Re: kcpytkt to copy a service ticket for client principal not matching the default principal

Josef Petermann josef.petermann at
Tue Jun 16 10:23:25 EDT 2020

Hi Greg,

Thanks for the hint regarding Heimdal's implementation.
We managed to use kgetcred to extract the service credential.

    # kinit -k -t /etc/httpd/rstudio-server.keytab rstudio-server@LAB.BIZ
    # kvno -k /etc/httpd/rstudio-server.keytab -U jpetermann -P HTTP/@LAB.BIZ
    # kgetcred -n --out-cache=/home/jpetermann\ HTTP/@LAB.BIZ

> I have been thinking of adding some options from Heimdal's kgetcred to
> kvno, including --out-ccache, which initializes a ccache and stores the
> retrieved credential into it.  Would that be adequate here?

It would be really helpful for us to have that functionality in krb5 as well, yes. 
Note that we also needed to use the -n flag to create a cache in the name of the "foreign" client principal.

