[Freeipa-users] Supporting multiple separate kerberos providers

Simo Sorce ssorce at redhat.com
Thu Sep 30 20:39:39 UTC 2010


On Thu, 30 Sep 2010 13:54:40 -0500
Dennis Gilmore <dennis at ausil.us> wrote:

> Hi All,
> 
> One thing that some folks in Fedora are evaluating is to integrate
> freeipa with fas. This would enable services like koji to gain
> kerberos auth, as well as git etc. It could also be enabled on
> fedorahosted etc. 
> 
> 
> But it brings to light a deficiency in krb5. While you can define
> multiple realms and manually switch between them in various ways, it's
> not user friendly, and doesn't lend itself to having to frequently
> switch between kerberos providers.
> 
> The lacking thing is that you can only cache one TGT at a time. You
> can work around this by manually defining different caches or running
> kinit each time you need to switch.
> 
> The solution seems to me to enable krb5 to cache multiple TGTs.
> Personally, right now I have 2 kerberos servers I frequently deal
> with, 1 for home and one for work. If we end up deploying kerberos
> support in Fedora I'll have 3, and it will get really messy fast. I
> can keep things separate now, but with Fedora and work using
> kerberos that will be impossible. 
> 
> I wanted to throw out there the very real and possible usage scenarios
> and get some further discussion on how best it will be to handle this
> going forward.

I guess we should discuss this with the broader kerberos community.

In theory credential caches can hold multiple tickets, but the tools
(kinit, kdestroy and friends) just do not support it now and tend to
wipe out everything.

I think I've seen recently something about this so maybe voicing the
problem on the "kerberos" (at mit.edu) mailing list may spark a good
discussion.

On my side I will try to make this problem known to some MIT devs and
see what they think.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
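The "manually defining different caches" workaround Dennis describes, written out as an added example (this is not code from the thread, from FreeIPA or from MIT krb5): one FILE: credential cache per realm, selected through KRB5CCNAME, so that running kinit for one realm never destroys the TGT held for another. The realm names, the cache file layout under CCACHE_DIR, the <login>@<REALM> principal convention and the use_realm/ccache_for_realm/principal_for_realm function names are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/MIT krb5: one
# FILE: credential cache per realm, chosen via KRB5CCNAME, so obtaining a
# TGT in one realm never wipes the TGT cached for another realm.
# Realm names, cache directory layout and principal naming are assumptions.

CCACHE_DIR="${CCACHE_DIR:-${TMPDIR:-/tmp}}"

# Refuse anything that is not a plausible realm name before it is spliced
# into a file name (a '/' or '..' in the realm would escape CCACHE_DIR).
check_realm() {
    case $1 in
        ''|*[!A-Za-z0-9.-]*) echo "use_realm: bad realm name '$1'" >&2; return 1 ;;
    esac
}

# Cache name for a realm, e.g. FILE:/tmp/krb5cc_1000_EXAMPLE.COM (assumed layout).
ccache_for_realm() {
    check_realm "$1" || return 1
    printf 'FILE:%s/krb5cc_%s_%s\n' "$CCACHE_DIR" "$(id -u)" "$1"
}

# Principal to request in that realm: <user>@<REALM>; the user defaults to
# the local login name (assumed convention, override with the 2nd argument).
principal_for_realm() {
    check_realm "$1" || return 1
    printf '%s@%s\n' "${2:-$(id -un)}" "$1"
}

# Point the current shell at the realm's cache and run kinit only when that
# cache holds no valid TGT: 'klist -s' (MIT krb5) prints nothing and exits
# non-zero if the cache is missing, empty or expired.  Source this file
# (". ./krb-switch.sh"); run as a script, the export dies with the subshell.
use_realm() {
    realm=$1
    KRB5CCNAME=$(ccache_for_realm "$realm") || return 1
    export KRB5CCNAME
    if klist -s 2>/dev/null; then
        echo "use_realm: reusing valid TGT in $KRB5CCNAME" >&2
    else
        kinit "$(principal_for_realm "$realm" "$2")"
    fi
}

# Example session with two realms; both TGTs survive each switch:
#   . ./krb-switch.sh
#   use_realm EXAMPLE.COM          # kinit once into krb5cc_<uid>_EXAMPLE.COM
#   use_realm HOME.EXAMPLE.NET     # separate cache; EXAMPLE.COM TGT untouched
#   use_realm EXAMPLE.COM          # valid TGT found, no second kinit
```

Each cache is still a single FILE: cache, so any program that reads KRB5CCNAME sees only the realm last selected; cross-realm use within one process still needs the krb5 library itself to pick the right TGT. The realm-name check matters because the realm ends up in a path: without it, a value such as `../x` would let a careless caller write the cache outside CCACHE_DIR. For what it is worth, later MIT krb5 releases (1.10 and newer, after this thread) added credential cache collections (the DIR: cache type) and kswitch, which address the same problem inside the tools themselves.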
