Kerberos and Multiple Principals
This page is designed for someone who needs to manage Kerberos credentials
for multiple principals. The usual reason for doing this is that you have
logins in two Kerberos realms and use them both regularly.
The Problem
The problem is that a Kerberos credentials cache holds credentials for
only one client principal at a time. If you run kinit for a second
principal against a cache that already holds credentials for a first
principal, the cache is reinitialized and the first principal's
credentials, including any service tickets you had already obtained,
are destroyed.
The Solution
The solution is to maintain two (or more) credential caches and use the
KRB5CCNAME environment variable to select between them.
KRB5CCNAME should point at a file that contains your credentials.
Normally it contains something like
/tmp/krb5cc_6767. It can
contain the name of any file you like, as long as it's writable by
you and doesn't conflict with a file that someone else is trying to use.
kinit creates the file readable only by you (mode 0600); keep it that
way, since anyone who can read the file can use the tickets in it.
For example, let's say you have logins in two Kerberos realms,
jdoe@NCSA.EDU and johnd@OTHERREALM.COM and you want to
maintain Kerberos credentials for both. So you choose two filenames for
credentials caches that you know to be unique,
/tmp/krb5cc_jdoe_ncsa and /tmp/krb5cc_johnd_other
would probably be fine choices.
Then by setting KRB5CCNAME to point at one cache or the
other you control which cache the Kerberos programs will use. Running
klist shows which cache is currently selected and which principal's
tickets it holds, so you can check before logging in anywhere.
Here is an example csh session where you get credentials for
both realms and then log into each in turn.
...Get credentials for jdoe@NCSA.EDU...
$ setenv KRB5CCNAME /tmp/krb5cc_jdoe_ncsa
$ kinit jdoe@NCSA.EDU
...Get credentials for johnd@OTHERREALM.COM...
$ setenv KRB5CCNAME /tmp/krb5cc_johnd_other
$ kinit johnd@OTHERREALM.COM
...Now use NCSA credentials to log into NCSA...
$ setenv KRB5CCNAME /tmp/krb5cc_jdoe_ncsa
$ klist
...klist should list /tmp/krb5cc_jdoe_ncsa with default principal jdoe@NCSA.EDU...
$ rlogin pecos.ncsa.uiuc.edu
...do stuff at NCSA...
...log out, and now you want to log into OTHERREALM...
$ setenv KRB5CCNAME /tmp/krb5cc_johnd_other
$ rlogin host.otherrealm.com
...and do stuff at otherrealm.com...
You can also put sequences of commands into shell aliases or shell scripts
to ease the process.
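An added example of such a script, not part of the original page: bash functions that derive a per-principal cache name, refuse to reuse an existing cache file that is not safe to trust, and export KRB5CCNAME. The page's session uses csh, but KRB5CCNAME works the same way from any shell. The krb5cc_<uid>_<principal> naming scheme, the KRB5CC_DIR override and the function names are this example's own assumptions.

```shell
#!/bin/bash
# Added example (not the original NCSA page's code): switch between
# per-principal Kerberos credential caches by setting KRB5CCNAME.
# Assumptions: the krb5cc_<uid>_<principal> naming scheme and the
# KRB5CC_DIR override are conventions of this example only.

# Derive a cache path that is unique per login (uid) and per principal,
# e.g. "jdoe@NCSA.EDU" -> /tmp/krb5cc_<uid>_jdoe_ncsa.edu
kcc_path() {
    local principal="$1" tag
    # Lowercase the name and turn '@' and '/' into '_' so it is a plain file name.
    tag=$(printf '%s' "$principal" | tr 'A-Z@/' 'a-z__')
    printf '%s/krb5cc_%s_%s\n' "${KRB5CC_DIR:-/tmp}" "$(id -u)" "$tag"
}

# Refuse to reuse a cache file we should not trust: a symlink (someone
# may have planted it in /tmp), a file owned by someone else, or one
# readable by others (anyone who can read it can use the tickets in it).
# A path that does not exist yet is fine: kinit creates it with mode 0600.
kcc_check() {
    local path="$1" mode
    if [ -L "$path" ]; then echo "refusing symlink: $path" >&2; return 1; fi
    [ -e "$path" ] || return 0
    if [ ! -O "$path" ]; then echo "not owned by you: $path" >&2; return 1; fi
    # GNU stat first, BSD stat as the fallback
    mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
    if [ "$mode" != 600 ]; then echo "mode $mode, want 600: $path" >&2; return 1; fi
    return 0
}

# Select the cache for a principal. Afterwards kinit, klist, rlogin and
# every other Kerberized program started from this shell use that cache.
kcc_use() {
    local path
    path=$(kcc_path "$1") || return 1
    kcc_check "$path" || return 1
    export KRB5CCNAME="$path"
}

# Typical use, one principal per cache:
#   kcc_use jdoe@NCSA.EDU && kinit jdoe@NCSA.EDU
#   kcc_use johnd@OTHERREALM.COM && kinit johnd@OTHERREALM.COM
#   kcc_use jdoe@NCSA.EDU && klist && rlogin pecos.ncsa.uiuc.edu
```

Source the file into your shell and call kcc_use before kinit or before logging in; the check matters most for the first kinit, before the file exists, because that is when a stale or planted file of the same name would otherwise be picked up.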
Questions or comments about this page may be sent to kerberos@ncsa.uiuc.edu