On 05/07/2015 02:21 PM, Brandon Allbery wrote:
> On Thu, 2015-05-07 at 17:08 +0200, Fabrice Bacchella wrote:
>> I can always provide a keytab for both the server and the client, so I
>> don't need to have a kdc running. But how can I have the service
>> ticket (host/localhost@DOMAIN) ? To get it I need a running KDC. If I
>> put it in the keytab, it will expire, right?
> You appear to have, among other things, some confusion about the
> difference between a key (which keytabs store) and tickets (which
> clients supply to servers, and which must be generated by a KDC although
> they can be cached from generation and delivery to client until
> expiration in a ccache). You cannot generate a service ticket from a
> service key yourself.

You certainly can in principle. Heimdal even provides a tool called
"kimpersonate" to do it. But aside from that, implementations don't
generally make it easy.
________________________________________________
Kerberos mailing list           Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
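
The key-versus-ticket distinction discussed in this thread, as an added example that is not part of the original messages: a small parser for the version 0x0502 keytab file layout, showing that an entry holds a principal, a key version, an encryption type and the long-term key, with a timestamp recording when the entry was written but no start or end time, so there is nothing in it that expires the way a ticket does. The sample keytab, its key bytes, kvno and timestamp are constructed; only the principal name comes from the thread.

```python
import struct

def build_entry(realm, components, kvno, enctype, key, timestamp):
    """Serialize one keytab entry; used only to construct the sample input."""
    c = lambda b: struct.pack(">H", len(b)) + b        # 16-bit length + bytes
    body = struct.pack(">H", len(components)) + c(realm)
    body += b"".join(c(x) for x in components)
    # name type, time the entry was written, 8-bit kvno, enctype, then the key
    body += struct.pack(">IIBH", 1, timestamp, kvno & 0xFF, enctype) + c(key)
    return struct.pack(">i", len(body)) + body

def parse_entry(buf):
    off = 0
    def take(fmt):
        nonlocal off
        vals = struct.unpack_from(fmt, buf, off)
        off += struct.calcsize(fmt)
        return vals
    def counted():
        nonlocal off
        (n,) = take(">H")
        off += n
        return buf[off - n:off]
    (ncomp,) = take(">H")
    realm = counted()
    comps = [counted() for _ in range(ncomp)]
    _name_type, added, kvno, enctype = take(">IIBH")
    key = counted()
    if len(buf) - off >= 4:              # optional trailing 32-bit kvno
        kvno = take(">I")[0] or kvno
    # All fields are read at this point: no validity window exists in an entry.
    return {"principal": b"/".join(comps).decode() + "@" + realm.decode(),
            "kvno": kvno, "enctype": enctype, "key_len": len(key), "added": added}

def parse_keytab(data):
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size > 0:                     # a negative size marks a deleted slot
            entries.append(parse_entry(data[pos:pos + size]))
        pos += abs(size)
    return entries

# Constructed sample: header, one deleted 8-byte slot, one aes256 (enctype 18) entry.
SAMPLE = (b"\x05\x02" + struct.pack(">i", -8) + bytes(8) + build_entry(
    b"DOMAIN", [b"host", b"localhost"], 3, 18, bytes(range(32)), 1431011280))
```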