[36966] in Kerberos
Re: kerberos junit test
daemon@ATHENA.MIT.EDU (Greg Hudson)
Thu May 7 14:29:17 2015
Message-ID: <554BAEEE.20202@mit.edu>
Date: Thu, 07 May 2015 14:29:02 -0400
From: Greg Hudson <ghudson@mit.edu>
To: Brandon Allbery <ballbery@sinenomine.net>,
"kerberos@mit.edu" <kerberos@mit.edu>
In-Reply-To: <1431022907.24711.3.camel@vikktakkht>

On 05/07/2015 02:21 PM, Brandon Allbery wrote:
> On Thu, 2015-05-07 at 17:08 +0200, Fabrice Bacchella wrote:
>> I can always provide a keytab for both the server and the client, so I
>> don't need to have a kdc running. But how can I have the service
>> ticket (host/localhost@DOMAIN)? To get it I need a running KDC. If I
>> put it in the keytab, it will expire, right?
> You appear to have, among other things, some confusion about the
> difference between a key (which keytabs store) and tickets (which
> clients supply to servers, and which must be generated by a KDC although
> they can be cached from generation and delivery to client until
> expiration in a ccache). You cannot generate a service ticket from a
> service key yourself.

You certainly can in principle. Heimdal even provides a tool called
"kimpersonate" to do it. But aside from that, implementations don't
generally make it easy.