Do multiple kerberos enabled services on a machine share the same ticket - Kerberos



Thread: Do multiple kerberos enabled services on a machine share the same ticket

  1. Do multiple kerberos enabled services on a machine share the same ticket

    Hi,
    Do all services running on a server share the same long term key in the
    KDC?

    What I mean is, let's say on a server that is part of a domain that is
    running say a file server and an email server, both of which use the
    Kerberos protocol... Will a client wishing to communicate with both
    services be able to just use the same Kerberos ticket?

    Thanks
    Lyle


  2. Re: Do multiple kerberos enabled services on a machine share the same ticket


    > Hi,
    > Do all services running on a server share the same long term key in the
    > KDC?

    They could in theory, but this is not how it is normally done.

    > What I mean is, let's say on a server that is part of a domain that is
    > running say a file server and an email server, both of which use the
    > Kerberos protocol... Will a client wishing to communicate with both
    > services be able to just use the same Kerberos ticket?

    If the user has a valid "TGT" ticket, the client can get the
    service ticket it needs to authenticate with the server without
    action from the user. So, from this aspect, yes, get one TGT
    and everything is good, but under the covers there are usually
    separate tickets for each (service, server) pair. For example:

    > klist

    Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616
    Default principal: john@IASTATE.EDU

    Valid starting     Expires            Service principal
    07/25/05 08:17:58  08/01/05 08:17:58  krbtgt/IASTATE.EDU@IASTATE.EDU
    07/25/05 09:04:30  08/01/05 08:17:58  host/trusty.ait.iastate.edu@IASTATE.EDU
    07/29/05 09:15:47  08/01/05 08:17:58  host/print-2.iastate.edu@IASTATE.EDU
    07/30/05 17:54:20  08/01/05 08:17:58  accountd/moira.iastate.edu@IASTATE.EDU
    07/30/05 17:54:44  08/01/05 08:17:58  accountd/lambda.it.iastate.edu@IASTATE.EDU


    John
    ________________________________________________
    Kerberos mailing list Kerberos@mit.edu
    https://mailman.mit.edu/mailman/listinfo/kerberos
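A toy model of the exchange John describes, added here as an example (not code from the thread or from MIT Kerberos): a KDC holding one long-term key per principal issues a single TGT and then a separate service ticket per service principal, each sealed under that service's own key, so a ticket issued for one service is rejected by another. The sealing routine is a stand-in for Kerberos encryption types, the two service principals are taken from the klist output above, and the user's own key and session keys are left out of the model.

```python
import hashlib, hmac, json, os

def seal(key, obj):
    """Toy authenticated encryption (keystream + HMAC), standing in for a Kerberos enctype."""
    data, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(data) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Return the object, or None when the blob was not sealed under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        return None
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest()
                  for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

class KDC:  # one long-term key per principal: krbtgt plus each registered service
    def __init__(self, realm):
        self.tgs = f"krbtgt/{realm}@{realm}"
        self.keys = {self.tgs: os.urandom(32)}
    def register(self, principal):  # returns the key the service keeps in its keytab
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]
    def as_exchange(self, user):  # AS-REQ/AS-REP: the TGT is sealed under the krbtgt key
        return seal(self.keys[self.tgs], {"client": user, "service": self.tgs})
    def tgs_exchange(self, tgt_blob, service):  # TGS-REQ/TGS-REP: one ticket per service
        tgt = unseal(self.keys[self.tgs], tgt_blob)
        if tgt is None or service not in self.keys:
            return None
        return seal(self.keys[service], {"client": tgt["client"], "service": service})

def service_accepts(keytab_key, ticket_blob, my_principal):
    """Server side: valid only if the ticket opens under my own key and names me."""
    t = unseal(keytab_key, ticket_blob)
    return t is not None and t["service"] == my_principal

def demo():  # principals taken from the klist output in the answer above
    kdc = KDC("IASTATE.EDU")
    fs, acct = "host/trusty.ait.iastate.edu@IASTATE.EDU", "accountd/moira.iastate.edu@IASTATE.EDU"
    fs_key, acct_key = kdc.register(fs), kdc.register(acct)
    tgt = kdc.as_exchange("john@IASTATE.EDU")      # one TGT ...
    t_fs, t_acct = kdc.tgs_exchange(tgt, fs), kdc.tgs_exchange(tgt, acct)  # ... two tickets
    return {"fs_ok": service_accepts(fs_key, t_fs, fs),
            "acct_ok": service_accepts(acct_key, t_acct, acct),
            "fs_ticket_at_acct": service_accepts(acct_key, t_fs, acct),
            "distinct": t_fs != t_acct}
```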


  3. Re: Do multiple kerberos enabled services on a machine share the same ticket

    Perfect... thanks John.

    So when my principal (i.e. my server) joins a domain, I will still see
    only one entry for that principal on the KDC (for example under Active
    Directory users and computers list) even though that principal is
    hosting two different services, right?

    And to talk to either of these services, a separate ticket is derived
    from the TGT.

    Thanks
    Lyle


    John Hascall wrote:
    > > Hi,
    > > Do all services running on a server share the same long term key in the
    > > KDC?
    >
    > They could in theory, but this is not how it is normally done.
    >
    > > What I mean is, let's say on a server that is part of a domain that is
    > > running say a file server and an email server, both of which use the
    > > Kerberos protocol... Will a client wishing to communicate with both
    > > services be able to just use the same Kerberos ticket?
    >
    > If the user has a valid "TGT" ticket, the client can get the
    > service ticket it needs to authenticate with the server without
    > action from the user. So, from this aspect, yes, get one TGT
    > and everything is good, but under the covers there are usually
    > separate tickets for each (service, server) pair. For example:
    >
    > > klist
    >
    > Ticket cache: FILE:/var/dss/kerberos/tkt/v5_42db5d39085616
    > Default principal: john@IASTATE.EDU
    >
    > Valid starting     Expires            Service principal
    > 07/25/05 08:17:58  08/01/05 08:17:58  krbtgt/IASTATE.EDU@IASTATE.EDU
    > 07/25/05 09:04:30  08/01/05 08:17:58  host/trusty.ait.iastate.edu@IASTATE.EDU
    > 07/29/05 09:15:47  08/01/05 08:17:58  host/print-2.iastate.edu@IASTATE.EDU
    > 07/30/05 17:54:20  08/01/05 08:17:58  accountd/moira.iastate.edu@IASTATE.EDU
    > 07/30/05 17:54:44  08/01/05 08:17:58  accountd/lambda.it.iastate.edu@IASTATE.EDU
    >
    > John
    > ________________________________________________
    > Kerberos mailing list Kerberos@mit.edu
    > https://mailman.mit.edu/mailman/listinfo/kerberos


