Red Hat Linux and its clones can be configured to authenticate users against a Kerberos realm both directly and via PAM. Unfortunately, the default setup keeps a single credential cache, so it holds tickets for only one realm at a time – if you authenticate to a second realm, the tickets for the first realm are overwritten. This page discusses one way to simultaneously maintain tickets in more than one realm.

First, your krb5.conf file must be configured for the realms in question. Here is an example of the relevant sections of a krb5.conf file, set up for both a hypothetical ECE department realm and the very real UW realm.

     [libdefaults]
      ticket_lifetime = 24000
      default_realm = ECE.UW.EDU
      dns_lookup_realm = false
      dns_lookup_kdc = false

     [realms]
      ECE.UW.EDU = {
       kdc = kerberos1.ece.uw.edu:88
       kdc = kerberos2.ece.uw.edu:88
       admin_server = kerberos1.ece.uw.edu
       default_domain = ece.uw.edu
      }
      u.washington.edu = {
       kdc = k5-admin.u.washington.edu:88
       kdc = k5-kdc1.u.washington.edu:88
       kdc = k5-kdc2.u.washington.edu:88
       admin_server = k5-admin.u.washington.edu
       default_domain = u.washington.edu
      }

     [domain_realm]
      .ece.uw.edu = ECE.UW.EDU
      ece.uw.edu = ECE.UW.EDU
      .u.washington.edu = u.washington.edu
      u.washington.edu = u.washington.edu
      .cac.washington.edu = u.washington.edu
      cac.washington.edu = u.washington.edu
      deskmail.washington.edu = u.washington.edu
      .deskmail.washington.edu = u.washington.edu
      mailer26.u.washington.edu = u.washington.edu

In order to authenticate against multiple realms, you simply need to do two things:

  • Specify an alternate (and unique) cache file for each realm (after the first)
  • Tell any Kerberos commands to use the relevant cache file whenever you connect to a specific realm

The simplest way to do this is to set the environment variable KRB5CCNAME to the cache file’s name. This works if you will only be connecting to one realm from a particular environment or shell (for example, inside one xterm window).

     export KRB5CCNAME=/tmp/my_secret_uw_kerberos_file

When you do this, any subsequent Kerberos-related commands will use the data stored in the indicated file when authenticating.

There are other times when you won’t want to be tied to a particular window, or when you want to connect to two realms at once. In this case you’ll need to specify the relevant cache file each time you access a particular realm.
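A small shell helper for the two steps above (one cache per realm, and pointing each command at the right cache), added here as an example and not part of the original page. It derives one cache file per realm under /tmp, naming it with the user's uid instead of the page's /tmp/my_secret_uw_kerberos_file (an assumption), runs a command such as kinit or klist with KRB5CCNAME set for that single command only, and checks that an existing cache is not readable by other users. It assumes the MIT Kerberos client tools and the realm names from the krb5.conf above.

```shell
#!/bin/sh
# Added example (not the original page's code). One credential cache per
# realm, so tickets for ECE.UW.EDU and u.washington.edu never overwrite
# each other. Assumes MIT Kerberos tools (kinit, klist, kdestroy).

# Print the cache file for a realm: per-user, per-realm, under /tmp.
realm_cache() {
    # Replace anything outside [A-Za-z0-9.-] so a realm string can never
    # carry a path separator into the file name.
    safe=$(printf '%s' "$1" | tr -c 'A-Za-z0-9.-' '_')
    printf '/tmp/krb5cc_%s_%s\n' "$(id -u)" "$safe"
}

# Run one command with KRB5CCNAME pointing at that realm's cache.
# The variable is set for the command only, so the calling shell's
# own cache (and any other realm's tickets) are left untouched.
in_realm() {
    r=$1
    shift
    KRB5CCNAME="FILE:$(realm_cache "$r")" "$@"
}

# kinit creates caches with mode 0600; a cache copied or created by hand
# may not be. Return success only if the file exists and is private.
cache_is_private() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = "600" ]
}

# Typical use (principal names are placeholders):
#   in_realm u.washington.edu kinit user@u.washington.edu
#   in_realm u.washington.edu klist
#   in_realm ECE.UW.EDU      kinit user@ECE.UW.EDU
#   in_realm ECE.UW.EDU      klist
#   cache_is_private "$(realm_cache ECE.UW.EDU)" || echo "cache is world-readable"
```

Because in_realm sets KRB5CCNAME per invocation, tickets for both realms can be used from the same shell in any order without one cache clobbering the other.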