Obtaining Service Ticket with TGT only (via shell commands)

Greg Hudson ghudson at MIT.EDU
Tue Mar 24 12:44:29 EDT 2009


On Tue, 2009-03-24 at 17:25 +0100, Frank Gruellich wrote:
> Oh, cool, yes, seems so, at least as a side effect.  But for some reason
> it does not work with the kadmin/admin service principal:

If you go into kadmin and run "getprinc kadmin/admin", you should see:

        Attributes: DISALLOW_TGT_BASED

which means you can only get a ticket for this principal with an initial
ticket request and not with a TGT.  You can change this with "modprinc
+allow_tgs_req kadmin/admin" but I believe that would compromise the
requirement that people have to reenter their passwords in order to run
kadmin.

For the purposes of your script, you can either treat a "KDC policy
rejects request" error as an indication that the principal exists, or
you can assume you won't run into that situation on any of the
principals you are managing with the script.
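As an added example that is not part of Greg's reply or the original script: a POSIX shell check that requests a service ticket with the cached TGT via kvno (an MIT Kerberos tool; using it as the script's mechanism is my assumption) and maps the KDC's answer onto "exists", "exists but DISALLOW_TGT_BASED", or "missing". The matched strings are the MIT libkrb5 messages for KRB5KDC_ERR_POLICY and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN.

```shell
#!/bin/sh
# Classify the outcome of a TGT-based ticket request for a principal.
# $1 = exit status of kvno, $2 = what kvno wrote to stderr.
# Prints one of: exists, exists-no-tgs, missing, error
classify_kvno_result() {
    status="$1"
    errtext="$2"
    if [ "$status" -eq 0 ]; then
        echo exists
        return 0
    fi
    case "$errtext" in
        *"KDC policy rejects request"*)
            # Principal exists, but DISALLOW_TGT_BASED means only an
            # initial (password-based) request can obtain its ticket.
            echo exists-no-tgs ;;
        *"Server not found in Kerberos database"*)
            echo missing ;;
        *)
            # Expired TGT, unreachable KDC, etc.: do not guess either way.
            echo error ;;
    esac
}

# Ask the KDC for a ticket for $1 using the TGT already in the credential
# cache (kinit first), then classify. kvno is assumed to be on PATH.
check_principal() {
    princ="$1"
    status=0
    err=$(kvno "$princ" 2>&1 >/dev/null) || status=$?
    classify_kvno_result "$status" "$err"
}
```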
