kvno - print key version numbers of Kerberos principals
kvno [-c ccache] [-e etype]
[-k keytab] [-q] [-u | -S sname]
[-P] [--cached-only] [--no-store] [--out-cache
cache] [[{-F cert_file | {-I | -U}
for_user} [-P]] | --u2u ccache] service1
service2 ...
kvno acquires a service ticket for the specified Kerberos
principals and prints out the key version numbers of each.
- -c ccache
- Specifies the name of a credentials cache to use (if not the default)
- -e etype
- Specifies the enctype which will be requested for the session key of all
the services named on the command line. This is useful in certain backward
compatibility situations.
- -k keytab
- Decrypt the acquired tickets using keytab to confirm their
validity.
- -q
- Suppress printing output when successful. If a service ticket cannot be
obtained, an error message will still be printed and kvno will exit with
nonzero status.
- -u
- Use the unknown name type in requested service principal names. This
option Cannot be used with -S.
- -P
- Specifies that the service1 service2 ... arguments are to be
treated as services for which credentials should be acquired using
constrained delegation. This option is only valid when used in conjunction
with protocol transition.
- -S sname
- Specifies that the service1 service2 ... arguments are interpreted
as hostnames, and the service principals are to be constructed from those
hostnames and the service name sname. The service hostnames will be
canonicalized according to the usual rules for constructing service
principals.
- -I for_user
- Specifies that protocol transition (S4U2Self) is to be used to acquire a
ticket on behalf of for_user. If constrained delegation is not
requested, the service name must match the credentials cache client
principal.
- -U for_user
- Same as -I, but treats for_user as an enterprise name.
- -F cert_file
- Specifies that protocol transition is to be used, identifying the client
principal with the X.509 certificate in cert_file. The certificate
file must be in PEM format.
- --cached-only
- Only retrieve credentials already present in the cache, not from the KDC.
(Added in release 1.19.)
- --no-store
- Do not store retrieved credentials in the cache. If --out-cache is
also specified, credentials will still be stored into the output
credential cache. (Added in release 1.19.)
- --out-cache
ccache
- Initialize ccache and store all retrieved credentials into it. Do
not store acquired credentials in the input cache. (Added in release
1.19.)
- --u2u
ccache
- Requests a user-to-user ticket. ccache must contain a local krbtgt
ticket for the server principal. The reported version number will
typically be 0, as the resulting ticket is not encrypted in the server's
long-term key.
See kerberos(7) for a description of Kerberos environment
variables.