[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: multiple tgt's

On 2008-04-28 18:04, Love H?rnquist ?strand wrote:
> 26 apr 2008 kl. 04.58 skrev Jon Wilson:
> >Is there a way with kinit/pkinit to allow multiple tgt's at the same  
> >time?
> >
> >ie, a klist would show:
> >
> Most application dont support client credential selecting.
> The only protable way is via switching KRB5CCNAME for each application.
> API cache (mac) and SDB cache (all platforms, not ready for primetime  
> yet, new with heimdal 1.2) supports kswitch.
> The example below if from having the SDB set as the default cache,  
> there are still some bugs in the SDB cache code though with regards to  
> multi-credential handling and inital tickets handling.

I too live in a world where I have a need for multiple TGTs with no
cross-realm.  I have mod_auth_kerb set up in multiple realms.  I
find the only remotely usable solution is to run konqueror with one
KRB5CCNAME and firefox with another, and then make sure I use the
browser that matches the site I want to access.  I also
occasionally abuse symlinks to change ticket caches for some apps
that are already running.  This is pretty inelegant.  Isn't there
some way that heimdal could check through a set of TGTs and if one
matches the realm of the required service ticket use that one?  If
not, try cross-realm through each TGT until one gets you there.
Sure, sometimes you'd have longer-than-optimal cross-realm
traversal, but it'd at least usually work.  

If I (or someone) were to produce a patch to implement this, would
it have a chance of being accepted?

Alec Kloss  alec@SetFilePointer.com   IM: angryspamhater@yahoo.com
PGP key at http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xA241980E
"No Bunny!" -- Simon, from Frisky Dingo

PGP signature