[EXTERNAL] RE: how to get proxy ticket?

Nebergall, Christopher cneberg at sandia.gov
Mon May 13 18:21:47 EDT 2013

Compile krb5-1.11.2/src/tests/gssapi/t_s4u.c  and you can test getting tickets for S4U2Self and S4U2Proxy.   You'll have to add your own code to cache the tickets to a ccache file.    You have to use at least 1.11 to get support for caching creds, but 1.11 also has  a bug where it doesn't work against AD.

You also have krb5-1.11.2/src/tests/gssapi/t_s4u2proxy_krb5.c which just does S4U2Proxy without S4U2Self.

Some docs are here

-----Original Message-----
From: krbdev-bounces at mit.edu [mailto:krbdev-bounces at mit.edu] On Behalf Of Wu, James C.
Sent: Monday, May 13, 2013 3:56 PM
To: krbdev at mit.edu
Subject: [EXTERNAL] RE: how to get proxy ticket?

I am trying to keep this conversation alive.  Kerberos V5 have S4U2Self and S4U2Proxy. 

Is there any command I can use for trying out this two protocols?



-----Original Message-----
From: Wu, James C. 
Sent: Monday, May 13, 2013 2:08 PM
To: Wu, James C.; krbdev at mit.edu
Subject: Re: how to get proxy ticket?

I guess I did not ask the right question. What I really want to know is how to have a service to impersonate other user via constraint delegation.
I would like to know if there is any command that I can use.


On 5/13/13 1:51 PM, "Wu, James C." <James.C.Wu at disney.com> wrote:

>I have created a service account and requested a forwardable and 
>proxiable ticket for it. Now, I want this service to take on the 
>identity of a client, how do I request a proxy ticket? The kinit 
>command does not have a proxy ticket option.
>krbdev mailing list             krbdev at mit.edu

krbdev mailing list             krbdev at mit.edu

More information about the krbdev mailing list