3.2 Configuration and Administration Utilities

Use the kdb5_ldap_util utility to manage realms, Kerberos services, and ticket policies.

Use the kadmin utility to manage principals, password policies, and keytab entries.

You can also use iManager to configure and administer the Novell Kerberos KDC.

3.2.1 The kdb5_ldap_util Utility

This utility has the following syntax:

kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] [-t trusted_cert] cmd [cmd_options]

The kdb5_ldap_util parameters are described below:

Table 3-2 kdb5_ldap_util Parameters

  Parameter   Description
  -D          Distinguished name of a user with sufficient rights to authenticate to the LDAP server and configure Kerberos services.
  -w          Password for that user DN. We do not recommend this option: a password given on the command line is visible to other users in the process list and is recorded in the shell history.
  -H          URI of the LDAP server.
  -t          File containing the trusted root certificate of the LDAP server.

The command options include the following:

Table 3-3 kdb5_ldap_util Command Options

  Command           Description
  create            Creates a realm.
  modify            Modifies a realm.
  view              Displays the attributes of a realm.
  destroy           Destroys a realm.
  list              Lists all the realms.
  create_service    Creates a KDC, Administration, or Password service.
  modify_service    Modifies a KDC, Administration, or Password service.
  view_service      Displays the service details.
  destroy_service   Deletes the service.
  list_service      Lists all the services.
  create_policy     Creates a ticket policy.
  modify_policy     Modifies a ticket policy.
  view_policy       Displays the ticket policy details.
  destroy_policy    Deletes a ticket policy.
  list_policy       Lists all the ticket policies.
  setsrvpw          Sets a password for a service object (KDC, Administration, or Password server) in the stash file and in eDirectory™.
  setsrvcert        Configures a service to authenticate to the LDAP server with its issued certificate instead of a password.
  ldapxtn_info      Updates the ldapExtensionInfo attribute on the LDAP server object.
  setmasterkey      Sets the master key password.
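The following shell wrapper is an added example; it is not code from the Novell Kerberos KDC or from its documentation. It applies the cautions in Table 3-2 when calling kdb5_ldap_util: it accepts only an ldaps:// URI for -H, because -D/-w is a simple LDAP bind and the administrator's password would cross the network in clear over plain ldap:// (the options above give no other way to protect it in transit); it requires the trusted root certificate for -t to be readable; and it refuses -w so that the password never appears on the command line (the utility is assumed to prompt for it when -w is omitted, as MIT Kerberos' kdb5_ldap_util does). The admin DN, server name, certificate path and the KDB5_LDAP_UTIL variable that selects the binary are placeholders introduced here.

```shell
#!/bin/sh
# Added example, not part of the Novell Kerberos KDC or its documentation.
# Wrapper that runs kdb5_ldap_util with the transport and credential
# hygiene implied by Table 3-2. Placeholders (assumptions made here, not
# taken from the page): the admin DN, the LDAPS URI, the certificate path,
# and the KDB5_LDAP_UTIL variable, which selects the binary to run.

: "${KDB5_LDAP_UTIL:=kdb5_ldap_util}"

# kdb5_ldap_safe ADMIN_DN LDAP_URI TRUSTED_CERT cmd [cmd_options ...]
#   - only ldaps:// is accepted: -D/-w is a simple bind, so over ldap://
#     the administrator's password would cross the network in clear
#   - the trusted root certificate (-t) must be readable so the TLS
#     connection can be verified against it
#   - -w is refused: a password on the command line is visible to other
#     users in the process list and is kept in shell history
kdb5_ldap_safe() {
    admin_dn=$1; uri=$2; cert=$3
    shift 3

    case $uri in
        ldaps://*) ;;
        ldap://*)
            echo "refusing $uri: use ldaps:// so the bind password is not sent in clear" >&2
            return 2 ;;
        *)
            echo "unrecognised LDAP URI: $uri" >&2
            return 2 ;;
    esac

    if [ ! -r "$cert" ]; then
        echo "trusted root certificate not readable: $cert" >&2
        return 2
    fi

    for arg in "$@"; do
        if [ "$arg" = "-w" ]; then
            echo "refusing -w: pass no password on the command line" >&2
            return 2
        fi
    done

    # No password for $admin_dn is supplied here; the utility asks for it.
    "$KDB5_LDAP_UTIL" -D "$admin_dn" -H "$uri" -t "$cert" "$@"
}

# Typical use (DN, host and certificate path are placeholders):
#   kdb5_ldap_safe "cn=admin,o=example" "ldaps://ldap.example.com" \
#       /etc/opt/novell/kerberos/trusted-root.der list
```

Setting KDB5_LDAP_UTIL to echo prints the argument list instead of running the tool, which is a convenient way to review what a script would execute before pointing it at a live eDirectory server.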

3.2.2 The kadmin Utility

You can use the kadmin or kadmin.local utilities to manage principals, keys, and password policies. Unlike MIT Kerberos, where kadmin.local works only on a local database, the Novell Kerberos KDC's kadmin.local accesses the database (eDirectory) remotely.

kadmin is a client utility that contacts the Administration server, which in turn contacts eDirectory to carry out the administration request.

kadmin.local contacts eDirectory directly to carry out the administration request.

The syntax for using this utility is as follows:

kadmin [-r realm] [-p principal] [-q query] [-s admin_server[:port]] [-w password] [[-c ccache]|[-k [-t keytab]]]
kadmin.local [-r realm] [-p principal] [-q query] [-x db_args] [-e "enc:salt ..."] [-m]
cmd [cmd_options]

The kadmin and kadmin.local parameters are described below:

Table 3-4 kadmin and kadmin.local Parameters

  Parameter   Description
  -r          Kerberos realm of the database. By default, the default_realm parameter of the krb5.conf file is used.
  -p          Principal used to authenticate to the Administration server.
  -q          Passes the query directly to kadmin, which performs the query and then exits.
  -s          Admin server that kadmin should contact.
  -c          Uses ccache as the credentials cache. The cache should contain a service ticket for the kadmin/admin service, which can be acquired with the kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC and stores it in its own temporary cache.
  -k          Uses a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal is host/hostname. If no keytab is specified with -t, the default keytab is used.
  -t          Keytab to use for decrypting the KDC response. Can only be used with -k.
  -x          Database-specific parameters (kadmin.local):

              • -x host=<hostname>
                LDAP server to connect to, given as an LDAP URI. Equivalent to the ldap_servers parameter in the configuration file.

              • -x binddn=<bind_dn>
                DN of the object that the administration server uses to bind to the LDAP server. The object needs read and write rights on the realm container, the subtrees, and the principal container configured for the realm. Equivalent to ldap_kadmin_dn in the configuration file.

              • -x bindpwd=<bind_password>
                Password for the binddn. We do not recommend this option; store the password securely in the service password file with the setsrvpw command of kdb5_ldap_util instead. When given, this option overrides the password read from ldap_service_password_file.

              • -x cert=<certificate_file>
                Trusted root certificate file for the LDAP server. Equivalent to the ldap_root_certificate_file parameter in the configuration file.

  -e          List of encryption types and salt types to use for any new keys created.
  -m          Do not authenticate with a keytab; prompt for the master database password instead.
  -w          Uses the specified password and does not prompt for it.

NOTE: Placing the password of a Kerberos principal with administration access in a shell script is dangerous if unauthorized users gain read access to the script. Passing it with -w is no better: the command line is visible to other users in the process list.

The command options include the following:

Table 3-5 kadmin and kadmin.local Command Options

  Command Option                                          Description
  add_principal, addprinc, ank                            Adds a principal.
  delete_principal, delprinc                              Deletes a principal.
  modify_principal, modprinc                              Modifies a principal.
  change_password, cpw                                    Sets the principal's password.
  get_principal, getprinc                                 Displays the attributes of a principal.
  list_principals, listprincs, get_principals, getprincs  Lists all the principals.
  add_policy, addpol                                      Adds a password policy.
  modify_policy, modpol                                   Modifies a password policy.
  delete_policy, delpol                                   Deletes a password policy.
  get_policy, getpol                                      Displays the attributes of a password policy.
  list_policies, listpols, get_policies, getpols          Lists the password policies.
  ktadd                                                   Adds entries to a keytab.
  ktremove                                                Removes entries from a keytab.
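The following shell script is an added example, not code from the Novell Kerberos KDC or its documentation. It shows the unattended form of kadmin that the NOTE above points toward: authenticate with a keytab (-k -t) and hand the command over with -q, so no administrator password is typed, stored in the script, or placed on the command line. Because anyone who can read that keytab can act as the admin principal, the script first checks that the keytab is not readable by group or others. The realm, the admin principal, the keytab path and the KADMIN variable that selects the binary are placeholders introduced here.

```shell
#!/bin/sh
# Added example, not part of the Novell Kerberos KDC or its documentation.
# Runs a kadmin query unattended with keytab authentication (-k -t) and -q,
# so no administrator password is typed, stored in the script, or exposed
# on the command line. Placeholders (assumptions made here): the realm,
# the admin principal, the keytab path, and the KADMIN variable selecting
# the binary to run.

: "${KADMIN:=kadmin}"

# keytab_is_private FILE: true only if FILE exists and neither group nor
# others have any permission bit on it. Anyone who can read the keytab can
# authenticate as the admin principal to the Administration server, so an
# over-permissive keytab is as bad as a password in a world-readable script.
keytab_is_private() {
    kt=$1
    [ -f "$kt" ] || return 1
    # columns 5-10 of "ls -l" output are the group and other permission bits
    case $(ls -ld "$kt" | cut -c5-10) in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# kadmin_keytab REALM PRINCIPAL KEYTAB QUERY
# Runs one kadmin command non-interactively. Returns 2 without invoking
# kadmin if the keytab is missing or too widely readable.
kadmin_keytab() {
    realm=$1; princ=$2; kt=$3; query=$4
    if ! keytab_is_private "$kt"; then
        echo "keytab $kt is missing or readable by group/other; refusing to use it" >&2
        return 2
    fi
    # -p names the admin principal explicitly; without it, -k would default
    # to host/<hostname>, which is not an administration principal.
    "$KADMIN" -r "$realm" -p "$princ" -k -t "$kt" -q "$query"
}

# Typical use (realm, principal and path are placeholders): confirm that a
# host principal exists, then add a fresh key for it to a keytab.
#   kadmin_keytab EXAMPLE.COM admin/admin@EXAMPLE.COM /etc/krb5.admin.keytab \
#       "getprinc host/web1.example.com"
#   kadmin_keytab EXAMPLE.COM admin/admin@EXAMPLE.COM /etc/krb5.admin.keytab \
#       "ktadd host/web1.example.com"
```

Set KADMIN=echo to print the assembled command line instead of contacting the Administration server; the permission check runs either way, so a misconfigured keytab is caught before any credential is used.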