Hi, in short: are there any shell commands included in the MIT Kerberos Distribution to obtain a specific service ticket once I have a TGT?
Long version: I'm going to write some shell scripts supporting management of principals in our realm (combined with user management and some more stuff). I would like to include some basic sanity checks before pushing anything into the KDC database, e.g. does the principal already exist. Unfortunately, every kadmin -q 'whatever' prompts me for the password for the $USER/admin principal and I'm not able to circumvent this. From what I understand from man kadmin, I need a valid ticket for the kadmin/admin service in my credentials cache. And indeed, if I

    $ kinit -S kadmin/admin frank/admin

I can invoke

    $ kadmin -c "$KRB5CCNAME" -q 'listprincs'

without giving a password to kadmin. But this way I have to supply a password to kinit and, even worse, it destroys all other tickets the user may already have in its cache.

My idea would be to:

1. check if the shell script caller has a valid kadmin/admin service ticket in its cache; if so, use it; if not,
2. check if the caller has a valid TGT in its cache; if so, use it to obtain a kadmin/admin service ticket and use this (goto 1); if not, invoke kinit to obtain a TGT (now prompting for a password, of course) and goto 2.

I'm somewhat puzzled by all the suggestions after some googling to use a keytab for that purpose (which I consider rather insecure and ugly). I'm even more puzzled that kadmin does not do the steps I mentioned on its own. Of course, using kadmin should be done with caution, but that way the -q option is pretty useless (IMHO). Or am I missing some important point, maybe?

Are there any shell tools to do that? I'm kinda an advanced shell freak but (as you maybe noticed due to my excessive use of gotos ;-)) a poor coder. But if it requires some lines of C and someone could point me to some resources (or even better some sample lines) I would try to deal with this as well.

Thanks in advance.
Kind regards,
--
Navteq (DE) GmbH
Frank Gruellich
Map24 Systems and Networks
Duesseldorfer Strasse 40a
65760 Eschborn
Germany
Phone: +49 6196 77756-414
Fax: +49 6196 77756-100
USt-ID-No.: DE 197947163
Managing Directors: Thomas Golob, Alexander Wiegand, Hans Pieter Gieszen, Martin Robert Stockman
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
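The two-step procedure described in the mail, as an added example (not code from the original post, nor from MIT Kerberos), using only client tools shipped with the MIT distribution. The tool the question is looking for is kvno: it requests a service ticket for the named principal with the TGT already in the cache and stores the result in that same cache, so the other tickets survive (kinit -S re-initialises the cache, which is why they were lost). The script also relies on klist -s exiting non-zero when the cache is unreadable or expired, and on plain klist printing a "Ticket cache:" header, a "Default principal:" header and one line per ticket with the service principal as the last field. The admin principal name ($USER/admin), the service name kadmin/admin and the cache being the caller's default one are assumptions, overridable through the environment.

```shell
#!/bin/sh
# Added example wrapper: make sure the caller's cache holds a kadmin/admin
# service ticket, then hand the remaining arguments to kadmin -c.
# Assumed (not from the original mail): admin principal is $USER/admin.

ADMIN_PRINC="${ADMIN_PRINC:-${USER:-$(id -un)}/admin}"   # assumption
KADMIN_SVC="${KADMIN_SVC:-kadmin/admin}"

# klist_has REGEX: read `klist` output on stdin; succeed if the service
# principal (last field of a ticket line) matches REGEX.
klist_has() {
    awk -v pat="$1" '
        NF >= 3 && $NF ~ pat { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# has_service_ticket SERVICE: is a ticket for SERVICE (any realm) listed?
has_service_ticket() {
    klist_has "^$1@"
}

# has_tgt: is a ticket-granting ticket (krbtgt/REALM@REALM) listed?
has_tgt() {
    klist_has "^krbtgt/"
}

# ccache_from_klist: cache name from the "Ticket cache:" header, so that
# kadmin -c is pointed at exactly the cache klist inspected.
ccache_from_klist() {
    sed -n 's/^Ticket cache: //p' | head -n 1
}

# cache_owner_from_klist: principal named in the "Default principal:" header.
cache_owner_from_klist() {
    sed -n 's/^Default principal: //p' | head -n 1
}

# ensure_kadmin_ticket: steps 1 and 2 from the mail. Succeeds when the cache
# holds an unexpired ticket for $KADMIN_SVC.
ensure_kadmin_ticket() {
    if klist -s 2>/dev/null; then
        # Refuse to clobber a live cache that belongs to someone else's
        # principal (e.g. the user's plain login ticket): a kvno request would
        # fetch a kadmin/admin ticket for that principal, not for the admin.
        owner=$(klist | cache_owner_from_klist)
        if [ "${owner%@*}" != "$ADMIN_PRINC" ]; then
            echo "cache owned by $owner, not $ADMIN_PRINC; set KRB5CCNAME to a separate cache" >&2
            return 1
        fi
        # Step 1: service ticket already present -> nothing to do.
        if klist | has_service_ticket "$KADMIN_SVC"; then
            return 0
        fi
    fi
    # Step 2: no usable TGT -> kinit prompts for the admin principal's password.
    # Nothing valid is lost here: the cache is either unusable or lacks a TGT.
    if ! klist -s 2>/dev/null || ! klist | has_tgt; then
        kinit "$ADMIN_PRINC" || return 1
    fi
    # Still step 2: turn the TGT into a service ticket. kvno adds it to the
    # existing cache instead of re-initialising the cache as kinit -S does.
    kvno "$KADMIN_SVC" >/dev/null || return 1
    klist | has_service_ticket "$KADMIN_SVC"
}

# When run with arguments, forward them to kadmin after ensuring the ticket:
#   sh kadmin-wrap.sh -q 'listprincs'
if [ $# -gt 0 ]; then
    ensure_kadmin_ticket && kadmin -c "$(klist | ccache_from_klist)" "$@"
fi
```

Invoked as sh kadmin-wrap.sh -q 'listprincs', the script prompts for a password only when no valid TGT for the admin principal exists; a second call within the ticket lifetime passes straight through. The owner check is deliberate: rather than overwriting a cache that holds the user's ordinary tickets, it asks for a separate cache via KRB5CCNAME, which keeps the admin and non-admin credentials apart.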