Kerberos protocol transition with unconstrained delegation (i.e. TGT impersonation)

Greg Hudson ghudson at mit.edu
Fri Oct 28 00:06:50 EDT 2022


On 10/27/22 12:36, Jeffrey Hutzelman wrote:
> You don't need libkadm5 for any of this -- all you need to print a service
> ticket (even a TGT) is the service's key. Heimdal comes with a program,
> kimpersonate, which does this and could easily be used as a basis for your
> impersonation service.

MIT krb5 has a sort-of equivalent: "kinit -k -t KDB: username".  The KDC 
is still in the loop, but no password or keytab for the user is 
required.  (Add "-S krbtgt/OTHERREALM" for a cross-realm TGT.)


