Provided by: krb5-user_1.20-1_amd64 bug


       kvno - print key version numbers of Kerberos principals


       kvno  [-c  ccache]  [-e  etype]  [-k  keytab]  [-q]  [-u  | -S sname] [-P] [--cached-only]
       [--no-store] [--out-cache cache] [[{-F cert_file | {-I  |  -U}  for_user}  [-P]]  |  --u2u
       ccache] service1 service2 ...


       kvno  acquires  a  service ticket for the specified Kerberos principals and prints out the
       key version numbers of each.


       -c ccache
              Specifies the name of a credentials cache to use (if not the default)

       -e etype
              Specifies the enctype which will be requested  for  the  session  key  of  all  the
              services   named  on  the  command  line.   This  is  useful  in  certain  backward
              compatibility situations.

       -k keytab
              Decrypt the acquired tickets using keytab to confirm their validity.

       -q     Suppress printing output when successful.  If a service ticket cannot be  obtained,
              an error message will still be printed and kvno will exit with nonzero status.

       -u     Use the unknown name type in requested service principal names.  This option Cannot
              be used with -S.

       -P     Specifies that the service1 service2 ...  arguments are to be treated  as  services
              for which credentials should be acquired using constrained delegation.  This option
              is only valid when used in conjunction with protocol transition.

       -S sname
              Specifies that the service1 service2 ... arguments are  interpreted  as  hostnames,
              and  the  service  principals  are  to  be constructed from those hostnames and the
              service name sname.  The service hostnames will be canonicalized according  to  the
              usual rules for constructing service principals.

       -I for_user
              Specifies  that protocol transition (S4U2Self) is to be used to acquire a ticket on
              behalf of for_user.  If constrained delegation is not requested, the  service  name
              must match the credentials cache client principal.

       -U for_user
              Same as -I, but treats for_user as an enterprise name.

       -F cert_file
              Specifies  that protocol transition is to be used, identifying the client principal
              with the X.509 certificate in cert_file.  The  certificate  file  must  be  in  PEM

              Only  retrieve  credentials already present in the cache, not from the KDC.  (Added
              in release 1.19.)

              Do not store retrieved credentials in the cache.  If --out-cache is also specified,
              credentials  will  still  be  stored  into  the output credential cache.  (Added in
              release 1.19.)

       --out-cache ccache
              Initialize ccache and store all  retrieved  credentials  into  it.   Do  not  store
              acquired credentials in the input cache.  (Added in release 1.19.)

       --u2u ccache
              Requests  a user-to-user ticket.  ccache must contain a local krbtgt ticket for the
              server principal.  The  reported  version  number  will  typically  be  0,  as  the
              resulting ticket is not encrypted in the server's long-term key.


       See kerberos(7) for a description of Kerberos environment variables.


              Default location of the credentials cache


       kinit(1), kdestroy(1), kerberos(7)




       1985-2022, MIT