Re: multiple tgt's
On 26 Apr 2008, at 04:58, Jon Wilson wrote:
> Is there a way with kinit/pkinit to allow multiple tgt's at the same
> time?
>
> ie, a klist would show:
>
> krbtgt/REALM.COM@REALM.COM for bob@REALM.COM
> krbtgt/REALM.NET@REALM.NET for bob@REALM.NET
Most applications don't support client credential selecting.
The only portable way is via switching KRB5CCNAME for each application.
API cache (Mac) and SDB cache (all platforms, not ready for primetime
yet, new with Heimdal 1.2) support kswitch.
The example below is from having the SDB set as the default cache,
there are still some bugs in the SDB cache code though with regards to
multi-credential handling and initial tickets handling.
Love
$ kinit lha@SU.SE
lha@SU.SE's Password:
$ kinit lha@KTH.SE
lha@KTH.SE's Password:
$ klist -l
Principal     Cache name        Expires
lha@SU.SE     unique-00305450   Apr 29 03:57:07
lha@KTH.SE    2                 Apr 29 03:57:32
$ kswitch -p lha@KTH.SE
$ KRB5CCNAME=SDB: klist | head -2
Credentials cache: SDB:2
Principal: lha@KTH.SE
$ kswitch -p lha@SU.SE
$ klist | head -2
Credentials cache: SDB:unique-00305450
Principal: lha@SU.SE
$ kdestroy
$ klist -l
Principal     Cache name        Expires
lha@KTH.SE    2                 Apr 29 03:57:32
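
The portable approach named in the reply (a separate KRB5CCNAME per application) can be wrapped in a small shell helper. This is an added example, not part of the original message or of Heimdal; the function names `ccache_for` and `krb_run`, the `KRB_CC_DIR` variable and the cache directory layout are assumptions made for the illustration.

```shell
# Added example: one FILE: credential cache per principal, selected through
# KRB5CCNAME for a single command only. Names and paths here are assumptions.
#
# Typical use (kinit/klist as in the thread):
#   krb_run bob@REALM.COM kinit bob@REALM.COM
#   krb_run bob@REALM.NET kinit bob@REALM.NET
#   krb_run bob@REALM.NET klist

# Directory that holds the caches; assumed location, override with KRB_CC_DIR.
: "${KRB_CC_DIR:=${HOME:-/tmp}/.krb5cc.d}"

# ccache_for PRINCIPAL
# Prints the cache name (FILE:<dir>/<principal>) used for that principal.
# The principal becomes a file name, so anything that could leave the
# directory is refused: '/', whitespace, a leading dot, an empty name.
# Principals with an instance part (bob/admin@REALM) are therefore refused too.
ccache_for() {
    case "$1" in
        ''|.*|*[!A-Za-z0-9@._-]*)
            echo "ccache_for: unsupported principal name: $1" >&2
            return 1 ;;
    esac
    printf 'FILE:%s/%s\n' "$KRB_CC_DIR" "$1"
}

# krb_run PRINCIPAL COMMAND [ARGS...]
# Runs COMMAND with KRB5CCNAME pointing at PRINCIPAL's cache. The variable is
# set for the child process only; the calling shell's KRB5CCNAME is untouched.
krb_run() {
    _krb_cc=$(ccache_for "$1") || return 1
    shift
    [ "$#" -gt 0 ] || { echo "krb_run: no command given" >&2; return 1; }
    # Tickets are bearer credentials: keep the cache directory owner-only.
    mkdir -p "$KRB_CC_DIR" || return 1
    chmod 700 "$KRB_CC_DIR" || return 1
    env KRB5CCNAME="$_krb_cc" "$@"
}
```

Each application started through `krb_run` sees only the tickets of the principal it was given, so no cache type with kswitch support is needed.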