.. _kvno(1):

kvno
====

SYNOPSIS
--------

**kvno**
[**-c** *ccache*]
[**-e** *etype*]
[**-k** *keytab*]
[**-q**]
[**-u** | **-S** *sname*]
[**-P**]
[**--cached-only**]
[**--no-store**]
[**--out-cache** *cache*]
[[{**-F** *cert_file* | {**-I** | **-U**} *for_user*} [**-P**]] | **--u2u** *ccache*]
*service1 service2* ...


DESCRIPTION
-----------

kvno acquires a service ticket for the specified Kerberos principals
and prints out the key version numbers of each.


OPTIONS
-------

**-c** *ccache*
    Specifies the name of a credentials cache to use (if not the
    default).

**-e** *etype*
    Specifies the enctype which will be requested for the session key
    of all the services named on the command line.  This is useful in
    certain backward compatibility situations.

**-k** *keytab*
    Decrypt the acquired tickets using *keytab* to confirm their
    validity.

**-q**
    Suppress printing output when successful.  If a service ticket
    cannot be obtained, an error message will still be printed and
    kvno will exit with nonzero status.

**-u**
    Use the unknown name type in requested service principal names.
    This option cannot be used with **-S**.

**-P**
    Specifies that the *service1 service2* ... arguments are to be
    treated as services for which credentials should be acquired using
    constrained delegation.  This option is only valid when used in
    conjunction with protocol transition.

**-S** *sname*
    Specifies that the *service1 service2* ... arguments are
    interpreted as hostnames, and the service principals are to be
    constructed from those hostnames and the service name *sname*.
    The service hostnames will be canonicalized according to the usual
    rules for constructing service principals.

**-I** *for_user*
    Specifies that protocol transition (S4U2Self) is to be used to
    acquire a ticket on behalf of *for_user*.  If constrained
    delegation is not requested, the service name must match the
    credentials cache client principal.

**-U** *for_user*
    Same as **-I**, but treats *for_user* as an enterprise name.

**-F** *cert_file*
    Specifies that protocol transition is to be used, identifying the
    client principal with the X.509 certificate in *cert_file*.  The
    certificate file must be in PEM format.

**--cached-only**
    Only retrieve credentials already present in the cache, not from
    the KDC.  (Added in release 1.19.)

**--no-store**
    Do not store retrieved credentials in the cache.  If
    **--out-cache** is also specified, credentials will still be
    stored into the output credential cache.  (Added in release 1.19.)

**--out-cache** *ccache*
    Initialize *ccache* and store all retrieved credentials into it.
    Do not store acquired credentials in the input cache.  (Added in
    release 1.19.)

**--u2u** *ccache*
    Requests a user-to-user ticket.  *ccache* must contain a local
    krbtgt ticket for the server principal.  The reported version
    number will typically be 0, as the resulting ticket is not
    encrypted in the server's long-term key.
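
The following script is an added example, not part of the kvno documentation. It combines **-q**, **-k** and **--no-store** into a keytab health check that relies only on kvno's exit status; it assumes a valid TGT in the default credentials cache, and the function name ``check_keytab`` is made up for this example.

```shell
#!/bin/sh
# Added example (not from the kvno documentation): keytab health check.
# Assumes a valid TGT in the default credentials cache. The keytab path and
# principal names come from the caller; check_keytab is a hypothetical name.

# check_keytab KEYTAB SERVICE...
# Prints "STATUS principal" per service; returns 1 if any check failed.
#   OK        ticket obtained and decrypted with the keytab
#   NOTICKET  no service ticket could be obtained at all
#   BADKEY    ticket was obtainable, but the run with -k failed
check_keytab() {
    ck_keytab=$1
    shift
    ck_rc=0
    for ck_svc in "$@"; do
        # -q: no output on success, nonzero exit status on failure.
        # --no-store: keep the probe out of the credentials cache (1.19+).
        if ! kvno -q --no-store "$ck_svc" >/dev/null 2>&1; then
            echo "NOTICKET $ck_svc"
            ck_rc=1
        # -k: decrypt the acquired ticket with the keytab to confirm validity.
        elif ! kvno -q --no-store -k "$ck_keytab" "$ck_svc" >/dev/null 2>&1; then
            echo "BADKEY $ck_svc"
            ck_rc=1
        else
            echo "OK $ck_svc"
        fi
    done
    return "$ck_rc"
}

# Run as a script: check_keytab.sh /path/to/keytab principal...
if [ "$#" -ge 2 ]; then
    check_keytab "$@"
fi
```

Because **--no-store** keeps each probe out of the cache, every service costs two KDC requests; a BADKEY result means the keytab should be compared against the service's current key before the service starts rejecting clients.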


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


FILES
-----

|ccache|
    Default location of the credentials cache


SEE ALSO
--------

:ref:`kinit(1)`, :ref:`kdestroy(1)`, :ref:`kerberos(7)`