SI.UMICH.EDU' and then
> >'kinit jlockard@UMICH.EDU' to get tickets in both realms.

> ... except, of course, that unless you have two KRB5CCNAME environment
> variables the second kinit will wipe out the credentials from the
> first kinit.

> >I would
> >expect that if my application recognizes Krb5 that my application
> >would allow me to choose the realm in which I want it to do things.

> In my years of using Kerberos 5, I've _never_ seen a Kerberized
> application that let you pick which principal you should use to
> authenticate.  I'm not counting the old Unix trick of setting the
> KRB5CCNAME environment variable.

I think the OpenLDAP tools, with SASL, let you do this sort of thing.

-- 
Steve Langasek
postmodern programmer