Obtaining Service Ticket with TGT only (via shell commands)

Frank Gruellich frank.gruellich at navteq.com
Tue Mar 24 12:25:26 EDT 2009


thanks for your answer.

Greg Hudson wrote:
> On Tue, 2009-03-24 at 12:48 +0100, Frank Gruellich wrote:
>> in short: are there any shell commands included in the MIT Kerberos
>> Distribution to obtain a specific service ticket once I have a TGT?
> The "kvno" command accomplishes this, if I'm understanding the question
> correctly.

Oh, cool, yes, seems so, at least as a side effect.  But for some reason
it does not work with the kadmin/admin service principal:

 (0) frank@nmsng [~] % kinit frank/admin
 Password for frank/admin@EXAMPLE.COM:
 (0) frank@nmsng [~] % kvno -q host/eloy.example.com@EXAMPLE.COM
 (0) frank@nmsng [~] % kvno -q kadmin/admin@EXAMPLE.COM
 kadmin/admin@EXAMPLE.COM: KDC policy rejects request while getting credentials
 (1) frank@nmsng [~] % klist
 Ticket cache: FILE:/tmp/krb5cc_20000_0mSrwN
 Default principal: frank/admin@EXAMPLE.COM

 Valid starting     Expires            Service principal
 03/24/09 17:20:10  03/25/09 17:20:10  krbtgt/EXAMPLE.COM@EXAMPLE.COM
 03/24/09 17:20:28  03/25/09 17:20:10  host/eloy.example.com@EXAMPLE.COM

 Kerberos 4 ticket cache: /tmp/tkt20000
 klist: You have no tickets cached
 (1) frank@nmsng [~] %

It works for host/eloy.example.com, but not for kadmin/admin.  I find:

 Mar 24 17:20:40 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) TGT BASED NOT ALLOWED: authtime 1237911610,  frank/admin@EXAMPLE.COM for kadmin/admin@EXAMPLE.COM, KDC policy rejects request

in krb5kdc's logfile.  Any hints what this means?  Google doesn't reveal
too much for both error messages.

Kind regards,
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks

Duesseldorfer Strasse 40a
65760 Eschborn

Phone:      +49 6196 77756-414
Fax:        +49 6196 77756-100

USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand,
Hans Pieter Gieszen, Martin Robert Stockman
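
As an added example (not part of the original post and not code from MIT Kerberos), this Python parser pulls the fields out of a krb5kdc TGS_REQ line in the layout quoted above and picks out requests refused with "KDC policy rejects request". The function names and the set of enctypes treated as weak are this example's own assumptions.

```python
import re
from datetime import datetime, timezone

# Enctype numbers from the post's TGS_REQ line, with their MIT krb5 names.
ETYPES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5",
          16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
          18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
WEAK = {1, 2, 3, 23}  # assumption of this example: single DES and RC4

# Matches the TGS_REQ layout shown in the post (no client address field).
TGS_RE = re.compile(
    r"krb5kdc\[\d+\]: TGS_REQ \(\d+ etypes \{(?P<etypes>[\d ]+)\}\) "
    r"(?P<status>[^:]+): authtime (?P<authtime>\d+),\s+"
    r"(?P<client>\S+) for (?P<service>[^\s,]+)(?:, (?P<reason>.+))?$")

def parse_tgs_req(line):
    """Return the fields of one TGS_REQ log line, or None if it is not one."""
    m = TGS_RE.search(line.strip())
    if m is None:
        return None
    offered = [int(n) for n in m["etypes"].split()]
    name = lambda n: ETYPES.get(n, f"etype-{n}")
    return {
        "status": m["status"], "reason": m["reason"],
        "client": m["client"], "service": m["service"],
        "authtime": datetime.fromtimestamp(int(m["authtime"]), tz=timezone.utc),
        "offered": [name(n) for n in offered],
        "weak_offered": [name(n) for n in offered if n in WEAK],
    }

def policy_rejections(lines):
    """Return parsed TGS_REQ records that the KDC refused on policy grounds."""
    recs = (parse_tgs_req(ln) for ln in lines)
    return [r for r in recs if r and "policy rejects" in (r["reason"] or "")]

SAMPLE = [
    # From the post, with the list archive's " at " written back as "@".
    "Mar 24 17:20:40 bill krb5kdc[26337]: TGS_REQ (7 etypes {18 17 16 23 1 3 2}) "
    "TGT BASED NOT ALLOWED: authtime 1237911610,  frank/admin@EXAMPLE.COM "
    "for kadmin/admin@EXAMPLE.COM, KDC policy rejects request",
    # Constructed line that the parser must ignore.
    "Mar 24 17:20:41 bill krb5kdc[26337]: constructed unrelated log line",
]

if __name__ == "__main__":
    for r in policy_rejections(SAMPLE):
        print(f'{r["authtime"]:%Y-%m-%d %H:%M:%S} UTC  {r["client"]} -> '
              f'{r["service"]}  [{r["status"]}]  weak etypes: {r["weak_offered"]}')
```

For the line in the post, authtime 1237911610 is 16:20:10 UTC on 2009-03-24, which lines up with the TGT's 17:20:10 start in the klist output if the host clock is on UTC+1.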
