Command Line

To create a principal, enter the following at the kadmin prompt:

add_principal [options] principal 
 options are: 
         [-x db_princ_args] [-expire expdate] [-pwexpire pwexpdate] [-maxlife 
        maxtixlife] 
        [-kvno kvno] [-policy policy] [-randkey] [-pw password] 
                [-maxrenewlife maxrenewlife] 
                [-e keysaltlist] 
                [{+|-}attribute] 
attributes are: 
            allow_postdated allow_forwardable allow_tgs_req allow_renewable 
            allow_proxiable allow_dup_skey allow_tix requires_preauth 
            requires_hwauth needchange allow_svr password_changing_service

Table 25. add_principal Parameter Description

Parameter	Description
-x	Denotes the database-specific options. The following are the options for LDAP as the backend: -x userdn=<userdn> Specifies the associated eDirectory user object while creating a Kerberos user principal. -x up=<on|off|clr> Specifies if the Kerberos User Principal associated with the eDirectory user object will make use of the universal password. -x tktpolicydn Associates a ticket policy object to the Kerberos principal. -x containerdn=<container_dn> Specifies the eDirectory container under which the Kerberos service principal is to be created.
-expire	Specifies the expiration date of the principal
-pwexpire	Specifies the password expiration date
-maxlife	Specifies the maximum ticket life for the principal
-kvno	Explicity sets the key version number.
-policy	Specifies the password policy used by this principal. If no policy is supplied, then if the policy "default" exists and the -clearpolicy is also not specified, then the policy "default" is used; otherwise, the principal will have no password policy, and a warning message will be printed.
-randkey	Sets the key of the principal to a random value. Do not use this while creating InterRealm principals.
-pw	Sets the key of the principal to the specified string and does not prompt for a password. WARNING:  Using this option at the shell prompt can be risky if unauthorized users gain read access to the script.
-maxrenewlife	Specifies the maximum renewable life of tickets for the principal.
-e	Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2. NOTE:  If universal password integration is enabled, refer to .
-clearpolicy	Prevents the policy "default" from being assigned when (-) policy is not specified. This option has no effect if the policy "default" does not exist.
{-|+}allow_postdated	(-) allow_postdated prohibits this principal from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.) (+) allow_postdated clears this flag.
{-|+}allow_forwardable	(-) allow_forwardable prohibits this principal from obtaining forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDÂABLE flag.) (+) allow_forwardable clears this flag.
{-|+}allow_renewable	(-) allow_renewable prohibits this principal from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.) (+) allow_renewable clears this flag.
{-|+}allow_proxiable	(-) allow_proxiable prohibits this principal from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.) (+) allow_proxiable clears this flag.
{-|+}allow_dup_skey	(-) allow_dup_skey disables user-to-user authentication for this principal by prohibiting this principal from obtaining a session key for another user. (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.) (+) allow_dup_skey clears this flag.
{-|+}requires_preauth	(+) requires_preauth requires this principal to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.) (-) requires_preauth clears this flag.
{-|+}requires_hwauth	(+) requires_hwauth requires this principal to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.) (-) requires_hwauth clears this flag.
{-|+}allow_svr	(-) allow_svr prohibits the issuance of service tickets for this principal. (Sets the KRB5_KDB_DISALLOW_SVR flag.) (+) allow_svr clears this flag.
{-|+}allow_tgs_req	(-) allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. (+) allow_tgs_req clears this flag. The default is (+) allow_tgs_req . In effect, (-) allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.
{-|+}allow_tix	(-) allow_tix forbids the issuance of any tickets for this principal. (+) allow_tix clears this flag. The default is (+) allow_tix . In effect, (-) allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.
{-|+}needchange	(+) needchange sets a flag in attributes field to force a password change; (-) needchange clears it. The default is (-) needÂchange . In effect, (+) needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.
{-|+}password_changing_service	(+) password_changing_service sets a flag in the attributes field marking this as a password change service principal. (-) password_changing_service clears the flag. This flag intentionally has a long name. The default is (-) password_changing_service. In effect, (+) password_changing_service sets the KDB_PWCHANGE_SERVICE flag on the principal in the database.

