NAME

       kgetcred — get a ticket for a particular service

SYNOPSIS

       kgetcred  [--canonicalize]  [--canonical]  [-c  -cache  | --cache=cache] [-e enctype | --enctype=enctype]
                [--debug]  [-H  |   --hostbased]   [--name-type=name-type]   [--no-transit-check]   [--no-store]
                [--cached-only] [-n | --anonymous] [--version] [--help] principal
       kgetcred [options] --hostbased principal
       kgetcred [options] --hostbased service hostname [extra-components]

DESCRIPTION

       kgetcred  obtains  a  ticket  for the given service principal.  Usually tickets for services are obtained
       automatically when needed but sometimes for some odd reason you want to obtain a particular ticket or  of
       a special type.

       If --hostbased is given then the given service principal name will be canonicalized (see below).

       The  third  form constructs a host-based principal from the given service name and hostname.  The service
       name "host" is used if the given service name in the third usage is the empty string.

       For host-based names, the local host's hostname is used if the given hostname is the empty string  or  if
       the principal has a single component.

       Any additional components will be included, even for host-based service principal names, but there are no
       defaults nor local canonicalization rules for additional components.

       Local  name  canonicalization  rules are applied unless the --canonical option is given.  Currently local
       name canonicalization rules are supported only for host-based principal names' hostname component.

       The principal's realm name  may  be  canonicalized  by  following  Kerberos  referrals  from  the  client
       principal's  home realm if the --canonicalize option is given or if the local name canonicalization rules
       are configured to use referrals.

       Supported options:

       --canonicalize
               requests that the KDC canonicalize the principal.  Currently this only canonicalizes the realm by
               chasing referrals from the user's start realm, but in the future this may also enable the KDC  to
               canonicalize the complete principal name.

       --canonical
               turns off local canonicalization of the principal name.

       --name-type=name-type
               the name-type to use when parsing the principal name.

       --hostbased
               is short for --name-type=srv_hst.

       -c cache, --cache=cache
               the credential cache to use.

       --delegation-credential-cache=cache
               the credential cache to use for delegation.

       -e enctype, --enctype=enctype
               encryption type to use.

       --no-transit-check
               requests that the KDC doesn't do transit checking.

       --no-store
               do not store tickets in the ccache.

       --cached-only
               do not talk the TGS, search only the ccache.

       --anonymous
               obtain an anonymous service ticket.

       --forwardable

       --debug
               enables debug output to stderr.

       --version

       --help

       If  the --canonical option is used, then no further canonicalization should be done locally by the client
       (for example, DNS), but if --canonicalize is used, then the client will ask that the KDC canonicalize the
       name.

       If the --canonicalize option is used with --hostbased a host-based  name-type,  and  --canonical  is  not
       used, then the hostname will be canonicalized according to the name canonicalization rules in krb5.conf.

       GSS-API  initiator  applications  with  host-based  services  will  get  the  same  behavior as using the
       --canonicalize --hostbased options here.

SEE ALSO

       kinit(1), klist(1), krb5.conf(5), krb5_openlog(3)

HEIMDAL                                          March 12, 2004                                      KGETCRED(1)