Updates (multi-realm) to Leash32...
John M. Lockard
jlockard at umich.edu
Fri Jan 10 17:03:01 EST 2003
On Fri, Jan 10, 2003 at 03:38:33PM -0500, Ken Hornstein wrote:
> >By Multi-realm I mean "multiple realms"... If you've used Krb5 much
> >you know that you can authenticate to multiple realms easily using
> >the kinit command. I can do 'kinit jlockard@SI.UMICH.EDU' and then
> >'kinit jlockard@UMICH.EDU' to get tickets in both realms.
> ... except, of course, that unless you have two KRB5CCNAME environment
> variables the second kinit will wipe out the credentials from the
> first kinit.
Yep, I know of that "trick", and it's not the most convenient thing to
try and explain to your normal University computer user.
> >I would
> >expect that if my application recognizes Krb5 that my application
> >would allow me to choose the realm in which I want it to do things.
> In my years of using Kerberos 5, I've _never_ seen a Kerberized
> application that let you pick which principal you should use to
> authenticate. I'm not counting the old Unix trick of setting the
> KRB5CCNAME environment variable.
I never said that I wanted to pick which principal, just the realm.
In an application, such as mulberry, I can tell the app which realm
I want to authenticate to. I may have several identities in the
client, and each identity would have a different realm that it would
> The closest I've ever seen is what is on the Mac, where you can
> manage multiple TGTs and select which principal is your primary
> principal. But again, that isn't a per-application thing.
--jlockard - "There is no 'I' in 'TEAM',
so 'I' am not a part of it." - Jeff VanDeRyt
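
The separate-KRB5CCNAME approach discussed in this message, written out as an added example that is not part of the original post: each realm gets its own credential cache, so a second kinit does not overwrite the first. The function names, the CC_DIR variable and the cache file naming scheme are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: one credential cache per realm, selected through KRB5CCNAME.
# Function names, CC_DIR and the file naming scheme are hypothetical.

# Directory holding the per-realm caches (assumed; override with CC_DIR).
cc_dir() {
    printf '%s\n' "${CC_DIR:-${TMPDIR:-/tmp}}"
}

# Extract the realm from user@REALM; fail when no realm part is present.
realm_of() {
    case "$1" in
        *@?*) printf '%s\n' "${1##*@}" ;;
        *)    return 1 ;;
    esac
}

# Build the KRB5CCNAME value for the realm of the given principal.
ccname_for() {
    realm=$(realm_of "$1") || return 1
    # Reject realms containing anything that is unsafe in a file name.
    case "$realm" in
        *[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'FILE:%s/krb5cc_%s_%s\n' "$(cc_dir)" "$(id -u)" "$realm"
}

# Run kinit so that the ticket lands in the realm-specific cache.
kinit_realm() {
    cc=$(ccname_for "$1") || { echo "bad principal: $1" >&2; return 2; }
    KRB5CCNAME="$cc" kinit "$1"
}

# Run a Kerberized command against the cache for the chosen principal's realm.
with_realm() {
    cc=$(ccname_for "$1") || { echo "bad principal: $1" >&2; return 2; }
    shift
    KRB5CCNAME="$cc" "$@"
}
```

After `kinit_realm jlockard@SI.UMICH.EDU` and `kinit_realm jlockard@UMICH.EDU`, both tickets exist side by side, and `with_realm jlockard@UMICH.EDU klist` inspects only the second cache.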