RE: kinit and old credentials



I'm surprised it works with K4. As I recall, K4's credential cache didn't
store a principal name with each individual ticket, but rather it had one
principal name for the entire cache. As such, you shouldn't be able to do
this.

I'm also surprised that it doesn't work with K5, since the K5 credential
cache stored a principal name with each individual ticket. But then again,
this is all from my (8-year-old) memory of the MIT code, and I haven't looked
at the Heimdal cred cache code. I know this whole issue was a problem for us
when we wrote the combined K4/K5 Kclient module back at Platinum Technology;
I solved it by hacking the K4 to behave like the K5 cache, all in a single
shared memory region.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-heimdal-discuss@sics.se
> [mailto:owner-heimdal-discuss@sics.se]On Behalf Of Love
> Sent: Thursday, March 20, 2003 9:23 AM
> To: Andreas Haupt
> Cc: heimdal-discuss@sics.se
> Subject: Re: kinit and old credentials
>
>
> Andreas Haupt <ahaupt@ifh.de> writes:
>
> > Are there plans to enable multiple principals in the credentials file
> > in a future version? This would be very useful for our site.
>
> Yes. I've thought about it.
>
> > To my mind it is a step back, because, as I wrote, it works with
> > Kerberos4.
>
> I don't think it does. Well, now it does, since now there isn't any
> Kerberos 4 cross realm any more.
>
> It works with klog, but that's cheating.
>
> Love
>