[20136] in Kerberos_V5_Development
AW: kcpytkt to copy a service ticket for client principal not
daemon@ATHENA.MIT.EDU (Josef Petermann)
Tue Jun 16 10:24:07 2020
From: Josef Petermann <josef.petermann@eoda.de>
To: Greg Hudson <ghudson@mit.edu>, "krbdev@mit.edu" <krbdev@mit.edu>
Date: Tue, 16 Jun 2020 14:23:25 +0000
Message-ID: <AM0PR0402MB3780EE668A0724FFE9615690FB9D0@AM0PR0402MB3780.eurprd04.prod.outlook.com>
In-Reply-To: <c7743ee0-1e83-fb24-34d1-a97f5abc60ba@mit.edu>
Cc: Alexander Kinz <alexander.kinz@eoda.de>

Hi Greg,

Thanks for the hint regarding Heimdal's implementation. We managed to use kgetcred to extract the service credential.

# kinit -k -t /etc/httpd/rstudio-server.keytab rstudio-server@LAB.BIZ
# kvno -k /etc/httpd/rstudio-server.keytab -U jpetermann -P HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ
# kgetcred -n --out-cache=/home/jpetermann\@lab.biz/cache45 HTTP/ip-172-20-0-118.lab.biz@LAB.BIZ

> I have been thinking of adding some options from Heimdal's kgetcred to
> kvno, including --out-ccache, which initializes a ccache and stores the
> retrieved credential into it. Would that be adequate here?

It would be really helpful for us to have that functionality in krb5 as well, yes.
Note that we also needed to use the -n flag to create a cache in the name of the "foreign" client principal.

Thanks,
Josef