{"id":223,"date":"2022-10-25T21:59:40","date_gmt":"2022-10-26T04:59:40","guid":{"rendered":"https:\/\/peden.ece.uw.edu\/computing\/?page_id=223"},"modified":"2022-10-25T22:02:10","modified_gmt":"2022-10-26T05:02:10","slug":"multiple-kerberos-tickets","status":"publish","type":"page","link":"https:\/\/peden.ece.uw.edu\/computing\/multiple-kerberos-tickets\/","title":{"rendered":"Keeping Multiple Kerberos Tickets in &#8220;Red Hat&#8221; Linux"},"content":{"rendered":"<p><span class=\"lead1\"><strong>Red Hat Linux and its clones can be configured to authenticate users against a Kerberos realm both directly and via PAM. Unfortunately, its default setup maintains tickets for only one realm at a time &#8211; if you authenticate to a second realm, information regarding the first realm is overwritten. This page discusses one way to simultaneously maintain tickets in more than one realm.<\/strong> <\/span><\/p>\n<p>First, your krb5.conf file must be configured for the realms in question. Here is an example of the relevant section in a krb5.conf file, set up for both a theoretical ECE department realm as well as the very real UW realm.<\/p>\n<pre>[libdefaults]\r\n      ticket_lifetime = 24000\r\n      default_realm = ECE.UW.EDU\r\n      dns_lookup_realm = false\r\n      dns_lookup_kdc = false\r\n\r\n     [realms]\r\n      ECE.UW.EDU = {\r\n       kdc = kerberos1.ece.uw.edu:88\r\n       kdc = kerberos2.ece.uw.edu:88\r\n       admin_server = kerberos1.ece.uw.edu\r\n       default_domain = ece.uw.edu\r\n      }\r\n      u.washington.edu = {\r\n       kdc = k5-admin.u.washington.edu:88\r\n       kdc = k5-kdc1.u.washington.edu:88\r\n       kdc = k5-kdc2.u.washington.edu:88\r\n       admin_server = k5-admin.u.washington.edu\r\n       default_domain = u.washington.edu\r\n      }\r\n\r\n     [domain_realm]\r\n      .ece.uw.edu = ECE.UW.EDU\r\n      ece.uw.edu = ECE.UW.EDU\r\n      .u.washington.edu = u.washington.edu\r\n      u.washington.edu = u.washington.edu\r\n      .cac.washington.edu = u.washington.edu\r\n      cac.washington.edu = u.washington.edu\r\n      deskmail.washington.edu = u.washington.edu\r\n      .deskmail.washington.edu = u.washington.edu\r\n      mailer26.u.washington.edu = u.washington.edu<\/pre>\n<p class=\"justified\">In order to authenticate against multiple realms, you simply need to do two things:<\/p>\n<ul>\n<li>Specify an alternate (and unique) cache file for each realm (after the first)<\/li>\n<li>Tell any Kerberos commands to use the relevant cache file whenever you connect to a specific realm<\/li>\n<\/ul>\n<p class=\"justified\">The simplest way to do this is to set the environment variable KRB5CCNAME to the cache file&#8217;s name. This works if you will only be connecting to one realm while in a particular environment\/shell (for example, inside an Xterm window).<\/p>\n<pre>     export KRB5CCNAME=\/tmp\/my_secret_uw_kerberos_file\r\n<\/pre>\n<p class=\"justified\">When you do this, any subsequent Kerberos-related commands will use the data stored in the indicated file when authenticating.<\/p>\n<p class=\"justified\">There are other times when you won&#8217;t want to be tied to a particular window; or perhaps you want to connect to two realms for some reason. In this case you&#8217;ll need to specify the relevant cache file whenever you&#8217;re accessing a particular realm.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Red Hat Linux and its clones can be configured to authenticate users against a Kerberos realm both directly and via PAM. Unfortunately, its default setup maintains tickets for only one realm at a time &#8211; if you authenticate to a second realm, information regarding the first realm is overwritten. This page discusses one way to&#8230;<\/p>\n<div><a class=\"more\" href=\"https:\/\/peden.ece.uw.edu\/computing\/multiple-kerberos-tickets\/\">Read more<\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"tags":[4,21],"class_list":["post-223","page","type-page","status-publish","hentry","tag-faq","tag-kerberos"],"_links":{"self":[{"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/pages\/223","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/comments?post=223"}],"version-history":[{"count":3,"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/pages\/223\/revisions"}],"predecessor-version":[{"id":226,"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/pages\/223\/revisions\/226"}],"wp:attachment":[{"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/media?parent=223"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/peden.ece.uw.edu\/computing\/wp-json\/wp\/v2\/tags?post=223"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}