Reputation: 1733
If I type kinit into my terminal:
kinit
...then I get the following Kerberos authentication prompt:
Password for [email protected]:
What I'm wondering is, is there a way to programmatically get the [email protected] string via the shell (or Python)? kinit somehow knows who the default user is (in my case, JayFrizzle). Is there a way I can get this information, either via calling Kerberos or from a preexisting file on my computer?
Upvotes: 0
Views: 6868
Reputation: 1
Try the oklist command; it will display the default principal, like below.
Default principal: [email protected]
Valid starting Expires Service principal.
Upvotes: 0
Reputation: 312128
The short answer is that there is no reliable mechanism by which you can determine the Kerberos principal of a user before they have acquired a valid Kerberos ticket.
As I mentioned in the comment, kinit will use your local username as the username portion of your Kerberos principal. But: there's no guarantee that this is correct; it's entirely possible that someone may always kinit with an explicit username that differs from their local username.
And it's even trickier than that: depending on the local system configuration, kinit may not even be involved in acquiring a Kerberos token. For example, the sssd authentication service supports Kerberos natively, and has its own configuration that is completely separate from that used by the MIT (or Heimdal) Kerberos packages.
SSSD allows for mapping between local usernames and Kerberos principal names (so that, for example, when you log into your local system as JayFrizzle you will automatically acquire a Kerberos ticket for [email protected]).
This also means that determining the Kerberos domain isn't really possible, either. If you're just using the MIT Kerberos tools, you could in theory parse the default domain out of /etc/krb5.conf ...but again, this may or may not actually be correct (because the user can specify an explicit domain name when running kinit).
So if you know your environment, and you know you're only relying on the traditional MIT Kerberos command line tools, you can use the local username and the default domain from /etc/krb5.conf to get the information you want.
But realistically, you should just require that the user acquire credentials via some other means, and then use klist or some programmatic analog to get the principal name.
Upvotes: 1
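An added example, not part of either answer above, of the approach the last answer describes: read the principal from klist when a ticket exists, and otherwise fall back to the local username plus default_realm from /etc/krb5.conf, marking that result as a guess. The function names and the alice@EXAMPLE.COM sample data are constructed for illustration.

```python
import getpass
import os
import re
import subprocess

# Constructed samples (not from the page): MIT-style klist output and a krb5.conf.
SAMPLE_KLIST = "Ticket cache: FILE:/tmp/krb5cc_1000\nDefault principal: alice@EXAMPLE.COM\n"
SAMPLE_CONF = "# comment\n[libdefaults]\n  default_realm = EXAMPLE.COM\n[realms]\n"

def principal_from_klist(text):
    """Principal named in klist output (MIT 'Default principal:', Heimdal 'Principal:')."""
    m = re.search(r"^\s*(?:Default principal|Principal):\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def default_realm(conf_text):
    """default_realm from [libdefaults]; include/includedir directives are not followed."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def current_principal(conf_path="/etc/krb5.conf"):
    """Return (principal, source). 'ticket' comes from klist; 'guess' assumes
    kinit's default of local username plus default_realm and may be wrong."""
    try:
        env = {**os.environ, "LC_ALL": "C"}  # keep klist labels untranslated
        out = subprocess.run(["klist"], capture_output=True, text=True,
                             timeout=5, env=env).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""  # klist missing or hung: fall through to the guess
    principal = principal_from_klist(out)
    if principal:
        return principal, "ticket"
    try:
        with open(conf_path) as fh:
            realm = default_realm(fh.read())
    except OSError:
        realm = None
    if realm is None:
        return None, "unknown"
    return f"{getpass.getuser()}@{realm}", "guess"
```

Callers should treat a "guess" result as a hint for a prompt only, since SSSD mappings or an explicit principal passed to kinit can make it differ from the principal actually used.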