keytab to krb5_creds?

Russ Allbery rra at
Fri Jan 28 17:00:17 EST 2011

John Hascall <john at> writes:

> It seems to me that one ought to be able to construct a krb5_creds
> struct given a keytab (and the princ name you want from it)?  [probably
> re-inventing a number of wheels due to non-publically visible functions]

The kimpersonate tool that comes with Heimdal does essentially this.  Per
the man page:

     The kimpersonate program creates a "fake" ticket using the
     service-key of the service.  The service key can be read from a
     Kerberos 5 keytab, AFS KeyFile or (if compiled with support for
     Kerberos 4) a Kerberos 4 srvtab.

Russ Allbery (rra at             <>

More information about the Kerberos mailing list