DOKK / manpages / debian 10 / heimdal-clients / kgetcred.1.en
KGETCRED(1) General Commands Manual KGETCRED(1)

kgetcredget a ticket for a particular service

kgetcred [--canonicalize] [--canonical] [-c -cache | --cache=cache] [-e enctype | --enctype=enctype] [--debug] [-H | --hostbased] [--name-type=name-type] [--no-transit-check] [--no-store] [--cached-only] [--version] [--help] principal

kgetcred [options] --hostbased principal

kgetcred [options] --hostbased service hostname [extra-components]

kgetcred obtains a ticket for the given service principal. Usually tickets for services are obtained automatically when needed but sometimes for some odd reason you want to obtain a particular ticket or of a special type.

If --hostbased is given then the given service principal name will be canonicalized (see below).

The third form constructs a host-based principal from the given service name and hostname. The service name "host" is used if the given service name in the third usage is the empty string.

For host-based names, the local host's hostname is used if the given hostname is the empty string or if the principal has a single component.

Any additional components will be included, even for host-based service principal names, but there are no defaults nor local canonicalization rules for additional components.

Local name canonicalization rules are applied unless the --canonical option is given. Currently local name canonicalization rules are supported only for host-based principal names' hostname component.

The principal's realm name may be canonicalized by following Kerberos referrals from the client principal's home realm if the --canonicalize option is given or if the local name canonicalization rules are configured to use referrals.

Supported options:

requests that the KDC canonicalize the principal. Currently this only canonicalizes the realm by chasing referrals from the user's start realm, but in the future this may also enable the KDC to canonicalize the complete principal name.
turns off local canonicalization of the principal name.
name-type
the name-type to use when parsing the principal name.
is short for --name-type=srv_hst.
cache, --cache=cache
the credential cache to use.
cache
the credential cache to use for delegation.
enctype, --enctype=enctype
encryption type to use.
requests that the KDC doesn't do transit checking.
do not store tickets in the ccache.
do not talk the TGS, search only the ccache.
 
enables debug output to stderr.
 
 

If the --canonical option is used, then no further canonicalization should be done locally by the client (for example, DNS), but if --canonicalize is used, then the client will ask that the KDC canonicalize the name.

If the --canonicalize option is used with --hostbased a host-based name-type, and --canonical is not used, then the hostname will be canonicalized according to the name canonicalization rules in krb5.conf.

GSS-API initiator applications with host-based services will get the same behavior as using the --canonicalize --hostbased options here.

kinit(1), klist(1), krb5.conf(5), krb5_openlog(3)

March 12, 2004 HEIMDAL