System Administration Guide: Security Services

Administering Kerberos Principals

This section provides the step-by-step instructions used to administer principals with the SEAM Tool. This section also provides examples of command-line equivalents, when available.

Administering Kerberos Principals (Task Map)

Task: View the list of principals.
Description: View the list of principals by clicking the Principals tab.
For Instructions: How to View the List of Kerberos Principals

Task: View a principal's attributes.
Description: View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button.
For Instructions: How to View a Kerberos Principal's Attributes

Task: Create a new principal.
Description: Create a new principal by clicking the Create New button in the Principal List panel.
For Instructions: How to Create a New Kerberos Principal

Task: Duplicate a principal.
Description: Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button.
For Instructions: How to Duplicate a Kerberos Principal

Task: Modify a principal.
Description: Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.
For Instructions: How to Modify a Kerberos Principal

Task: Delete a principal.
Description: Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button.
For Instructions: How to Delete a Kerberos Principal

Task: Set up defaults for creating new principals.
Description: Set up defaults for creating new principals by choosing Properties from the Edit menu.
For Instructions: How to Set Up Defaults for Creating New Kerberos Principals

Task: Modify the Kerberos administration privileges (kadm5.acl file).
Description: Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal.
For Instructions: How to Modify the Kerberos Administration Privileges

Automating the Creation of New Kerberos Principals

Even though the SEAM Tool provides ease of use, it does not provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.

The following shell script line is an example of how to automate the creation of new principals:

awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames |
        time /usr/sbin/kadmin.local > /dev/null

This example is split over two lines for readability. The script reads a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You must create the princnames file yourself, with one principal name and its password per line, separated by one or more spaces; awk turns each line into an add_principal (ank) command of the form ank +needchange -pw password principal, and kadmin.local executes the commands it reads on standard input. The +needchange option flags the principal so that the user must choose a new password the first time the principal is used to log in. This practice helps to ensure that the passwords in the princnames file are not a lasting security risk, but the file still holds cleartext initial passwords while it exists: create it with permissions that allow only root to read it, and delete it as soon as the principals have been created.

You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site's needs and your scripting expertise.
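The same automation as the awk line above, written out as an added example that is not code from the guide: it validates each line of the princnames file before anything reaches kadmin.local, creates the sample file with root-only permissions, and keeps kadmin.local's output visible so that a failed add is noticed. The path /usr/sbin/kadmin.local is the one the page uses; the function names, the helper that writes the sample file, and the sample principals and passwords are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the guide): bulk-create principals from a
# "principal password" file, as the awk one-liner does, but with input
# validation and careful handling of the cleartext password file.
# Assumption: kadmin.local is /usr/sbin/kadmin.local, as on this page.

# Turn each "principal password" line into one kadmin add_principal (ank)
# command. Blank lines and lines starting with '#' are skipped. A line with a
# missing password, more than two fields (passwords with whitespace), or a
# quote character is rejected, because kadmin would misparse it; the function
# then returns 1 and emits nothing further.
gen_kadmin_cmds() {
    infile=$1
    lineno=0
    while read -r name pw extra || [ -n "$name" ]; do
        lineno=$((lineno + 1))
        case "$name" in ''|'#'*) continue ;; esac
        if [ -z "$pw" ] || [ -n "$extra" ]; then
            echo "$infile: line $lineno: expected 'principal password'" >&2
            return 1
        fi
        case "$pw" in *'"'*|*"'"*)
            echo "$infile: line $lineno: quote characters are not supported" >&2
            return 1 ;;
        esac
        # Restrict principal names to ordinary characters so that a stray
        # shell or kadmin metacharacter in the file cannot alter the command.
        case "$name" in *[!A-Za-z0-9@./_-]*)
            echo "$infile: line $lineno: bad principal name '$name'" >&2
            return 1 ;;
        esac
        printf 'ank +needchange -pw %s %s\n' "$pw" "$name"
    done < "$infile"
}

# Validate the whole file first, then feed the commands to kadmin.local on the
# master KDC (run as root). Output is not discarded, so errors such as
# "Principal already exists" remain visible.
bulk_create_principals() {
    infile=$1
    gen_kadmin_cmds "$infile" > /dev/null || return 1
    gen_kadmin_cmds "$infile" | /usr/sbin/kadmin.local
}

# Write a constructed sample princnames file (not real accounts) with
# restrictive permissions and print its path.
make_sample_princnames() {
    f=${TMPDIR:-/tmp}/princnames.$$
    umask 077                      # created mode 0600: owner-readable only
    printf '%s\n' \
        '# constructed sample: principal password' \
        'alice Pa55word-initial' \
        'bob   Temp0rary' \
        '' \
        'carol/admin Adm1n-initial' > "$f"
    echo "$f"
}

# Stand-alone demo: show the generated commands, then destroy the file.
f=$(make_sample_princnames)
gen_kadmin_cmds "$f"
rm -f "$f"
```

To run it for real on the master KDC, call bulk_create_principals with the path of your own princnames file as root, then remove the file; the +needchange flag means each initial password is only ever usable once.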

How to View the List of Kerberos Principals

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.

    The list of principals is displayed.


[Figure: SEAM Administration Tool dialog showing the list of principals and the list filter, with Modify, Create New, Delete, and Duplicate buttons.]
  3. Display a specific principal or a sublist of principals.

    Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.

    The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge).

    If you want to display the entire list of principals, click Clear Filter.

Example 25-1 Viewing the List of Kerberos Principals (Command Line)

In the following example, the list_principals command of kadmin is used to list all the principals that match test*. Wildcards can be used with the list_principals command.

kadmin: list_principals test*
test1@EXAMPLE.COM
test2@EXAMPLE.COM
kadmin: quit

How to View a Kerberos Principal's Attributes

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to view, then click Modify.

    The Principal Basics panel that contains some of the principal's attributes is displayed.

  4. Continue to click Next to view all the principal's attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  5. When you are finished viewing, click Cancel.
Example 25-2 Viewing a Kerberos Principal's Attributes

The following example shows the first window when you are viewing the jdb/admin principal.

[Figure: SEAM Administration Tool dialog showing account data for the jdb/admin principal, including the account expiration date and comments.]
Example 25-3 Viewing a Kerberos Principal's Attributes (Command Line)

In the following example, the get_principal command of kadmin (getprinc is its short form) is used to view the attributes of the jdb/admin principal. The Key line reports the encryption type of the principal's key; the single-DES type shown here is obsolete and has been removed from current MIT Kerberos releases, so on a current KDC expect an AES type in that position.

kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: Fri Aug 25 17:19:05 PDT 2004
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 2003
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Thu Jan 14 11:54:09 PST 2003 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit

How to Create a New Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    Note - If you are creating a new principal that might need a new policy, you should create the new policy before you create the new principal. Go to How to Create a New Kerberos Policy.


    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Click Create New.

    The Principal Basics panel that contains some attributes for a principal is displayed.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory.

  5. Specify values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  6. Click Save to save the principal, or click Done on the last panel.
  7. If needed, set up Kerberos administration privileges for the new principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 25-4 Creating a New Kerberos Principal

The following example shows the Principal Basics panel when a new principal called pak is created. The policy is set to testuser.

[Figure: SEAM Administration Tool dialog showing account data for the pak principal, including the password, account expiration date, and the testuser policy.]
Example 25-5 Creating a New Kerberos Principal (Command Line)

In the following example, the add_principal command of kadmin is used to create a new principal called pak. The principal's policy is set to testuser.

kadmin: add_principal -policy testuser pak
Enter password for principal "pak@EXAMPLE.COM": <Type the password>
Re-enter password for principal "pak@EXAMPLE.COM": <Type the password again>
Principal "pak@EXAMPLE.COM" created.
kadmin: quit

How to Duplicate a Kerberos Principal

This procedure explains how to use all or some of the attributes of an existing principal to create a new principal. No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to duplicate, then click Duplicate.

    The Principal Basics panel is displayed. All the attributes of the selected principal are duplicated, except for the Principal Name and Password fields, which are empty.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory. To make an exact duplicate of the principal you selected, click Save and skip to Step 7.

  5. Specify different values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  6. Click Save to save the principal, or click Done on the last panel.
  7. If needed, set up Kerberos administration privileges for the principal in /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

How to Modify a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to modify, then click Modify.

    The Principal Basics panel that contains some of the attributes for the principal is displayed.

  4. Modify the principal's attributes, and continue to click Next to modify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.


    Note - You cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.


  5. Click Save to save the principal, or click Done on the last panel.
  6. If needed, modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 25-6 Modifying a Kerberos Principal's Password (Command Line)

In the following example, the change_password command of kadmin is used to modify the password for the jdb principal. If the principal is subject to a policy that keeps a password history, the change_password command does not let you reuse a password from that history.

kadmin: change_password jdb
Enter password for principal "jdb": <Type the new password>
Re-enter password for principal "jdb": <Type the password again>
Password for "jdb@EXAMPLE.COM" changed.
kadmin: quit

To modify other attributes for a principal, you must use the modify_principal command of kadmin.

How to Delete a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to delete, then click Delete.

    After you confirm the deletion, the principal is deleted.

  4. Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 25-7 Deleting a Kerberos Principal (Command Line)

In the following example, the delete_principal command of kadmin is used to delete the pak principal.

kadmin: delete_principal pak
Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes
Principal "pak@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: quit

How to Set Up Defaults for Creating New Kerberos Principals

No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Choose Properties from the Edit Menu.

    The Properties window is displayed.


[Figure: Properties dialog showing the defaults for new principals and the list controls. The defaults for principals cover security and other options.]
  3. Select the defaults that you want to use when you create new principals.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window.

  4. Click Save.

How to Modify the Kerberos Administration Privileges

Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.

  1. Become superuser on the master KDC.
  2. Edit the /etc/krb5/kadm5.acl file.

    An entry in the kadm5.acl file must have the following format:

    principal privileges [principal-target]

    principal

    Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.

    Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.

    privileges

    Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following list of characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.

    a

    [Dis]allows the addition of principals or policies.

    d

    [Dis]allows the deletion of principals or policies.

    m

    [Dis]allows the modification of principals or policies.

    c

    [Dis]allows the changing of passwords for principals.

    i

    [Dis]allows inquiries to the Kerberos database.

    l

    [Dis]allows the listing of principals or policies in the Kerberos database.

    x or *

    Allows all privileges (admcil).

    principal-target

    When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.

Example 25-8 Modifying the Kerberos Administration Privileges

The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:

*/admin@EXAMPLE.COM *

The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to add, list, and inquire about any principal that has the root instance.

jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
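An added example, not part of the guide, that evaluates a kadm5.acl file according to the rules described above: given a principal, an operation letter and an optional principal-target, it answers whether the file allows the operation. The function names and the sample ACL are constructed; the sample mirrors Example 25-8 and adds one entry that uses an uppercase letter. Two semantics are assumptions, drawn from the description above and from how the MIT kadmind evaluates the file: the first entry whose principal (and target, if the entry has one) matches decides the outcome, and a request that matches no entry is denied. Confirm both against the kadm5.acl documentation for your server before relying on the check.

```shell
#!/bin/sh
# Added example (not from the guide): evaluate a kadm5.acl file.
# Assumptions: first matching entry decides; no matching entry means denied.

# kadm5_acl_check ACLFILE PRINCIPAL OP [TARGET]
#   OP is one lowercase letter from a d m c i l. Returns 0 if allowed,
#   1 if denied, 2 for an unknown OP. The '*' wildcard in the file is matched
#   with shell patterns, so */admin@EXAMPLE.COM matches jdb/admin@EXAMPLE.COM
#   exactly as in the guide.
kadm5_acl_check() {
    acl=$1; who=$2; op=$3; target=${4:-}
    case "$op" in
        [admcil]) ;;
        *) echo "unknown privilege '$op'" >&2; return 2 ;;
    esac
    while read -r e_princ e_privs e_target _rest; do
        case "$e_princ" in ''|'#'*) continue ;; esac      # blank or comment
        case "$who" in $e_princ) ;; *) continue ;; esac    # principal match
        if [ -n "$e_target" ]; then
            # Entry is restricted to a principal-target: it applies only when
            # the operation names a target that matches it.
            [ -n "$target" ] || continue
            case "$target" in $e_target) ;; *) continue ;; esac
        fi
        case "$e_privs" in
            *x*|*'*'*) return 0 ;;   # x or * grants everything (admcil)
            *"$op"*)   return 0 ;;   # lowercase letter grants that operation
        esac
        return 1   # entry matched but lacks the letter (or has it uppercase)
    done < "$acl"
    return 1       # no entry matched
}

# Constructed sample ACL (not a real site file): Example 25-8 plus an entry
# whose uppercase A explicitly disallows adding while c, i and l are allowed.
make_sample_acl() {
    f=${TMPDIR:-/tmp}/kadm5.acl.sample.$$
    printf '%s\n' \
        '# constructed sample kadm5.acl' \
        '*/admin@EXAMPLE.COM *' \
        'jdb@EXAMPLE.COM ali */root@EXAMPLE.COM' \
        'helpdesk@EXAMPLE.COM Acil' > "$f"
    echo "$f"
}

# Stand-alone demo: print each decision, then remove the sample file.
report() {
    if kadm5_acl_check "$@"; then echo "ALLOW: $2 $3 ${4:-}"
    else echo "DENY:  $2 $3 ${4:-}"; fi
}
f=$(make_sample_acl)
report "$f" jdb/admin@EXAMPLE.COM d
report "$f" jdb@EXAMPLE.COM a www/root@EXAMPLE.COM
report "$f" jdb@EXAMPLE.COM d www/root@EXAMPLE.COM
report "$f" helpdesk@EXAMPLE.COM a
rm -f "$f"
```

Point kadm5_acl_check at /etc/krb5/kadm5.acl on the master KDC to review who can add, delete or modify principals before you hand out admin instances; the third decision in the demo shows why a target-restricted entry such as jdb's should list only the letters that principal genuinely needs.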