Path: utzoo!utgpu!news-server.csri.toronto.edu!rpi!usc!elroy.jpl.nasa.gov!decwrl!stanford.edu!ATHENA.MIT.EDU!tytso
From: tytso@ATHENA.MIT.EDU (Theodore Ts'o)
Newsgroups: comp.protocols.kerberos
Subject: Re: Why ksrvtgt?
Message-ID: <9106101935.AA16517@tsx-11.MIT.EDU>
Date: 10 Jun 91 19:35:30 GMT
References: <33990@shamash.cdc.com>
Sender: news@shelby.stanford.edu (USENET News System)
Reply-To: tytso@athena.mit.edu
Organization: Internet-USENET Gateway at Stanford University
Lines: 17


   Date: 10 Jun 91 15:40:31 GMT
   From: rem@raistlin.Stanford.EDU

   I have read the man page on ksrvtgt(1) for Kerberos 4.0 but do not
   understand where/why it would be used.  Does anyone have any examples?

An example: You have a nightly cron job running on a server which needs
Kerberos authentication to another server.  Since in Kerberos, service
identities and user identities are identical, you can use ksrvtgt to
fetch Kerberos ticket-granting-tickets using the service principal and
key stored in /etc/srvtab.  (Note: this means that your cron job must
have access to the srvtab).  You can then put "rcmd.<hostname>" on the
access control list of the second server, and then the first server can
obtain the privileges it needs to do its nightly task.

						- Ted