
Re: multiple tgt's



On 2008-04-28 18:04, Love Hörnquist Åstrand wrote:
> 
> 26 apr 2008 kl. 04.58 skrev Jon Wilson:
> 
> >Is there a way with kinit/pkinit to allow multiple tgt's at the same  
> >time?
> >
> >ie, a klist would show:
> >
> >krbtgt/REALM.COM@REALM.COM for bob@REALM.COM
> >krbtgt/REALM.NET@REALM.NET for bob@REALM.NET
> 
> 
> Most applications don't support client credential selecting.
> 
> The only portable way is via switching KRB5CCNAME for each application.
> 
> API cache (mac) and SDB cache (all platforms, not ready for primetime  
> yet, new with heimdal 1.2) support kswitch.
> 
> 
> The example below is from having the SDB set as the default cache,  
> there are still some bugs in the SDB cache code though with regards to  
> multi-credential handling and initial tickets handling.
> 

I too live in a world where I have a need for multiple TGTs with no
cross-realm.  I have mod_auth_kerb set up in multiple realms.  I
find the only remotely usable solution is to run konqueror with one
KRB5CCNAME and firefox with another, and then make sure I use the
browser that matches the site I want to access.  I also
occasionally abuse symlinks to change ticket caches for some apps
that are already running.  This is pretty inelegant.  Isn't there
some way that heimdal could check through a set of TGTs and if one
matches the realm of the required service ticket use that one?  If
not, try cross-realm through each TGT until one gets you there.
Sure, sometimes you'd have longer-than-optimal cross-realm
traversal, but it'd at least usually work.  

If I (or someone) were to produce a patch to implement this, would
it have a chance of being accepted?

-- 
Alec Kloss  alec@SetFilePointer.com   IM: angryspamhater@yahoo.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, from Frisky Dingo
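The selection rule Alec asks for (pick the TGT whose realm matches the service's realm, otherwise fall back to cross-realm through each remaining TGT) can be modelled outside the library. The following is an added example and not Heimdal code: each credential cache is represented as the list of ticket principals klist would print for it, the cache names and principals are constructed sample data, and the function only ranks candidates; actually fetching the service ticket is left to the caller.

```python
"""Model of a multi-TGT selection rule across several credential caches.

Added example, not part of Heimdal. A cache is modelled as the list of
ticket principals klist would show; cache names below are made up.
"""

# Constructed sample data: three caches, one per realm, with the tickets
# klist would list for each. The ORG cache also holds a cross-realm TGT
# for REALM.NET that was obtained earlier.
CACHES = {
    "FILE:/tmp/krb5cc_1000_COM": [
        "krbtgt/REALM.COM@REALM.COM",
        "HTTP/www.realm.com@REALM.COM",
    ],
    "FILE:/tmp/krb5cc_1000_NET": [
        "krbtgt/REALM.NET@REALM.NET",
    ],
    "FILE:/tmp/krb5cc_1000_ORG": [
        "krbtgt/REALM.ORG@REALM.ORG",
        "krbtgt/REALM.NET@REALM.ORG",
    ],
}


def split_principal(princ):
    """'krbtgt/REALM.NET@REALM.NET' -> ('krbtgt/REALM.NET', 'REALM.NET')."""
    name, sep, realm = princ.rpartition("@")
    if not sep or not name or not realm:
        raise ValueError("principal has no realm: %r" % princ)
    return name, realm


def tgts_in(cache):
    """Yield (tgt_realm, issuing_realm) for every TGT in a cache.

    krbtgt/A@B was issued by realm B and is usable against realm A:
    A == B is an initial TGT, A != B is a cross-realm TGT.
    """
    for princ in cache:
        name, issuing_realm = split_principal(princ)
        if name.startswith("krbtgt/"):
            yield name[len("krbtgt/"):], issuing_realm


def select_caches(caches, service):
    """Rank (cache_name, tgt_principal) pairs for obtaining `service`.

    Preference order:
      1. an initial TGT of the service's own realm (direct issue),
      2. a cross-realm TGT already held for the service's realm,
      3. every other TGT, to attempt cross-realm traversal with.
    An empty list means no TGT is available at all.
    """
    _, svc_realm = split_principal(service)
    direct, cross, other = [], [], []
    for cname, princs in caches.items():
        for tgt_realm, issuing_realm in tgts_in(princs):
            tgt = "krbtgt/%s@%s" % (tgt_realm, issuing_realm)
            if tgt_realm == svc_realm == issuing_realm:
                direct.append((cname, tgt))
            elif tgt_realm == svc_realm:
                cross.append((cname, tgt))
            else:
                other.append((cname, tgt))
    return direct + cross + other


def first_choice(caches, service):
    """The single cache/TGT a client should try first, or None."""
    ranked = select_caches(caches, service)
    return ranked[0] if ranked else None


if __name__ == "__main__":
    for cname, tgt in select_caches(CACHES, "HTTP/www.realm.net@REALM.NET"):
        print("%-28s via %s" % (cname, tgt))
```

Stage 3 is where the "longer-than-optimal cross-realm traversal" Alec mentions happens: a client that works through that list will eventually get a ticket if any of its realms trusts the target, but only after the cheaper candidates have been exhausted. One caveat that a real implementation would have to settle: if two caches hold initial TGTs for the same realm under different client principals, realm matching alone cannot tell which identity the user meant, and the rule above simply returns them in cache order.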
