Obtain krb ticket for another user

Asked Mar 10 '15 at 11:45

Active Mar 10 '15 at 12:51

Viewed 165 times

I have a system account in my domain (DOM\sys) and it has access to service cifs/server@DOM. I want to obtain a ticket for this service using my own account (DOM\user). In other words I need sudo-like mechanism for kerberos - to obtain sys'es ticket without using his password. My flow would be:

obtain TGT for user
using this TGT obtain ticket to cifs/server@DOM for sys
now user can talk to server on behalf of sys

I searched for delegation / impersonation in kerberos, and found something, but it seems it isn't what I need (it "forwards" the identity proof, but still requires sys to provide password)

It looks like ksu is similar to what I need, but it works only for access to local account (here, second bullet)

edited Mar 10 '15 at 12:51

asked Mar 10 '15 at 11:45

joozek

Mimikatz.... ;) – Ryan Ries Mar 10 '15 at 12:04
What exactly is it you are trying to accomplish? – Jim B Mar 10 '15 at 12:50
@JimB To obtain ticket for `sys` using existing ticket for `user`. Just like sudo does on local systems. – joozek Mar 10 '15 at 12:53
I don't think you can do that. Just log in to the computer and ksu to the user you need to be... – jmp242 Mar 10 '15 at 14:06
@jmp242 The point is I need what ksu describes as "network permissions" - a ticket for another service. It's not granted by ksu – joozek Mar 10 '15 at 14:08

Obtain krb ticket for another user

0 Answers0