Can any of the Kerberos Servers be Queried . . .
raeburn at MIT.EDU
Fri Apr 18 13:51:34 EDT 2008
On Apr 18, 2008, at 13:03, John Stevens wrote:
> . . . for a list of all service principal name strings?
> In other words, if I wanted to find out all of the
> servers that are part of a realm/domain, is there a
> way to query the Kerberos servers to get this list?
If you have the right privileges, the kadmin protocol lets you ask for
the names of all principals. It doesn't distinguish users from
servers, and it wouldn't entirely make sense since any principal can
act in either role unless certain flags are set in the database. But
typically, server principal names will contain a "/" in the printed
form, and the second component won't be "admin" or "root" or whatever
else you might use for extra principals for users, so you can do some
filtering and get an approximate list of principals generally used in
the server role.
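
An added example, not part of the original message: the filtering heuristic described above as a shell function over a principal listing such as the output of kadmin's `listprincs`. The `USER_INSTANCES` list, the sample realm and the sample principals are constructed assumptions, and names with escaped `/` or `@` are not handled.

```shell
#!/bin/sh
# Approximate list of principals used in the server role, following the
# heuristic in the message above: keep names that contain a "/" whose
# second component is not one used for extra user principals.

# Assumption: instances your site uses for extra user principals.
USER_INSTANCES="admin root"

filter_server_principals() {
    awk -v skip="$USER_INSTANCES" '
    BEGIN {
        n = split(skip, a, " ")
        for (i = 1; i <= n; i++) user[a[i]] = 1
    }
    /[ \t]/ { next }                  # status/banner lines, not principal names
    !/@/    { next }                  # listing entries carry a realm
    {
        name = $0
        sub(/@[^@]*$/, "", name)      # strip the realm
        if (index(name, "/") == 0) next   # single component: likely a user
        split(name, comp, "/")
        if (comp[2] in user) next     # e.g. alice/admin, bob/root
        print $0
    }'
}

# Constructed sample listing (not real output from any realm).
sample_listing() {
    cat <<'EOF'
Authenticating as principal alice/admin@EXAMPLE.COM with password.
alice@EXAMPLE.COM
alice/admin@EXAMPLE.COM
bob/root@EXAMPLE.COM
host/web01.example.com@EXAMPLE.COM
HTTP/web01.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
nfs/files.example.com@EXAMPLE.COM
EOF
}

# Against a live KDC, with list privilege:
#   kadmin -p alice/admin -q listprincs | filter_server_principals
sample_listing | filter_server_principals
```

The result is approximate, as the message says: `krbtgt/EXAMPLE.COM` passes the filter, and a host principal whose second component happened to be `admin` would be dropped.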