Re: multiple tgt's
Andreas Haupt wrote:
> Hi,
>
> we're actually also "suffering" from this problem. Cross realm trust is
> not an option at all in our environment. It's actually difficult and not
> transparent for the users to get tickets for multiple realms.
> Fortunately there are still other ways to get afs tokens for foreign
> cells and hold them simultaneously.
>
> On Sat, 2008-04-26 at 22:03 +0200, Harald Barth wrote:
>
>>> krbtgt/REALM.COM@REALM.COM for bob@REALM.COM
>>> krbtgt/REALM.NET@REALM.NET for bob@REALM.NET
>>>
>> If we just pretend we have two krbtgt in one ticket cache, which one
>> do you use to derive your service tickets from? If the two realms have
>> cross trust, there are two ways and no way to choose which one.
>>
No, there's no cross trust, so that's not a problem (although it seems
that even if there were, if one is setting up multiple tgt's, and
since at least one will have to be a kinit (i.e., not from login) that
kinit would ask which one to give preference to if they are both valid
for a given task).
> How about a configuration option in /etc/krb5.conf?
>
krb5.conf would work fine, although I'd prefer a less static option (if
both were available).
Thanks for all the input.
--
Jon Wilson