How to get TGT of an arbitrary user

[Sam Hartman]

>>>>> "Frank" == Frank Burkhardt <fbonews1 at gmx.net> writes:

    Frank> Hi everyone, is it possible to get the TGT of an arbitrary
    Frank> principal without changing it's password?  Maybe there's a
    Frank> 'ktadd'-option which prevents modifying the principal's
    Frank> key?  I do have full control over the realm.

It's possible from a theoretical standpoint but no code is included to
do this.  There's sort of a strong belief that doing so would make it
too easy to abuse administrative privilege in a realm.  Perhaps more
importantly it might lead to application architectures that depend on
being able to become other users--in effect depending on being able to
do something like the su command on Unix.  Such application
architectures tend to be the wrong way of using Kerberos.