How to get Kerberos default principal

Question:

if I type kinit into my terminal:

kinit

…then I get the following Kerberos authentication prompt:

Password for [email protected]:

What I’m wondering is, is there a way to programmatically get the [email protected] string via the shell (or python)? kinit somehow knows who the default user is (in my case, JayFrizzle). Is there a way I can get this information, either via calling Kerberos or from a preexisting file on my computer?

Asked By: touch my body


Answers:

The short answer is that there is no reliable mechanism by which you can determine the Kerberos principal of a user before they have acquired a valid Kerberos ticket.

As I mentioned in the comment, kinit will use your local username as the username portion of your Kerberos principal. But: there’s no guarantee that this is correct; it’s entirely possible that someone may always kinit with an explicit username that differs from their local username.

And it’s even trickier than that: depending on the local system configuration, kinit may not even be involved in acquiring a Kerberos token. For example, the sssd authentication service supports Kerberos natively, and has its own configuration that is completely separate from that used by the MIT (or Heimdal) Kerberos packages.

SSSD allows for mapping between local usernames and Kerberos principal names (so that, for example, when you log into your local system as JayFrizzle you will automatically acquire a Kerberos ticket for [email protected]).

This also means that determining the Kerberos domain isn’t really possible, either. If you’re just using the MIT Kerberos tools, you could in theory parse the default domain out of /etc/krb5.conf…but again, this may or may not actually be correct (because the user can specify an explicit domain name when running kinit).

So if you know your environment, and you know you’re only relying on the traditional MIT Kerberos command line tools, you can use the local username and the default domain from /etc/krb5.conf to get the information you want.

But realistically, you should just require that the user acquire credentials via some other means, and then use klist or some programmatic analog to get the principal name.

Answered By: larsks
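The "local username plus default_realm from krb5.conf" fallback described in the answer above, written out as an added Python example (not code from the original post). The krb5.conf text is constructed inline so the parser runs offline; when called without arguments it reads the file named by the KRB5_CONFIG environment variable (which MIT Kerberos honours) or /etc/krb5.conf. As the answer says, the result is only a guess: nothing confirms that this principal is the one the user will actually authenticate as.

```python
import getpass
import os
import re

# Constructed sample krb5.conf (not from the original page), used for offline testing.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true   # trailing comment, must be ignored

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        admin_server = kdc.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
"""

_SECTION_RE = re.compile(r'^\[(\w+)\]$')


def parse_default_realm(text):
    """Return default_realm from the [libdefaults] section, or None if absent.

    Handles the INI-like krb5.conf layout: [section] headers, key = value lines,
    '#'/';' comments, and nested { ... } blocks (e.g. per-realm settings) which
    must not be mistaken for top-level keys.
    """
    section = None
    depth = 0  # nesting level inside { } blocks
    for raw in text.splitlines():
        line = re.split(r'[#;]', raw, maxsplit=1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m and depth == 0:
            section = m.group(1).lower()
            continue
        depth += line.count('{') - line.count('}')
        if section == 'libdefaults' and depth == 0 and '=' in line:
            key, _, value = line.partition('=')
            if key.strip().lower() == 'default_realm':
                return value.strip()
    return None


def guess_principal(conf_text=None, username=None):
    """Best-effort principal guess: <local username>@<default_realm>.

    Returns None when no default_realm is configured. This mirrors what kinit
    does when given no principal, but is NOT proof of the user's real principal.
    """
    if conf_text is None:
        path = os.environ.get('KRB5_CONFIG', '/etc/krb5.conf')
        with open(path, encoding='utf-8') as fh:
            conf_text = fh.read()
    realm = parse_default_realm(conf_text)
    if realm is None:
        return None
    if username is None:
        username = getpass.getuser()
    return f"{username}@{realm}"


if __name__ == "__main__":
    try:
        print("guessed principal:", guess_principal())
    except OSError as exc:
        print("could not read krb5.conf:", exc)
```

Running the file on a host with MIT Kerberos installed prints the guess; the parse functions can also be imported and pointed at any krb5.conf text.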

Try with the klist command; it will display the default principal like below.

Default principal: [email protected]

Valid starting Expires Service principal.

Answered By: MAYUR SARAP
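The klist approach recommended in both answers above, as an added Python example that is not from either post: it runs klist, treats a non-zero exit (no credentials cache, as in the "klist: No credentials cache found" message) as "no principal", and extracts the principal from the output. The parser assumes MIT's "Default principal:" line and, as an assumption, Heimdal's "Principal:" line; Windows' built-in klist prints a different format and is not handled. The sample output is constructed inline so the parser can be tested offline.

```python
import re
import shutil
import subprocess

# Constructed MIT-style klist output (not from the original page), for offline testing.
SAMPLE_KLIST_OUTPUT = """\
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: JayFrizzle@EXAMPLE.COM

Valid starting       Expires              Service principal
01/01/2024 10:00:00  01/01/2024 20:00:00  krbtgt/EXAMPLE.COM@EXAMPLE.COM
"""

# Matches "Default principal: user@REALM" (MIT) and, assumed, "Principal: user@REALM" (Heimdal).
# The column header "Service principal" has no colon, so it does not match.
_PRINCIPAL_RE = re.compile(r'^[ \t]*(?:Default )?[Pp]rincipal:[ \t]*(\S+)[ \t]*$', re.MULTILINE)


def parse_principal(klist_text):
    """Return the principal named in klist output, or None if none is present."""
    m = _PRINCIPAL_RE.search(klist_text)
    return m.group(1) if m else None


def current_principal():
    """Run klist and return the principal of the active credentials cache.

    Returns None when klist is not installed, exits non-zero (typically because
    there is no credentials cache), or prints no principal line.
    """
    if shutil.which('klist') is None:
        return None
    result = subprocess.run(['klist'], capture_output=True, text=True)
    if result.returncode != 0:
        return None
    return parse_principal(result.stdout)


if __name__ == "__main__":
    principal = current_principal()
    if principal is None:
        print("no Kerberos credentials found; run kinit first")
    else:
        print("current principal:", principal)
```

Because klist only reports what is already in the credentials cache, this gives the principal the user actually authenticated as, rather than a guess from the local username.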