pub fn verify_credential(
tools: &Tools,
identity: &MachineIdentity,
) -> Result<()>Expand description
Prove the machine credential works: kinit -k into a private throwaway
cache, then destroy it. Equivalent to adcli testjoin.
The cache lives in a freshly-created private (0700) directory rather than
a predictable bare path in /tmp — mkdir fails on a pre-existing entry
(including an attacker’s symlink), so root never writes a ticket through a
path someone else planted.