[Freeipa-users] Supporting multiple separate kerberos providers

Dennis Gilmore dennis at ausil.us
Thu Sep 30 18:54:40 UTC 2010


Hi All,

One thing that some folks in Fedora are evaluating is to integrate
FreeIPA with FAS. This would enable services like koji to gain Kerberos
auth, as well as git etc. It could also be enabled on fedorahosted etc.

But it brings to light a deficiency in krb5. While you can define
multiple realms and manually switch between them in various ways, it's
not user friendly, and doesn't lend itself to having to frequently switch
between Kerberos providers.

The lacking thing is that you can only cache one TGT at a time. You can
work around this by manually defining different caches or running kinit
each time you need to switch.

The solution seems to me to be to enable krb5 to cache multiple TGTs.
Personally, right now I have 2 Kerberos servers I frequently deal with: 1
for home and one for work. If we end up deploying Kerberos support in
Fedora I'll have 3, and it will get really messy fast. I can keep things
separate now, but with Fedora and work using Kerberos that will be
impossible.

I wanted to throw out there the very real and possible usage scenarios
and get some further discussion on how best it will be to handle this
going forward.

Dennis
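
The workaround mentioned in the message (a manually defined cache per realm, selected through KRB5CCNAME), sketched as an added example that is not part of the original post. The function names, the cache directory layout and the KRB5_CACHE_DIR variable are assumptions for illustration; only kinit, klist -s and KRB5CCNAME are standard krb5.

```shell
# Added example: one credential cache per realm, selected via KRB5CCNAME.
# Function names and the directory layout are assumptions, not krb5 features.

# Private per-user directory that holds the caches (each cache contains a TGT).
krb_cache_dir() {
    printf '%s\n' "${KRB5_CACHE_DIR:-${XDG_RUNTIME_DIR:-/tmp}/krb5cc-$(id -u)}"
}

# Realm part of a principal: user@EXAMPLE.ORG -> EXAMPLE.ORG
krb_realm_of() {
    case $1 in
        *@*) printf '%s\n' "${1##*@}" ;;
        *)   return 1 ;;
    esac
}

# Cache name for a realm; reject names that could escape the cache directory.
krb_cache_for() {
    case $1 in
        ''|.*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'FILE:%s/%s\n' "$(krb_cache_dir)" "$1"
}

# Point the current shell at the realm's cache.
krb_select() {
    cache=$(krb_cache_for "$1") || return 1
    dir=$(krb_cache_dir)
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    # Refuse a directory somebody else created first (matters under /tmp).
    [ -O "$dir" ] || return 1
    KRB5CCNAME=$cache
    export KRB5CCNAME
}

# Obtain a TGT in the principal's own realm cache unless a valid one exists.
krb_login() {
    realm=$(krb_realm_of "$1") || return 1
    krb_select "$realm" || return 1
    klist -s || kinit "$1"
}
```

After `krb_login` has been run once per principal, `krb_select REALM` switches between the existing tickets without another password prompt until they expire.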