Administering Kerberos Principals
This section provides the step-by-step instructions used to administer principals with the SEAM
Tool. This section also provides examples of command-line equivalents, when available.
Administering Kerberos Principals (Task Map)
Task | Description | For Instructions
--- | --- | ---
View the list of principals. | View the list of principals by clicking the Principals tab. | How to View the List of Kerberos Principals
View a principal's attributes. | View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button. | How to View a Kerberos Principal's Attributes
Create a new principal. | Create a new principal by clicking the Create New button in the Principal List panel. | How to Create a New Kerberos Principal
Duplicate a principal. | Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button. | How to Duplicate a Kerberos Principal
Modify a principal. | Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal. | How to Modify a Kerberos Principal
Delete a principal. | Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button. | How to Delete a Kerberos Principal
Set up defaults for creating new principals. | Set up defaults for creating new principals by choosing Properties from the Edit menu. | How to Set Up Defaults for Creating New Kerberos Principals
Modify the Kerberos administration privileges (kadm5.acl file). | Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal. | How to Modify the Kerberos Administration Privileges
Automating the Creation of New Kerberos Principals
Even though the SEAM Tool provides ease-of-use, it doesn't provide a way to
automate the creation of new principals. Automation is especially useful if you need to
add 10 or even 100 new principals in a short time. However,
by using the kadmin.local command in a Bourne shell script, you can
do just that.
The following shell script line is an example of how to automate
the creation of new principals:
awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames |
time /usr/sbin/kadmin.local > /dev/null
This example is split over two lines for readability. The script reads in
a file called princnames that contains principal names and their passwords, and adds
them to the Kerberos database. You would have to create the princnames file,
which contains a principal name and its password on each line, separated by
one or more spaces. The +needchange option configures the principal so that
the user is prompted for a new password the first time he or she logs in
with the principal. This practice helps to ensure that the passwords in
the princnames file are not a security risk.
You can build more elaborate scripts. For example, your script could use the
information in the name service to obtain the list of user names
for the principal names. What you do and how you do it is
determined by your site's needs and your scripting expertise.
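The awk line above feeds whatever is in princnames straight to kadmin.local. As an added example (not code from the Oracle guide), the following Bourne shell function builds the same command stream but first checks the file: a line without exactly two fields, or a principal name that appears twice, stops the run before anything is sent, so a typo in the file cannot become a principal with the wrong password or a half-applied batch. The sample names and passwords are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: validate a princnames file and
# build the kadmin.local command stream from it before anything is piped to
# kadmin.local. Input format is the one the guide describes: one principal
# name and its password per line, separated by one or more spaces.

# gen_kadmin_cmds FILE
# Prints one "ank +needchange -pw PASSWORD PRINCIPAL" line per entry.
# If any line is malformed (not exactly two fields) or a principal name is
# repeated, nothing is printed and the exit status is 1, so a bad file never
# reaches kadmin.local half-applied.
gen_kadmin_cmds() {
    awk '
        NF == 0 { next }                  # ignore blank lines
        NF != 2 { bad++; next }           # must be exactly: principal password
        $1 in seen { dup++; next }        # a repeated name would make the second ank fail
        {
            seen[$1] = 1
            cmds = cmds "ank +needchange -pw " $2 " " $1 "\n"
        }
        END {
            if (bad + dup > 0) {
                print "princnames: " bad " malformed, " dup " duplicate line(s); nothing emitted" | "cat 1>&2"
                exit 1
            }
            printf "%s", cmds
        }
    ' "$1"
}

# Constructed sample input (made-up names and throwaway passwords).
SAMPLE_PRINCNAMES=$(mktemp)
cat > "$SAMPLE_PRINCNAMES" <<'EOF'
alice    Chang3-me-now
bob   Temp0rary-pw
EOF

# Stand-alone run: show the commands that would be sent to kadmin.local.
# In production the same stream is piped on, as in the guide's one-liner:
#   gen_kadmin_cmds /tmp/princnames | /usr/sbin/kadmin.local > /dev/null
# and the princnames file is removed afterwards, because it holds the initial
# passwords in clear text (+needchange forces a change at first login).
gen_kadmin_cmds "$SAMPLE_PRINCNAMES"
```

The function emits nothing at all when any line is rejected, rather than emitting the good lines and skipping the bad ones; with kadmin.local reading the stream, a partial batch is harder to clean up than a rejected one.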
How to View the List of Kerberos Principals
An example of the command-line equivalent follows this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Click the Principals tab.
The list of principals is displayed.
- Display a specific principal or a sublist of principals.
Type a filter string in the Filter field, and press Return. If the
filter succeeds, the list of principals that match the filter is displayed.
The filter string must consist of one or more characters. Because the filter
mechanism is case sensitive, you need to use the appropriate uppercase and lowercase
letters for the filter. For example, if you type the filter string ge,
the filter mechanism displays only the principals with the ge string in them
(for example, george or edge).
If you want to display the entire list of principals, click Clear
Filter.
Example 25-1 Viewing the List of Kerberos Principals (Command Line)
In the following example, the list_principals command of kadmin is used to list
all the principals that match test*. Wildcards can be used with the
list_principals command.
kadmin: list_principals test*
test1@EXAMPLE.COM
test2@EXAMPLE.COM
kadmin: quit
How to View a Kerberos Principal's Attributes
An example of the command-line equivalent follows this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Click the Principals tab.
- Select the principal in the list that you want to view, then click
Modify.
The Principal Basics panel that contains some of the principal's attributes is displayed.
- Continue to click Next to view all the principal's attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to
get information about the various attributes in each window. Or, for all the
principal attribute descriptions, go to SEAM Tool Panel Descriptions.
- When you are finished viewing, click Cancel.
Example 25-2 Viewing a Kerberos Principal's Attributes
The following example shows the first window when you are viewing the
jdb/admin principal.
Example 25-3 Viewing a Kerberos Principal's Attributes (Command Line)
In the following example, the get_principal command of kadmin (entered here
by its alias, getprinc) is used to view the attributes of the jdb/admin principal.
kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: Fri Aug 25 17:19:05 PDT 2004
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 2003
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Thu Jan 14 11:54:09 PST 2003 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit
How to Create a New Kerberos Principal
An example of the command-line equivalent follows this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
Note - If you are creating a new principal that might need a new policy,
you should create the new policy before you create the new principal. Go
to How to Create a New Kerberos Policy.
$ /usr/sbin/gkadmin
- Click the Principals tab.
- Click New.
The Principal Basics panel that contains some attributes for a principal is displayed.
- Specify a principal name and a password.
Both the principal name and the password are mandatory.
- Specify values for the principal's attributes, and continue to click Next to specify
more attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get
information about the various attributes in each window. Or, for all the principal
attribute descriptions, go to SEAM Tool Panel Descriptions.
- Click Save to save the principal, or click Done on the last panel.
- If needed, set up Kerberos administration privileges for the new principal in the
/etc/krb5/kadm5.acl file.
See How to Modify the Kerberos Administration Privileges for more details.
Example 25-4 Creating a New Kerberos Principal
The following example shows the Principal Basics panel when a new principal called
pak is created. The policy is set to testuser.
Example 25-5 Creating a New Kerberos Principal (Command Line)
In the following example, the add_principal command of kadmin is used to create
a new principal called pak. The principal's policy is set to testuser.
kadmin: add_principal -policy testuser pak
Enter password for principal "pak@EXAMPLE.COM": <Type the password>
Re-enter password for principal "pak@EXAMPLE.COM": <Type the password again>
Principal "pak@EXAMPLE.COM" created.
kadmin: quit
How to Duplicate a Kerberos Principal
This procedure explains how to use all or some of the attributes
of an existing principal to create a new principal. No command-line equivalent exists for
this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Click the Principals tab.
- Select the principal in the list that you want to duplicate, then click
Duplicate.
The Principal Basics panel is displayed. All the attributes of the selected principal
are duplicated, except for the Principal Name and Password fields, which are empty.
- Specify a principal name and a password.
Both the principal name and the password are mandatory. To make an
exact duplicate of the principal you selected, click Save and skip to the
last step (setting up administration privileges in /etc/krb5/kadm5.acl).
- Specify different values for the principal's attributes, and continue to click Next to
specify more attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get
information about the various attributes in each window. Or, for all the principal
attribute descriptions, go to SEAM Tool Panel Descriptions.
- Click Save to save the principal, or click Done on the last panel.
- If needed, set up Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.
See How to Modify the Kerberos Administration Privileges for more details.
How to Modify a Kerberos Principal
An example of the command-line equivalent follows this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Click the Principals tab.
- Select the principal in the list that you want to modify, then click
Modify.
The Principal Basics panel that contains some of the attributes for the principal
is displayed.
- Modify the principal's attributes, and continue to click Next to modify more attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get
information about the various attributes in each window. Or, for all the principal
attribute descriptions, go to SEAM Tool Panel Descriptions.
Note - You cannot modify a principal's name. To rename a principal, you must duplicate
the principal, specify a new name for it, save it, and then delete
the old principal.
- Click Save to save the principal, or click Done on the last panel.
- Modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.
See How to Modify the Kerberos Administration Privileges for more details.
Example 25-6 Modifying a Kerberos Principal's Password (Command Line)
In the following example, the change_password command of kadmin is used to modify
the password for the jdb principal. The change_password command does not let you
change the password to a password that is in the principal's password history.
kadmin: change_password jdb
Enter password for principal "jdb": <Type the new password>
Re-enter password for principal "jdb": <Type the password again>
Password for "jdb@EXAMPLE.COM" changed.
kadmin: quit
To modify other attributes for a principal, you must use the modify_principal
command of kadmin.
How to Delete a Kerberos Principal
An example of the command-line equivalent follows this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Click the Principals tab.
- Select the principal in the list that you want to delete, then click
Delete.
After you confirm the deletion, the principal is deleted.
- Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.
See How to Modify the Kerberos Administration Privileges for more details.
Example 25-7 Deleting a Kerberos Principal (Command Line)
In the following example, the delete_principal command of kadmin is used to delete
the pak principal.
kadmin: delete_principal pak
Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes
Principal "pak@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: quit
How to Set Up Defaults for Creating New Kerberos Principals
No command-line equivalent exists for this procedure.
- If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for more information.
$ /usr/sbin/gkadmin
- Choose Properties from the Edit Menu.
The Properties window is displayed.
- Select the defaults that you want to use when you create new principals.
Choose Context-Sensitive Help from the Help menu for information about the various attributes
in each window.
- Click Save.
How to Modify the Kerberos Administration Privileges
Even though your site probably has many user principals, you usually want only
a few users to be able to administer the Kerberos database. Privileges to
administer the Kerberos database are determined by the Kerberos access control list (ACL)
file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for
individual principals. Or, you can use the '*' wildcard in the principal name
to specify privileges for groups of principals.
- Become superuser on the master KDC.
- Edit the /etc/krb5/kadm5.acl file.
An entry in the kadm5.acl file must have the following format:
principal privileges [principal-target]
Field | Description
--- | ---
principal | Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm. Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.
privileges | Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the characters in the following list, or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.
principal-target | When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.
The privilege characters are:
Character | Meaning
--- | ---
a | [Dis]allows the addition of principals or policies.
d | [Dis]allows the deletion of principals or policies.
m | [Dis]allows the modification of principals or policies.
c | [Dis]allows the changing of passwords for principals.
i | [Dis]allows inquiries to the Kerberos database.
l | [Dis]allows the listing of principals or policies in the Kerberos database.
x or * | Allows all privileges (admcil).
Example 25-8 Modifying the Kerberos Administration Privileges
The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM
realm with the admin instance all the privileges on the Kerberos database:
*/admin@EXAMPLE.COM *
The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges
to add, list, and inquire about any principal that has the root instance.
jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
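When reviewing who can do what to the Kerberos database, it helps to evaluate a kadm5.acl file the way the entry format above describes it rather than reading it by eye. The following Bourne shell function is an added example, not code from the Oracle guide or from kadmind: given an ACL file, a principal, a privilege letter and an optional target, it reports whether the privilege is permitted. The sample ACL is constructed; it contains the two entries from Example 25-8 plus a made-up helpdesk principal. Two points are assumptions, because the guide does not state them: the first entry whose principal (and principal-target, if present) matches decides the answer, and an entry with a principal-target applies only when a target is supplied and matches it.

```shell
#!/bin/sh
# Added example, not from the Oracle guide: decide from a kadm5.acl file
# whether a principal holds a given privilege, using the entry format the
# guide documents: principal privileges [principal-target].
# OP is one of the lowercase privilege letters a, d, m, c, i or l.
# Assumptions (the guide does not say how several matching entries combine):
#   - the first entry whose principal (and target, if it has one) matches wins;
#   - an entry with a principal-target only applies when a target is given
#     and matches it.

# acl_allows ACLFILE PRINCIPAL OP [TARGET]   exit 0 = permitted, 1 = disallowed
acl_allows() {
    aclfile=$1
    princ=$2
    op=$3
    target=${4:-}
    while read -r entry privs ptarget rest; do
        case "$entry" in ''|'#'*) continue ;; esac      # blank or comment line
        # A case pattern gives the '*' wildcard the guide describes: it can
        # stand for any part of the principal name (e.g. */admin@EXAMPLE.COM).
        case "$princ" in $entry) ;; *) continue ;; esac
        if [ -n "$ptarget" ]; then
            case "$target" in $ptarget) ;; *) continue ;; esac
        fi
        case "$privs" in
            x|'*')   return 0 ;;      # all privileges (admcil)
            *"$op"*) return 0 ;;      # lowercase letter present: permitted
        esac
        return 1                      # letter uppercase or absent: disallowed
    done < "$aclfile"
    return 1                          # no entry matched: disallowed
}

# Constructed sample ACL: the two entries from Example 25-8 plus a made-up
# helpdesk principal that may change passwords and list, but not inquire.
SAMPLE_ACL=$(mktemp)
cat > "$SAMPLE_ACL" <<'EOF'
# constructed sample kadm5.acl
*/admin@EXAMPLE.COM *
jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
helpdesk@EXAMPLE.COM cIl
EOF

# Stand-alone run: report what jdb@EXAMPLE.COM may do to a root-instance principal.
for op in a d m c i l; do
    if acl_allows "$SAMPLE_ACL" jdb@EXAMPLE.COM "$op" host/root@EXAMPLE.COM; then
        echo "jdb@EXAMPLE.COM: '$op' permitted on host/root@EXAMPLE.COM"
    else
        echo "jdb@EXAMPLE.COM: '$op' disallowed on host/root@EXAMPLE.COM"
    fi
done
```

Run against the real /etc/krb5/kadm5.acl on the master KDC, the loop above is a quick way to confirm that a */admin entry really is the only one granting delete, and that a narrowed entry such as jdb's does not leak privileges onto principals outside its target.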