Obtaining Service Ticket with TGT only (via shell commands)
Frank Gruellich
frank.gruellich at navteq.com
Tue Mar 24 12:25:26 EDT 2009
Hi,
thanks for your answer.
Greg Hudson wrote:
> On Tue, 2009-03-24 at 12:48 +0100, Frank Gruellich wrote:
>> in short: are there any shell commands included in the MIT Kerberos
>> Distribution to obtain a specific service ticket once I have a TGT?
> The "kvno" command accomplishes this, if I'm understanding the question
> correctly.
Oh, cool, yes, seems so, at least as a side effect. But for some reason
it does not work with the kadmin/admin service principal:
(0) frank at nmsng [~] % kinit frank/admin
Password for frank/admin at EXAMPLE.COM:
(0) frank at nmsng [~] % kvno -q host/eloy.example.com at EXAMPLE.COM
(0) frank at nmsng [~] % kvno -q kadmin/admin at EXAMPLE.COM
kadmin/admin at EXAMPLE.COM: KDC policy rejects request while getting credentials
(1) frank at nmsng [~] % klist
Ticket cache: FILE:/tmp/krb5cc_20000_0mSrwN
Default principal: frank/admin at EXAMPLE.COM
Valid starting     Expires            Service principal
03/24/09 17:20:10  03/25/09 17:20:10  krbtgt/EXAMPLE.COM at EXAMPLE.COM
03/24/09 17:20:28  03/25/09 17:20:10  host/eloy.example.com at EXAMPLE.COM
Kerberos 4 ticket cache: /tmp/tkt20000
klist: You have no tickets cached
(1) frank at nmsng [~] %
It works for host/eloy.example.com, but not for kadmin/admin. I find:
Mar 24 17:20:40 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.39.8.15: TGT BASED NOT ALLOWED: authtime 1237911610, frank/admin at EXAMPLE.COM for kadmin/admin at EXAMPLE.COM, KDC policy rejects request
in krb5kdc's logfile. Any hints what this means? Google doesn't reveal
too much for both error messages.
Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
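
As an added example (not part of the original post and not MIT Kerberos code), a small Python parser for the krb5kdc TGS_REQ line quoted above, which tallies "TGT BASED NOT ALLOWED" rejections per client, service and address. The regular expression is an assumption derived only from the one log line shown in the post; every sample line except the first is constructed.

```python
import re
from collections import Counter

# Shape of the TGS_REQ line quoted in the post (assumed, not a full grammar).
# The KDC writes "@"; " at " is accepted because the list archive rewrites it.
PRINC = r"\S+?(?:@| at )\S+?"
TGS_RE = re.compile(
    r"krb5kdc\[(?P<pid>\d+)\]: TGS_REQ \((?P<n>\d+) etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<addr>\S+): (?P<status>[^:]+): authtime (?P<authtime>\d+), "
    rf"(?P<client>{PRINC}) for (?P<service>{PRINC})(?:, (?P<reason>.+))?$"
)

def parse_tgs(line):
    """Return the fields of one TGS_REQ log line as a dict, or None."""
    m = TGS_RE.search(line.rstrip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["etypes"] = [int(e) for e in rec["etypes"].split()]
    if len(rec["etypes"]) != int(rec.pop("n")):
        return None  # advertised etype count disagrees with the list: malformed
    for key in ("client", "service"):
        rec[key] = rec[key].replace(" at ", "@")  # undo archive obfuscation
    return rec

def policy_rejections(lines):
    """Count (client, service, address) for requests refused as TGT-based."""
    hits = Counter()
    for rec in filter(None, map(parse_tgs, lines)):
        if rec["status"] == "TGT BASED NOT ALLOWED":
            hits[(rec["client"], rec["service"], rec["addr"])] += 1
    return hits

SAMPLE_LOG = [
    # First entry is the line quoted in the post; the others are constructed.
    "Mar 24 17:20:40 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.39.8.15: TGT BASED NOT ALLOWED: authtime 1237911610, frank/admin at EXAMPLE.COM for kadmin/admin at EXAMPLE.COM, KDC policy rejects request",
    "Mar 24 17:21:02 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) 10.39.8.15: TGT BASED NOT ALLOWED: authtime 1237911610, frank/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM, KDC policy rejects request",
    "Mar 24 17:21:30 bill krb5kdc[26337]: TGS_REQ (2 etypes {18 17}) 10.39.8.16: TGT BASED NOT ALLOWED: authtime 1237911690, alice/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM, KDC policy rejects request",
    "Mar 24 17:22:00 bill sshd[411]: unrelated line",
]

if __name__ == "__main__":
    for key, count in policy_rejections(SAMPLE_LOG).items():
        print(count, *key)
```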