
Re: none


First of all, thanks for the answer.

On 25 Oct 2002, Johan Danielsson wrote:

> "Eugeny S. Mints" <jack@oktet.ru> writes:
> > Could anybody clarify a usage of krb5_context and krb5_auth_context
> > structures in more words than 'krb5_context is designed to represent
> > the per process state and krb5_auth_context per connection context'.
> I think that describes the situation quite well. The krb5_context
> contains "application settings", while the auth_context contains
> session keys, sequence numbers and such.
> > Examples of usage in a multi-user, multi-process environment are very
> > much appreciated.
> Each process normally has one krb5_context and one or more
> krb5_auth_context's. For multi-threaded applications you could in
> theory share both types of contexts between threads, but that would
> require locking that we don't have.
> > Then I'll change default cache for user0 to cache1 which is empty
> > and again execute, say, ktelnet server0. The question is: will a new
> > TGT be obtained in this case and placed into credential cache cache1?
> No, you never automatically get a new TGT, you have to obtain one
> manually. There's of course no technical reason why telnet couldn't do
> the equivalent of kinit in that case.

The core of my question is the "automatic getting" of a TGT. I will try to
re-form the question. Let me call kinit two times:
1) ./kinit -ccache=cache0
2) ./kinit -ccache=cache1
Suppose that in both cases my principal is the same, the realm is the same,
and there is only one KDC, so that everything is identical except the
credentials caches. Am I right that in this case I will have two different
TGTs? What may be the reason for such behavior? Maybe it is, for example, to
have two different TGSs for one KDC: one TGT, for example, has the
forwardable option set while the other has not?

But what will happen if I call kinit two times with the same parameters?
Will the first TGT be destroyed in this case?

> /Johan