On 10/09/2008 08:18 AM, Doug Johnson wrote:
[..]
> I can get around the problem by doing a kdestroy before getting the
> second Kerberos ticket, but that seems like a kluge that users will not
> like.
You might want to create/provide a small "kinit.remote" wrapper that
sets up a different credential cache (export
KRB5CCNAME=FILE:/tmp.someplace), runs kinit for the new realm, warns the
user about the TGT for the different realm being available in that
terminal window only and e.g. sets white on white text colours (security
through opacity?) similar to
/afs/cern.ch/user/i/iven/public/kinit.win ..
Regards
Jan
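
One possible shape for such a wrapper, added here as an example (it is not Jan's script and not the CERN kinit.win, whose contents are not shown in this mail). It puts the second realm's TGT in a private `mktemp -d` directory rather than a fixed path under /tmp, and runs a subshell so the ticket is destroyed when the user exits; the function names and the `KINIT`/`KDESTROY` override variables are assumptions, and the colour change is left out.

```shell
#!/bin/sh
# Added example: sketch of a "kinit.remote" wrapper.
# KINIT and KDESTROY can be overridden (assumption, useful for testing);
# by default the normal Kerberos client tools are used.
KINIT=${KINIT:-kinit}
KDESTROY=${KDESTROY:-kdestroy}

# Create a private (mode 0700) directory with an unpredictable name and
# print a FILE: credential cache name inside it.
new_ccache() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/krb5cc_remote.XXXXXX") || return 1
    printf 'FILE:%s/tkt\n' "$dir"
}

# Obtain a TGT for principal $1 in a separate cache, start a subshell that
# sees only that cache, then destroy the ticket and remove the cache.
# The caller's own KRB5CCNAME (and first-realm TGT) is never touched.
remote_session() {
    principal=$1
    cc=$(new_ccache) || return 1
    ccdir=${cc#FILE:}
    ccdir=${ccdir%/tkt}
    (
        KRB5CCNAME=$cc
        export KRB5CCNAME
        "$KINIT" "$principal" || exit 1
        echo "WARNING: the TGT for $principal is valid in this shell only." >&2
        echo "         Type 'exit' to destroy it and return." >&2
        "${SHELL:-/bin/sh}"
        "$KDESTROY" >/dev/null 2>&1 || true
    )
    status=$?
    rm -rf "$ccdir"
    return $status
}

# Usage: kinit.remote user@OTHER.REALM
if [ "$#" -gt 0 ]; then
    remote_session "$1"
fi
```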