AW: kcpytkt to copy a service ticket for client principal not matching the default principal
josef.petermann at eoda.de
Tue Jun 16 10:23:25 EDT 2020
thanks for the hint regarding Heimdal's implementation,
we managed to use kgetcred to extract the service credential.
# kinit -k -t /etc/httpd/rstudio-server.keytab rstudio-server at LAB.BIZ
# kvno -k /etc/httpd/rstudio-server.keytab -U jpetermann -P HTTP/ip-172-20-0-118.lab.biz at LAB.BIZ
# kgetcred -n --out-cache=/home/jpetermann\@lab.biz/cache45 HTTP/ip-172-20-0-118.lab.biz at LAB.BIZ
> I have been thinking of adding some options from Heimdal's kgetcred to
> kvno, including --out-ccache, which initializes a ccache and stores the
> retrieved credential into it. Would that be adequate here?
It would be really helpful for us to have that functionality in krb5 as well, yes.
Note that we also needed to use the -n flag to create a cache in the name of the "foreign" client principal.
More information about the krbdev