To be able to add and remove principals from the Kerberos database without accessing the KDC's console directly, tell the Kerberos administration server which principals are allowed to do what. Do this by editing the file /var/lib/kerberos/krb5kdc/kadm5.acl. The ACL (access control list) file allows you to specify privileges with a fine degree of control. For details, refer to the manual page with man 8 kadmind.
Right now, just grant yourself the privilege to do anything you want with the database by putting the following line into the file:
newbie/admin *
Replace the username newbie with your own. Restart kadmind for the change to take effect.
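The blanket grant above is convenient for a first setup, but it is worth reviewing once more administrators are added. The following script is an added example, not part of the original page or of the Kerberos distribution; it audits ACL text for overly broad entries. It assumes the MIT kadm5.acl syntax described in the kadmind manual page (principal, permission letters, optional target principal), and every sample entry other than the newbie/admin line is constructed.

```python
# Added example, not from the original page. Assumes MIT kadm5.acl syntax:
#   principal  permissions  [target_principal [restrictions]]
# Lowercase letters grant, uppercase letters revoke, "*" or "x" means all.
ALL = set("admcilsp")            # privileges covered by "*" / "x" (assumption)
WRITE = set("admcs")             # privileges that change the database

def effective(perms):
    """Resolve a permission string left to right into a set of letters."""
    granted = set()
    for ch in perms:
        if ch in "*x":
            granted |= ALL
        elif ch.islower():
            granted.add(ch)
        elif ch.isupper():
            granted.discard(ch.lower())
    return granted

def audit(acl_text):
    """Return (line_number, principal, finding) for each risky entry."""
    findings = []
    for n, raw in enumerate(acl_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                       # blank lines and comments
        fields = line.split()
        if len(fields) < 2:
            findings.append((n, fields[0], "malformed entry: no permissions"))
            continue
        principal, perms = fields[0], fields[1]
        target = fields[2] if len(fields) > 2 else "*"   # no target = all
        granted = effective(perms)
        if "*" in principal and granted & WRITE:
            findings.append((n, principal, "wildcard principal can modify the database"))
        elif granted >= ALL and target == "*":
            findings.append((n, principal, "full privileges on every principal"))
    return findings

# Constructed sample ACL; the first entry is the one used on this page.
SAMPLE = """\
newbie/admin *
# helpdesk may only look up and list principals
helpdesk/admin@EXAMPLE.COM il
*/admin@EXAMPLE.COM *D
pwreset/admin@EXAMPLE.COM c *@EXAMPLE.COM
"""

if __name__ == "__main__":
    for lineno, who, what in audit(SAMPLE):
        print(f"kadm5.acl:{lineno}: {who}: {what}")
```

To check a live system, pass the contents of /var/lib/kerberos/krb5kdc/kadm5.acl to audit() instead of SAMPLE.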
You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server:
kadmin -p newbie/admin
Authenticating as principal newbie/admin@EXAMPLE.COM with password.
Password for newbie/admin@EXAMPLE.COM:
kadmin: getprivs
current privileges: GET ADD MODIFY DELETE
kadmin:
Using the getprivs command, verify which privileges you have. The list shown above is the full set of privileges.
As an example, modify the principal newbie:
kadmin -p newbie/admin
Authenticating as principal newbie/admin@EXAMPLE.COM with password.
Password for newbie/admin@EXAMPLE.COM:
kadmin: getprinc newbie
Principal: newbie@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Jan 12 17:28:46 CET 2005
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jan 12 17:47:17 CET 2005 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin: modify_principal -maxlife "8 hours" newbie
Principal "newbie@EXAMPLE.COM" modified.
kadmin: getprinc newbie
Principal: newbie@EXAMPLE.COM
Expiration date: [never]
Last password change: Wed Jan 12 17:28:46 CET 2005
Password expiration date: [none]
Maximum ticket life: 0 days 08:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jan 12 17:59:49 CET 2005 (newbie/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
kadmin:
This changes the maximum ticket lifetime to eight hours. For more information about the kadmin command and the options available, refer to http://web.mit.edu/kerberos/www/krb5-1.4/krb5-1.4/doc/krb5-admin.html#Kadmin%20Options or look at man 8 kadmin.