[OpenAFS] OS X Lion: multiple Kerberos realms ?

Brandon Allbery allbery.b@gmail.com
Wed, 18 Jul 2012 12:55:13 -0400



On Wed, Jul 18, 2012 at 12:45 PM, Gabriel L. Somlo <gsomlo@gmail.com> wrote:

> I can easily (via kinit, or the Ticket Viewer) acquire tickets for any
>

Via kinit?  Really?

Kerberos doesn't really have a good way to deal with multiple realms.
Apple's modified Kerberos tries to work around this (so it *does* sort of
work from Ticket Viewer) but the standard Kerberos APIs don't provide ways
to specify the realm credentials to use.  This means (a) not much if any
support from login, and (b) programs like Samba and OpenAFS can only see
the currently selected credentials in Ticket Viewer, not all of them.

I will also note that this would only work "well" at login if you used the
same password in both realms, which is a very bad idea and possibly a
security violation.

-- 
brandon s allbery                                      allbery.b@gmail.com
wandering unix systems administrator (available)     (412) 475-9364 vm/sms
