[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multiple tgt's

Andreas Haupt wrote:
> Hi,
> we're actually also "suffering" from this problem. Cross realm trust is
> not an option at all in our environment. It's actually difficult and not
> transparent for the users to get tickets for multiple realms.
> Fortunately there are still other ways to get afs tokens for foreign
> cells and hold them simultaneously.
> On Sat, 2008-04-26 at 22:03 +0200, Harald Barth wrote:
>>> krbtgt/REALM.COM@REALM.COM for bob@REALM.COM
>>> krbtgt/REALM.NET@REALM.NET for bob@REALM.NET
>> If we just pretend we have two krbtgt in one ticket cache, which one
>> do you use to derive your service tickets from? If the two realms have
>> cross trust, there are two ways and no way to choose which one.
No, there's no cross trust, so thats not a problem (although it seems 
that even if there were, if one is doing setting up multiple tgt's, and 
since at least one will have to be a kinit (ie, not from login) that 
kinit would ask which one to give preference to if they are both valid 
for a given task).
> How about a configuration option in /etc/krb5.conf?
krb5.conf would work fine, although I'd prefer a less static option (if 
both were available).

thanks for all the input..

Jon Wilson