Yes, cross-realm authentication would be much easier for this
particular host to handle.
However, I can't guarantee that these individual realms will have any
type of trust relationship with each other.

It's kinda like where you have your ISP account, your MSN-IM
credentials, and possibly your Yahoo credentials. The individual has
three relationships (one per service provider), but these service
providers do not know about each other.


On Feb 16, 2006, at 8:54 AM, Paul B. Hill wrote:

> Instead of answering your question I have to ask an orthogonal question.
> Is there some reason you can't instead try to use cross realm authentication
> to meet your needs?
> If the various realms are each set up for cross realm authentication, then
> it seems that it would be much simpler to manage your host's identity and
> the client libraries will have a much easier time of properly authenticating.
> Paul
> -----Original Message-----
> From: kerberos-bounces@MIT.EDU [mailto:kerberos-bounces@MIT.EDU] On Behalf Of Randy Turner
> Sent: Thursday, February 16, 2006 11:31 AM
> To:
> Subject: multiple realm membership
> Hello,
> I was wondering if the following use-case for Kerberos is valid:
> I have a host that wants to be a member of multiple realms
> simultaneously.
> When a host boots, it will obtain TG tickets from all ticket-granting
> servers that it is configured to know about, essentially logging into
> all realms for which the host has valid credentials.
> This is all that has to be done if the host has no kerberized
> services that it wants to offer. At this point, if there is a client
> application on the host that wants to connect to a remote service in
> one of the realms, it selects the right TGT to use and obtains a
> ticket from the KDC/TGS that is associated with the target realm.
> If a host wants to offer kerberized services to potential clients,
> these clients could attempt to access the services from any of the
> realms for which the host is a member. I'm assuming this means the
> host would have to keep keytabs that are sync'd with the KDC from
> each realm. Also, if a remote client sends a service ticket
> requesting access to a service, the host needs to know from what
> realm the request is coming in order to select the right keytab
> to decrypt the ticket. Are there unencrypted portions of the ticket
> that can be used to find out from what realm the request is coming?
> I guess I'm curious if there are precedents for having a host
> maintain simultaneous connectivity to multiple realms and have a
> set of username/password credentials for each of these realms.
> I'm curious if MIT-Kerberos even supports this type of scenario.
> Thanks in advance for any insight into this use case.
> Randy
> ________________________________________________
> Kerberos mailing list
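On the keytab-selection point raised in the quoted question: the realm and sname in the outer, unencrypted part of a Kerberos Ticket (RFC 4120) are what a service uses to pick its decryption key, and a single MIT-format keytab can hold entries for several realms. The following is an added illustration, not code from the list thread or from MIT Kerberos: it builds such a two-realm keytab in MIT's v2 (0x0502) file format, parses it back, and looks up the key by cleartext realm/sname plus the enc-part's enctype and kvno. Realm names, the host principal and all key bytes are constructed test values.

```python
import struct

AES128_CTS = 17  # enctype number for aes128-cts-hmac-sha1-96 (RFC 3962)

def build_keytab(entries):
    """Serialise (realm, components, enctype, kvno, key) tuples as an MIT v2 keytab."""
    cstr = lambda b: struct.pack(">H", len(b)) + b      # counted_octet_string: uint16 length + bytes
    out = b"\x05\x02"
    for realm, comps, enctype, kvno, key in entries:
        body = struct.pack(">H", len(comps)) + cstr(realm.encode())
        body += b"".join(cstr(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # name-type NT-PRINCIPAL, timestamp, 8-bit vno
        body += struct.pack(">HH", enctype, len(key)) + key + struct.pack(">I", kvno)  # keyblock, 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return out

def _parse_entry(data, pos, end):
    ncomp = struct.unpack_from(">H", data, pos)[0]
    pos, names = pos + 2, []
    for _ in range(ncomp + 1):                            # realm first, then the name components
        n = struct.unpack_from(">H", data, pos)[0]
        names.append(data[pos + 2:pos + 2 + n].decode())
        pos += 2 + n
    vno8 = data[pos + 8]                                  # follows name-type and timestamp
    enctype, klen = struct.unpack_from(">HH", data, pos + 9)
    key, pos = data[pos + 13:pos + 13 + klen], pos + 13 + klen
    kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8  # 32-bit vno is optional
    return {"realm": names[0], "principal": names[1:], "enctype": enctype, "kvno": kvno, "key": key}

def parse_keytab(data):
    """Parse an MIT v2 keytab into entry dicts; deleted slots (negative size) are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format version 0x0502 is handled")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        size, pos = struct.unpack_from(">i", data, pos)[0], pos + 4
        if size > 0:
            entries.append(_parse_entry(data, pos, pos + size))
        pos += abs(size)
    return entries

def select_key(entries, realm, sname, enctype, kvno):
    """Key for a ticket whose cleartext part names realm/sname and whose enc-part says enctype/kvno."""
    want = (realm, sname, enctype, kvno)
    return next((e["key"] for e in entries if (e["realm"], e["principal"], e["enctype"], e["kvno"]) == want), None)

# Constructed sample: one keytab holding the same host principal enrolled in two unrelated realms.
SAMPLE = build_keytab([("REALM-A.EXAMPLE", ["host", "gw.example"], AES128_CTS, 3, bytes(range(16))),
                       ("REALM-B.EXAMPLE", ["host", "gw.example"], AES128_CTS, 7, bytes(range(16, 32)))])
```

A lookup that returns None (unknown realm, principal, enctype or a stale kvno) is the case a service should log and reject rather than guess at, since the wrong key simply fails to decrypt the ticket.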