A second Kerberos Realm

With the release of KRB5 1.10, a Kerberos workstation can finally have two different TGTs from two different KDCs active at the same time. Until that release makes it into the major distributions, we are stuck with the limitation that the browser only knows about one TGT/KDC/Realm at a time. If you find yourself needing to talk to a second KDC without disrupting your primary, here are the steps you can take.

  1. Start Firefox as you normally would.
  2. Open a command line prompt.
  3. Get the Kerberos configuration file for the new server. This can be done by copying the new KDC's /etc/krb5.conf to a local file, for this example ~/etc/krb5-105.conf. Then set an environment variable pointing to the new file: export KRB5_CONFIG=/home/ayoung/etc/krb5-105.conf
  4. Decide on a location for a second Kerberos credential cache and set an environment variable to point to it: export KRB5CCNAME=/home/ayoung/etc/krb5cc
  5. kinit into the new cache: echo secretpassword | kinit admin
  6. Run Firefox from the command line using a new profile, without talking to the original instance: firefox --no-remote -P
  7. Point the new Firefox instance at a web page that is part of the new Kerberos realm.
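The seven steps above, collected into one script. This is an added example, not code from the original post: the realm name, KDC host, file paths and profile name are placeholders, and the sample krb5.conf it writes is constructed so the script can be checked offline. Instead of echoing the password on the command line, it reads the password from a file readable only by the user, so it does not end up in shell history or in process listings; it also checks that the config file and cache directory exist before exporting anything, and prefixes the cache with FILE: so the type is explicit.

```shell
#!/bin/sh
# Added example: run a second Firefox profile against a second Kerberos realm
# without touching the default credential cache. All paths and names are
# assumptions; adjust them to your own layout.

# Write a constructed sample krb5.conf for the second realm (placeholder
# realm and KDC names, not real hosts) so the script can be exercised offline.
write_sample_krb5_conf() {
    cat > "$1" <<'EOF'
[libdefaults]
    default_realm = SECOND.EXAMPLE.COM

[realms]
    SECOND.EXAMPLE.COM = {
        kdc = kdc.second.example.com
        admin_server = kdc.second.example.com
    }
EOF
}

# Validate the inputs and print the environment assignments for the second
# realm, one per line. Returns 1 (and prints nothing) if the config file is
# unreadable or the credential cache directory is not writable.
second_realm_env() {
    conf="$1"
    ccache="$2"
    [ -r "$conf" ] || { echo "krb5 config not readable: $conf" >&2; return 1; }
    ccdir=$(dirname "$ccache")
    [ -d "$ccdir" ] && [ -w "$ccdir" ] || {
        echo "ccache directory not writable: $ccdir" >&2; return 1; }
    printf 'KRB5_CONFIG=%s\nKRB5CCNAME=FILE:%s\n' "$conf" "$ccache"
}

# Authenticate to the second realm into the separate cache and launch Firefox
# with its own profile and --no-remote so it does not attach to the running
# instance. The password is read from a 0600 file rather than echoed.
run_second_realm_firefox() {
    conf="$1"; ccache="$2"; principal="$3"; passfile="$4"; profile="$5"
    env_out=$(second_realm_env "$conf" "$ccache") || return 1
    eval "$env_out"
    export KRB5_CONFIG KRB5CCNAME
    kinit "$principal" < "$passfile" || return 1
    firefox --no-remote -P "$profile" &
}

# Destroy only the second cache when finished; the default cache is untouched.
cleanup_second_realm() {
    KRB5CCNAME="FILE:$1" kdestroy
}

# Usage (assumed layout):
#   run_second_realm_firefox ~/etc/krb5-second.conf ~/etc/krb5cc_second \
#       admin ~/etc/second-realm.pass second-realm
#   cleanup_second_realm ~/etc/krb5cc_second
if [ "$#" -ge 5 ]; then
    run_second_realm_firefox "$@"
fi
```

Because the variables are exported only inside this shell, the Firefox you started the normal way keeps using your default cache and realm; shut the second instance down first, as the post says, so the profile manager does not adopt the new profile as the default.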


When you are done, make sure you shut down the new Firefox instance before shutting down your default one, or Firefox will reassign your profile on the next start up to be the newly created profile instead of your default.

Once the new Kerberos release is available, I'll show how to avoid all of the extra steps.

2 thoughts on "A second Kerberos Realm"

  1. "can finally have two different TGS" -> do you mean two different TGTs? 🙂

    Also, if you echo your password like that, it’ll be stored in your shell history!
