Can any of the Kerberos Servers be Queried . . .

Ken Raeburn raeburn at MIT.EDU
Fri Apr 18 13:51:34 EDT 2008

On Apr 18, 2008, at 13:03, John Stevens wrote:
> . . . for a list of all service principal name strings?
> In other words, if I wanted to find out all of the
> servers that are part of a realm/domain, is there a
> way to query the Kerberos servers to get this list?

If you have the right privileges, the kadmin protocol lets you ask for  
the names of all principals.  It doesn't distinguish users from  
servers, and it wouldn't entirely make sense since any principal can  
act in either role unless certain flags are set in the database.  But  
typically, server principal names will contain a "/" in the printed  
form, and the second component won't be "admin" or "root" or whatever  
else you might use for extra principals for users, so you can do some  
filtering and get an approximate list of principals generally used in  
the server role.


More information about the krbdev mailing list