On Fri, 5 Feb 2010, George Mamalakis wrote:

> shows no tickets. This could be also a security threat, in case different
> kerberos principals (users in this setup) use a shared machine account to
> logon, and then access their resources by kiniting to their respective
> principals.
>

The kernel only knows the effective uid and the current gssd assumes that there will be "one" user principal with a TGT in /tmp/krb5cc_N (where 'N' is that uid#). Having multiple principals sharing the same login/uid (which I'm guessing is what you refer to as a "shared machine account") isn't going to work.

I suppose that the gssd could do a "uid"->"username"->"principal name" mapping and then use that "principal name", but it is still going to be unique (i.e. only one) per uid.

rick

Received on Fri Feb 05 2010 - 19:08:12 UTC
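Added example, not part of the original message and not gssd code: a small model of the per-uid lookup described above, which parses the default principal out of a version 4 FILE credential cache and shows that a cache keyed only by uid yields exactly one principal. The helper names, the uid and the principals are constructed, and it assumes both users keep the default cache name so each kinit rewrites the same file.

```python
import struct

def cache_path(uid: int) -> str:
    # The path the message says gssd looks at for a given effective uid.
    return f"/tmp/krb5cc_{uid}"

def build_ccache(principal: str) -> bytes:
    """Constructed sample: a v4 ccache holding only the default principal."""
    name, realm = principal.rsplit("@", 1)
    parts = name.split("/")
    blob = b"\x05\x04" + struct.pack(">H", 0)        # version 4, empty header
    blob += struct.pack(">II", 1, len(parts))        # name type, component count
    for field in [realm, *parts]:                    # realm first, then components
        raw = field.encode()
        blob += struct.pack(">I", len(raw)) + raw
    return blob

def default_principal(blob: bytes) -> str:
    """Return the single default principal recorded at the start of the cache."""
    if blob[:2] != b"\x05\x04":
        raise ValueError("not a version 4 credential cache")
    (header_len,) = struct.unpack_from(">H", blob, 2)
    pos = 4 + header_len                             # skip optional header tags
    _name_type, count = struct.unpack_from(">II", blob, pos)
    pos += 8
    fields = []
    for _ in range(count + 1):                       # realm + each name component
        (length,) = struct.unpack_from(">I", blob, pos)
        pos += 4
        if pos + length > len(blob):
            raise ValueError("truncated credential cache")
        fields.append(blob[pos:pos + length].decode())
        pos += length
    return "/".join(fields[1:]) + "@" + fields[0]

def simulate_shared_uid(uid: int, principals: list) -> dict:
    """Model successive kinit runs under one uid: same path, so last writer wins."""
    files = {}
    for principal in principals:
        files[cache_path(uid)] = build_ccache(principal)
    return {path: default_principal(blob) for path, blob in files.items()}

if __name__ == "__main__":
    # Two constructed principals sharing uid 1001: only one survives in the cache.
    print(simulate_shared_uid(1001, ["alice@EXAMPLE.ORG", "bob@EXAMPLE.ORG"]))
```

On a real host, running `default_principal` over the bytes of `/tmp/krb5cc_N` tells an administrator which identity is currently recorded for that uid.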