Creating User Principal

Every Kerberos user principal is associated with the eDirectory object. Therefore, while creating a Kerberos user principal, the associated eDirectory user object must be mentioned.

To create a user principal, enter the following at the kadmin prompt:

add_principal -x up=on -x userdn=cn=user1,o=org user_princ

If the userdn is not present in eDirectory, it creates a new one with the specified name.

The output of the above command is similar to the following:

WARNING: no policy specified for user_princ@MYREALM; defaulting to no policy 
Enter password for principal "user_princ@MYREALM": 
Re-enter password for principal "user_princ@MYREALM": 
Principal "user_princ@MYREALM" created.

Creating a Service Principal

To create a service principal, enter the following:

add_principal -x containerdn=ou=sales,o=org service_princ

The output of the above command is similar to the following:

WARNING: no policy specified for service_princ@MYREALM; defaulting to no policy 
Enter password for principal "service_princ@MYREALM": 
Re-enter password for principal "service_princ@MYREALM": 
Principal "service_princ@MYREALM" created.

iManager

1. In Novell iManager, click the Roles and Tasks button .

2. Select Kerberos Management > New Principal.

Refer to the iManager online help for more information.

Associating a Ticket Policy to the Kerberos Principal

A ticket policy object can be associated with a Kerberos principal using the add_principal command of the kadmin utility.

For example:

add_principal -x tktpolicydn=cn=tktpolicy,o=org serviceuser

Command Line

To modify principals, enter the following at the kadmin command prompt:

modify_principal [options] principal 
 
 options are: 
       [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife 
        maxtixlife] 
       [-kvno kvno] [-policy policy] [-clearpolicy] 
       [-maxrenewlife maxrenewlife] [{+|-}attribute] 
 
attributes are: 
               allow_postdated allow_forwardable allow_tgs_req allow_renewable 
             allow_proxiable allow_dup_skey allow_tix requires_preauth 
             requires_hwauth needchange allow_svr password_changing_service

For details about the parameters, refer to Table 25, add_principal Parameter Description.

For example:

modify_principal -x up=off -policy cn=realm_policy,o=org +requires_preauth princ

The output of the above command is similar to the following:

Principal "princ@MYREALM" modified.

iManager

1. In Novell iManager, click the Roles and Tasks button .

2. Select Kerberos Management > Edit Principal.

Refer to the iManager online help for more information.

Associating a Ticket Policy to the Kerberos Principal

If the principal is already created, use the modify_principal command of kadmin utility.

For example:

modify_principal -x tktpolicydn=cn=tktpolicy,o=org serviceuser

Command Line

To delete a principal, enter the following at the kadmin command prompt:

delete_principal [-force] principal

If the -force option is not specified, you are prompted to confirm the deletion. The delete_ principal command will not delete the user but only the Kerberos attribute.

For example:

delete_principal princ1

The output of the above command is similar to the following:

Are you sure you want to delete the principal "princ1@MYREALM"? (yes/no): yes 
Principal "princ1@MYREALM" deleted. 
Make sure that you have removed this principal from all ACLs before reusing.

iManager

1. In Novell iManager, click the Roles and Tasks button .

2. Select Kerberos Management > Delete Principal.

Refer to the iManager online help for more information.

Command Line

To change the password of a principal, enter the following at the kadmin prompt:

change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal

Table 26. change_password Parameter Description

Parameter	Description
-randkey	Sets the key of the principal to a random value.
-keepold	Keeps the previous kvno's keys. There is no easy way to delete the old keys, and this flag is usually not necessary except perhaps for TGS keys. Don't use this flag unless you are sure you want to use it.
-e	Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. NOTE:  If universal password integration is enabled, refer to .
-pw	Sets the password to the specified string. We do not recommend you to use it.

For example:

change_password princ2

The output of the above command is similar to the following:

Enter password for principal "princ2": 
Re-enter password for principal "princ2": 
Password for "princ2@MYREALM" changed.

change_password -pw secret princ2

The output of the above command is similar to the following:

Password for "princ2@MYREALM" changed.

iManager

1. In Novell iManager, click the Roles and Tasks button .

2. Select Kerberos Management > Set Principal Password.

Refer to the iManager online help for more information.