OSF DCE Administration Guide--Core Components

ManualsBrandsHP ManualsServerHP NonStop G-Series

401

402

403

404

405

406

407

408

409

410

OSF DCE Administration Guide—Core Components

Identity Info Expires: 91/10/03:12:07:18

Account Expires: 91/12/31:12:00:00

Passwd Expires: 91/10/31:12:00:00

31.4.3.3 The Third Part of the klist Display—Tickets

The third and ﬁnal part of the klist display shows the principal’s ticket information and

the name of the principal’s ticket cache. The ﬁrst three tickets labeled Server in the

following display are the tickets used after the principal logged in and obtained privilege

attributes. The display for all principals has these entries.

The remaining tickets labeled Client show the principal’s ticket-granting ticket and

service tickets. In the listing for each ticket after the word Client, the display shows the

name of the privilege server, a server that grants privilege attributes after the principal’s

identity has been authenticated by the DCE Security Service. The name of the server to

which the principal has tickets is shown after the Server entry, and the dates and times

these tickets are valid are shown on the following line. For example, in the following

sample display, the last line shows that the principal has a ticket to the server named

ﬁle_server. The lifetime of this ticket is from 1:24 and 2 seconds p.m. on 10/2/91 to

12:07 and 18 seconds p.m. on 10/3/91. (The time is shown in 24-hour format.)

Kerberos Ticket Information:

Ticket cache: /tmp/dcecred_17a80000

Default principal: music/mozart@dresden.com

Server: krbtgt/dresden@dresden.com

valid 91/10/02:12:07:18 to 91/10/03:12:07:18

Server:dce/rgy@dresden.com

valid 91/10/02:12:07:20 to 91/10/03:12:07:18

Server:dce/ptgt@dresden.com

valid 91/10/02:12:07:49 to 91/10/03:12:07:18

Client:dce/ptgt@dresden Server:krbtgt/dresden@dresden.com

valid 91/10/02:12:07:50 to 91/10/03:12:07:18

Client:dce/ptgt@dresden.com Server:dce/rgy@dresden.com

valid 91/10/02:12:07:53 to 91/10/03:12:07:18

Client:dce/ptgt@dresden.com Server:file_server@dresden.com

valid 91/10/02:13:24:02 to 91/10/03:12:07:18

31.4.4 Destroying a Principal’s Tickets

Use the kdestroy command to invalidate the tickets that a principal has acquired. When

the principal logs out, the principal’s tickets are not destroyed; they remain valid until

they expire. DCE users may want to use kdestroy just before they log out to ensure that

no valid tickets remain. However, if the principal has the kernel-resident ticket cache,

the principal’s tickets are destroyed when the principal’s last process terminates. This

31 − 6 Tandem Computers Incorporated 124243