How to automate kinit process to obtain TGT for Kerberos?
Solution 1
Stupid me, you can simply use the following command:
echo "password" | kinit aduser@REALM
Solution 2
While you can just hard-code the password into your automation, the more correct Kerberos way to do this is to create a keytab for the principal and then use that to authenticate. kinit supports authenticating from a keytab using the -k -t <keytab-path> options.
The primary advantage of a keytab is that it isolates the credentials in a separate file and can be used directly by various Kerberos software (so you don't have to add code to read a password from a separate file). It can also be created with standard commands (with an AD KDC, use ktpass). There are some more advantages if you had a Linux KDC, such as easily randomizing keys stored in the keytab rather than using a weaker password.
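The keytab login described in this answer, as an added example (not code from the answer or from any project): a script a cron job or a Puppet exec can call to make sure a valid TGT is in the cache, authenticating with kinit -k -t so no password is typed, piped or put on a command line. The principal name (svc-puppet@EXAMPLE.COM) and keytab path (/etc/puppet.keytab) are assumed placeholders; it expects the MIT Kerberos client tools (kinit, klist), and it checks the keytab's permissions first, because the keytab holds the principal's long-term key and is as sensitive as the password it replaces.

```shell
#!/bin/sh
# Added example, not part of the answer above: refresh a TGT from a keytab
# non-interactively. PRINCIPAL and KEYTAB below are assumed placeholders.
# Needs MIT Kerberos client tools (kinit, klist) to actually obtain a ticket.

PRINCIPAL="${PRINCIPAL:-svc-puppet@EXAMPLE.COM}"   # assumed principal
KEYTAB="${KEYTAB:-/etc/puppet.keytab}"             # assumed keytab path

# A keytab contains the principal's long-term key, which is equivalent to its
# password. Refuse to use one that is missing or readable by anyone but its owner.
keytab_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    # GNU stat first, BSD/macOS stat as a fallback
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Does the default credential cache already hold an unexpired TGT?
# klist -s prints nothing and exits 0 if so, 1 otherwise, so it is script-safe.
have_valid_tgt() {
    klist -s 2>/dev/null
}

# Obtain (or refresh) the TGT from the keytab. No password ever appears on a
# command line, on stdin, or in the process environment.
ensure_tgt() {
    if have_valid_tgt; then
        return 0
    fi
    keytab_perms_ok "$KEYTAB" || {
        echo "refusing to use $KEYTAB: missing or readable by others" >&2
        return 1
    }
    # -k: authenticate with a key from a keytab; -t: which keytab file to use.
    kinit -k -t "$KEYTAB" "$PRINCIPAL"
}

# Only contact the KDC when explicitly asked ("sh script.sh run"), so the file
# can be sourced for its functions without side effects.
if [ "${1:-}" = "run" ]; then
    ensure_tgt
fi
```

Two checks worth keeping in mind when the kinit in this script fails: the key version number (kvno) stored in the keytab must match the one the KDC holds for the principal (with MIT ktutil you set it explicitly with addent -k; with an AD KDC it is the account's msDS-KeyVersionNumber), and the keytab's enctypes must be ones the KDC accepts for that principal. klist -k -t /etc/puppet.keytab shows the principals, kvnos and timestamps in the file without contacting the KDC.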
Solution 3
According to the man-page you might use:
kinit --password-file="$HOME/my.secret" [email protected]
So you just might provide your password via a file.
user3622502
Updated on September 18, 2022

Comments
- user3622502 over 1 year
I'm currently writing a puppet module to automate the process of joining RHEL servers to an AD domain, with support for Kerberos.
Currently, I have problems with automatically obtaining and caching a Kerberos ticket-granting ticket via kinit. If this were to be done manually, I would do this: kinit [email protected]
This prompts for the AD user password, hence there is a problem with automating this.
How can I automate this? I've found some posts mentioning using kadmin to create a database with the AD user's password in it, but I've had no luck.
- Dejan about 9 years
echo -n "$PASS" | kinit "$USER" (-n: do not output the trailing newline)
- Havnar over 8 years
Or print a poster with your password and hang it out! Storing your password in plain text is a no-no.
- Dennis Jaheruddin almost 8 years
Keytab definitely seems to be the way to go. If you generate this in kadmin, make sure to use the -norandkey flag in ktadd if you don't want to invalidate the existing password.
- Indranil Gayen over 5 years
Does it work in Windows?
- Sam Morris over 2 years
FYI, --password-file= is available with the kinit command that comes as a part of Heimdal Kerberos. It's not available with MIT Kerberos' kinit command.