Obtaining Service Ticket with TGT only (via shell commands)

Frank Gruellich frank.gruellich at navteq.com
Tue Mar 24 07:48:19 EDT 2009


in short: are there any shell commands included in the MIT Kerberos
Distribution to obtain a specific service ticket once I have a TGT?

Long version: I'm going to write some shell scripts supporting
management of principals in our realm (combined with user management and
some more stuff).  I would like to include some basic sanity checks
before pushing anything into the KDC database, e.g. does the principal
already exist.  Unfortunately, every kadmin -q 'whatever' prompts me for
the password for $USER/admin principal and I'm not able to circumvent
this.  From what I understand from man kadmin I need a valid ticket for
the kadmin/admin service in my credentials cache.  And indeed, if I

 $ kinit -S kadmin/admin frank/admin

I can invoke

 $ kadmin -c "$KRB5CCNAME" -q 'listprincs'

without giving a password to kadmin.  But this way I have to supply a
password to kinit and even worse it destroys all other tickets the user
maybe already has in its cache.

My idea would be to 1. check if the shell script caller has a valid
kadmin/admin service ticket in its cache; if so use it, if not 2. check
if the caller has a valid TGT in its cache; if so use it to obtain a
kadmin/admin service ticket and use this (goto 1), if not invoke kinit
to obtain a TGT (now prompting for a password, of course) and goto 2.

I'm somewhat puzzled by all suggestions after some googling to use a
keytab for that purpose (what I consider as rather insecure and ugly).
I'm even more puzzled that kadmin does not do the steps I mentioned on
its own.  Of course, using kadmin should be done with caution, but that
way the -q option is pretty useless (IMHO).  Or am I missing some
important point, maybe?

Are there any shell tools to do that?  I'm kinda an advanced shell freak
but (as you may notice due to my excessive use of gotos ;-)) a poor
coder.  But if it requires some lines of C and someone could point me to
some resources (or even better some sample lines) I would try to deal
with this, as well.

Thanks in advance.

Kind regards,
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
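The three-step fallback described in the post (use a cached kadmin/admin ticket if there is one, otherwise derive one from a cached TGT, otherwise prompt for a password), written as an added example for this page; it is not code from the post or from the MIT Kerberos distribution. It assumes the realm EXAMPLE.COM and the admin principal $USER/admin, both placeholders, and it relies on two standard MIT client tools: `klist -s` exits non-zero when the cache is missing or expired, and `kvno` requests a service ticket for the named principal using the TGT already in the cache and leaves that ticket in the cache, which is the "TGT only" step the post asks for. The klist listings embedded in the script are constructed, not captured from a real system, so the decision logic can be exercised without a KDC.

```shell
#!/bin/sh
# Added example, not the original poster's script. Placeholders: REALM and
# ADMIN_PRINC are assumptions; override them from the environment.
REALM="${REALM:-EXAMPLE.COM}"
ADMIN_PRINC="${ADMIN_PRINC:-${USER:-$(id -un)}/admin@$REALM}"
KADMIN_SVC="kadmin/admin@$REALM"

# Return 0 if the klist listing in $2 contains a ticket for principal $1.
# klist prints the service principal as the last field of each ticket line.
cache_has() {
    printf '%s\n' "$2" | awk -v p="$1" '$NF == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Name of the ticket-granting ticket for a realm.
tgt_name() { printf 'krbtgt/%s@%s\n' "$1" "$1"; }

# Decide which step applies to a klist listing: prints "have-service",
# "have-tgt" or "need-password" (steps 1, 2 and 3 of the post, in that order).
plan_for() {
    listing="$1"
    if cache_has "$KADMIN_SVC" "$listing"; then
        echo have-service
    elif cache_has "$(tgt_name "$REALM")" "$listing"; then
        echo have-tgt
    else
        echo need-password
    fi
}

# Make sure a kadmin/admin service ticket is in the caller's cache, asking
# for a password only when there is no usable TGT. This runs the real tools.
ensure_kadmin_ticket() {
    if klist -s; then            # silent; non-zero if cache unreadable/expired
        listing="$(klist)"
    else
        listing=""
    fi
    case "$(plan_for "$listing")" in
        have-service) ;;                                  # step 1: nothing to do
        have-tgt)     kvno "$KADMIN_SVC" >/dev/null ;;    # step 2: TGT -> service ticket
        need-password)                                    # step 3: kinit reinitialises the cache
            kinit "$ADMIN_PRINC" && kvno "$KADMIN_SVC" >/dev/null ;;
    esac
}

# Constructed klist output (not from a real system) for exercising plan_for.
SAMPLE_BOTH='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: frank/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
03/24/09 07:30:00  03/24/09 17:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
03/24/09 07:31:12  03/24/09 17:30:00  kadmin/admin@EXAMPLE.COM'
SAMPLE_TGT_ONLY='Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: frank/admin@EXAMPLE.COM

Valid starting       Expires              Service principal
03/24/09 07:30:00  03/24/09 17:30:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM'
SAMPLE_EMPTY=''

# Only talk to the KDC when explicitly asked: ./script --check
if [ "${1-}" = "--check" ]; then
    ensure_kadmin_ticket && kadmin -c "${KRB5CCNAME:-/tmp/krb5cc_$(id -u)}" -q 'listprincs'
fi
```

The `-c` argument falls back to the conventional FILE:/tmp/krb5cc_<uid> cache when KRB5CCNAME is unset, which is an assumption about the local build's default cache location. Step 3 still reinitialises the cache, exactly as the post observes for `kinit -S`; only steps 1 and 2 leave the caller's other tickets untouched.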
