On 09/04/2014 01:25 PM, Cedric Blancher wrote: > On 4 September 2014 11:33, Jurjen Bokma <j.bokma@xxxxxx> wrote: >> You use cross realm authentication, so that your NFS client may obtain >> tickets for servers that are not in its own realm. > > What if I cannot use cross realm authentication? For example if both > realms do not like each other? > What if I really have to kinit into multiple realms? Kerberos since > 1.10 can do that and klist now has a new flag -A to list all entries > if KRB5CCNAME points to a directory, e.g. > KRB5CCNAME=DIR:/tmp/krbcc$UID/ > > Ced > I tried that about a year ago, and failed to make it work. As far as I know, gssd always picks the same key to authenticate with. I did offer a patch on this list a couple of weeks ago that uses a krb5.conf appdefaults option to configure *which* key, but that one still doesn't make it possible to pick a different key for different shares. Sorry Jurjen -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
