kerberos junit test

Greg Hudson ghudson at
Thu May 7 14:29:02 EDT 2015

On 05/07/2015 02:21 PM, Brandon Allbery wrote:
> On Thu, 2015-05-07 at 17:08 +0200, Fabrice Bacchella wrote:
>> I can always provide a keytab for both the server and the client, so I
>> don't need to have a kdc running. But how can I have the service
>> ticket (host/localhost at DOMAIN) ? To get it I need a running KDC. If I
>> put it in the keytab, it will be expire, right ?

> You appear to have, among other things, some confusion about the
> difference between a key (which keytabs store) and tickets (which
> clients supply to servers, and which must be generated by a KDC although
> they can be cached from generation and delivery to client until
> expiration in a ccache). You cannot generate a service ticket from a
> service key yourself.

You certainly can in principle.  Heimdal even provides a tool called
"kimpersonate" to do it.  But aside from that, implementations don't
generally make it easy.

More information about the Kerberos mailing list