[14685] in Kerberos
Re: Kerberos Client Q
daemon@ATHENA.MIT.EDU (Ken Raeburn)
Tue Jul 17 18:45:59 2001
To: Shaun McCullagh <shaun.mccullagh@marviQ.com>
Cc: kerberos@mit.edu
From: Ken Raeburn <raeburn@MIT.EDU>
Date: 17 Jul 2001 18:43:27 -0400
In-Reply-To: <3B4C66BE.C7B8E167@marviQ.com>
Message-ID: <tx1g0bvxjlc.fsf@mit.edu>

Shaun McCullagh <shaun.mccullagh@marviQ.com> writes:

> Is it possible for a client machine to be a member of more than one
> realm?

Application clients don't generally need to belong to a specific
realm, much less only one realm, except for configuration
convenience. (E.g., so you don't have to type the realm name to
"kinit".)

Application servers also don't need to belong to one realm. At least,
that's the theory. The spec even says so, I believe, in that a
service can be registered in multiple realms. There may be random
bits of software here and there that assume that a host belongs to
exactly one realm for various purposes, but if it doesn't allow a
server to be in multiple realms, it's a bug.

> The reason I ask this, is I want to organise users into `access groups'
> to control which machines they have shell access to...

Sounds like the wrong approach. First of all, it sounds like you're
talking about grouping sets of users into different realms, which has
nothing to do with which realm the server is in, unless you
intentionally disable all inter-realm authentication. Second, you
really should use some sort of an access control list mechanism;
Kerberos isn't one.
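The split Ken draws above, Kerberos authenticating a principal and a separate access list deciding who may log in, as an added example that is not code from this thread or from MIT Kerberos. It models a .k5login-style list for one host: entries are full principal names, so users from any number of realms can be granted access to the same machine without anyone being grouped by realm. The realm names, user names and the sample list are constructed for illustration, and the blank-line and escaping conventions are this example's own, not a claim about the exact file format any implementation reads.

```python
"""A .k5login-style access list keyed on Kerberos principals.

Added example, not from the original post or from MIT Kerberos.  Kerberos
establishes *who* the peer is (a principal name in some realm); whether
that principal may log in to this host is a separate authorization
decision made against a list like the one below.  Realm names, user names
and the sample list are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Principal:
    name: str    # e.g. "alice" or "host/www.example.com"
    realm: str   # e.g. "EXAMPLE.COM"; compared case-sensitively, as krb5 does

    def __str__(self) -> str:
        return f"{self.name}@{self.realm}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Parse 'name@REALM'.

    The realm separator is the last '@' that is not escaped with a backslash
    (krb5 lets '\\@' appear inside a name component).  An unqualified name
    takes default_realm when one is supplied and is otherwise rejected:
    once cross-realm authentication is on, a bare 'alice' in an access list
    does not say which realm's alice is meant.
    """
    text = text.strip()
    if not text:
        raise ValueError("empty principal")
    sep = -1
    for i, ch in enumerate(text):
        if ch == "@" and (i == 0 or text[i - 1] != "\\"):
            sep = i
    if sep == -1:
        if default_realm is None:
            raise ValueError(f"principal {text!r} has no realm and no default is set")
        return Principal(text, default_realm)
    name, realm = text[:sep], text[sep + 1:]
    if not name or not realm:
        raise ValueError(f"malformed principal {text!r}")
    return Principal(name, realm)


def load_acl(lines: Iterable[str], default_realm: Optional[str] = None) -> frozenset:
    """Build the set of permitted principals: one per line, blank lines ignored
    (this example's convention)."""
    return frozenset(parse_principal(line, default_realm) for line in lines if line.strip())


def is_authorized(authenticated: str, acl: frozenset) -> bool:
    """Authorization check run *after* Kerberos authentication has succeeded.

    `authenticated` is the client principal as it came out of the ticket,
    so it is always fully qualified and no default realm is applied.
    Matching is exact: alice@EXAMPLE.COM is not alice@ENG.EXAMPLE.COM, and
    realm comparison is case-sensitive.
    """
    return parse_principal(authenticated) in acl


# Constructed sample: one host's list naming principals from two realms.
SAMPLE_K5LOGIN = """
alice@EXAMPLE.COM
bob@ENG.EXAMPLE.COM
host/backup.example.com@EXAMPLE.COM
"""

HOST_ACL = load_acl(SAMPLE_K5LOGIN.splitlines())


if __name__ == "__main__":
    for who in ("alice@EXAMPLE.COM", "alice@ENG.EXAMPLE.COM", "alice@example.com"):
        verdict = "allowed" if is_authorized(who, HOST_ACL) else "denied"
        print(f"{who:28} -> {verdict}")
```

The check deliberately refuses unqualified entries unless a default realm is given, because an entry like `alice` is exactly the ambiguity that grouping users into realms would be trying to paper over: with cross-realm trust enabled there may be an `alice` in more than one realm, and only the fully qualified name says which one is meant.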