1KVNO(1) MIT Kerberos KVNO(1)
2
3
4
6 kvno - print key version numbers of Kerberos principals
7
9 kvno [-c ccache] [-e etype] [-k keytab] [-q] [-u | -S sname] [-P]
10 [--cached-only] [--no-store] [--out-cache cache] [[{-F cert_file | {-I
11 | -U} for_user} [-P]] | --u2u ccache] service1 service2 ...
12
14 kvno acquires a service ticket for the specified Kerberos principals
15 and prints out the key version numbers of each.
16
18 -c ccache
19 Specifies the name of a credentials cache to use (if not the de‐
20 fault)
21
22 -e etype
23 Specifies the enctype which will be requested for the session
24 key of all the services named on the command line. This is use‐
25 ful in certain backward compatibility situations.
26
27 -k keytab
28 Decrypt the acquired tickets using keytab to confirm their va‐
29 lidity.
30
31 -q Suppress printing output when successful. If a service ticket
32 cannot be obtained, an error message will still be printed and
33 kvno will exit with nonzero status.
34
35 -u Use the unknown name type in requested service principal names.
36 This option Cannot be used with -S.
37
38 -P Specifies that the service1 service2 ... arguments are to be
39 treated as services for which credentials should be acquired us‐
40 ing constrained delegation. This option is only valid when used
41 in conjunction with protocol transition.
42
43 -S sname
44 Specifies that the service1 service2 ... arguments are inter‐
45 preted as hostnames, and the service principals are to be con‐
46 structed from those hostnames and the service name sname. The
47 service hostnames will be canonicalized according to the usual
48 rules for constructing service principals.
49
50 -I for_user
51 Specifies that protocol transition (S4U2Self) is to be used to
52 acquire a ticket on behalf of for_user. If constrained delega‐
53 tion is not requested, the service name must match the creden‐
54 tials cache client principal.
55
56 -U for_user
57 Same as -I, but treats for_user as an enterprise name.
58
59 -F cert_file
60 Specifies that protocol transition is to be used, identifying
61 the client principal with the X.509 certificate in cert_file.
62 The certificate file must be in PEM format.
63
64 --cached-only
65 Only retrieve credentials already present in the cache, not from
66 the KDC. (Added in release 1.19.)
67
68 --no-store
69 Do not store retrieved credentials in the cache. If --out-cache
70 is also specified, credentials will still be stored into the
71 output credential cache. (Added in release 1.19.)
72
73 --out-cache ccache
74 Initialize ccache and store all retrieved credentials into it.
75 Do not store acquired credentials in the input cache. (Added in
76 release 1.19.)
77
78 --u2u ccache
79 Requests a user-to-user ticket. ccache must contain a local
80 krbtgt ticket for the server principal. The reported version
81 number will typically be 0, as the resulting ticket is not en‐
82 crypted in the server's long-term key.
83
85 See kerberos for a description of Kerberos environment variables.
86
88 FILE:/tmp/krb5cc_%{uid}
89 Default location of the credentials cache
90
92 kinit, kdestroy, kerberos
93
95 MIT
96
98 1985-2022, MIT
99
100
101
102
1031.19.2 KVNO(1)