3.8 Managing Principals

You can manage principals through kadmin. This section explains the following:

  • Section 3.8.1, Adding a Principal

  • Section 3.8.2, Modifying a Principal

  • Section 3.8.3, Deleting a Principal

  • Section 3.8.4, Listing Principals

  • Section 3.8.5, Getting Principal Information

  • Section 3.8.6, Setting Principal Password

  • Section 3.8.7, Extracting a Principal Key to a Keytab File

  • Section 3.8.8, Removing a Keytab Entry

3.8.1 Adding a Principal

Principals can be created under the realm subtrees, the principal container, or the realm container. Principals can be created in either of the following ways:

  • Attached to an existing LDAP object. The LDAP object should exist within the subtree or principal container.

  • Created as a separate principal object, which can optionally be linked to an LDAP object. The principal can be created under a specific container by providing that option during principal creation. Otherwise, it is created under the principal container (if one is configured) or the realm container. If a container is provided, it must be within the subtree or principal container.

You can use one of the following methods to add a principal:

Command Line

To create a principal, enter the following at the kadmin prompt:

add_principal [options] principal

options are:

[-x db_princ_args] [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxlife] [-maxrenewlife maxrenewlife] [-kvno kvno] [-policy policy] [{+|-}attribute]

attributes are:

allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service

Table 3-22 add_principal Parameters

Parameter
    Description

-x
    Database-specific options. The following options are available when LDAP is the back end:

      • -x dn=<dn>

        LDAP object that will contain the Kerberos principal being created.

      • -x linkdn=<linkdn>

        LDAP object to which the newly created Kerberos principal object will point.

      • -x containerdn=<container_dn>

        Container under which the Kerberos principal is to be created.

      • -x tktpolicy=<policyname>

        Associates a ticket policy object with the Kerberos principal.

      • -x up=<on|off>

        Specifies whether the Kerberos user principal associated with the eDirectory user object uses the Universal Password.

-expire
    Expiration date of the principal.

-pwexpire
    Password expiration date.

-maxlife
    Maximum ticket life for the principal.

-maxrenewlife
    Maximum renewable life of tickets for the principal.

-kvno
    Explicitly sets the key version number.

-policy
    Password policy used by this principal. If no policy is supplied, the default policy exists, and -clearpolicy is not specified, the default policy is used; otherwise, the principal has no password policy and a warning message is printed.

-clearpolicy
    Prevents the default policy from being assigned when -policy is not specified. This option has no effect if the default policy does not exist.

{-|+}allow_postdated
    -allow_postdated prohibits this principal from obtaining postdated tickets (sets the KRB5_KDB_DISALLOW_POSTDATED flag). +allow_postdated clears this flag.

{-|+}allow_forwardable
    -allow_forwardable prohibits this principal from obtaining forwardable tickets (sets the KRB5_KDB_DISALLOW_FORWARDABLE flag). +allow_forwardable clears this flag.

{-|+}allow_renewable
    -allow_renewable prohibits this principal from obtaining renewable tickets (sets the KRB5_KDB_DISALLOW_RENEWABLE flag). +allow_renewable clears this flag.

{-|+}allow_proxiable
    -allow_proxiable prohibits this principal from obtaining proxiable tickets (sets the KRB5_KDB_DISALLOW_PROXIABLE flag). +allow_proxiable clears this flag.

{-|+}allow_dup_skey
    -allow_dup_skey disables user-to-user authentication for this principal by prohibiting it from obtaining a session key for another user (sets the KRB5_KDB_DISALLOW_DUP_SKEY flag). +allow_dup_skey clears this flag.

{-|+}requires_preauth
    +requires_preauth requires this principal to preauthenticate before being allowed to kinit (sets the KRB5_KDB_REQUIRES_PRE_AUTH flag). -requires_preauth clears this flag.

{-|+}requires_hwauth
    +requires_hwauth requires this principal to preauthenticate using a hardware device before being allowed to kinit (sets the KRB5_KDB_REQUIRES_HW_AUTH flag). -requires_hwauth clears this flag.

{-|+}allow_svr
    -allow_svr prohibits the issuance of service tickets for this principal (sets the KRB5_KDB_DISALLOW_SVR flag). +allow_svr clears this flag.

{-|+}allow_tgs_req
    -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. +allow_tgs_req clears this flag. The default is +allow_tgs_req. In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

{-|+}allow_tix
    -allow_tix forbids the issuance of any tickets for this principal. +allow_tix clears this flag. The default is +allow_tix. In effect, -allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

{-|+}needchange
    +needchange sets a flag in the attributes field to force a password change; -needchange clears it. The default is -needchange. In effect, +needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.

{-|+}password_changing_service
    +password_changing_service sets a flag in the attributes field marking this as a password change service principal; -password_changing_service clears the flag. This flag intentionally has a long name. The default is -password_changing_service. In effect, +password_changing_service sets the KDB_PWCHANGE_SERVICE flag on the principal in the database.

Creating a Principal

To create a user principal with default values, enter the following at the kadmin prompt:

kadmin: addprinc jennifer

The output of the above command is similar to the following:

WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:      <= Type the password.
Re-enter password for principal jennifer@ATHENA.MIT.EDU:   <= Type it again.
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:

To create a principal that is contained by an LDAP object, enter the following at the kadmin prompt:

kadmin: addprinc -x dn=cn=jennifer,o=mit jennifer

The object cn=jennifer,o=mit must exist in the directory.

The output of the above command is similar to the following:

WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:      <= Type the password.
Re-enter password for principal jennifer@ATHENA.MIT.EDU:   <= Type it again.
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:

To create a principal under a specific LDAP container and link to an existing LDAP object, enter the following at the kadmin prompt:

kadmin: addprinc -x containerdn=o=mit -x linkdn=cn=david,o=mit david

The output of the above command is similar to the following:

WARNING: no policy specified for "david@ATHENA.MIT.EDU"; defaulting to no policy.
Enter password for principal david@ATHENA.MIT.EDU:      <= Type the password.
Re-enter password for principal david@ATHENA.MIT.EDU:   <= Type it again.
Principal "david@ATHENA.MIT.EDU" created.
kadmin:

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Principal.

Refer to the iManager online help for more information.

3.8.2 Modifying a Principal

You can use one of the following methods to modify a principal:

Command Line

To modify principals, enter the following at the kadmin command prompt:

modify_principal [options] principal

options are:

[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife] [-maxrenewlife maxrenewlife] [-kvno kvno] [-policy policy] [-clearpolicy] [{+|-}attribute]

attributes are:

allow_postdated allow_forwardable allow_tgs_req allow_renewable allow_proxiable allow_dup_skey allow_tix requires_preauth requires_hwauth needchange allow_svr password_changing_service

For details about the parameters, refer to Table 3-22.

For example:

modify_principal -x up=off -x tktpolicy=usertktpolicy -policy pwdpolicy +requires_preauth Jennifer

The output of the above command is similar to the following:

Principal "Jennifer@MYREALM" modified.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Principal.

Refer to the iManager online help for more information.

3.8.3 Deleting a Principal

You can use one of the following methods to delete a principal:

Command Line

To delete a principal, enter the following at the kadmin command prompt:

delete_principal [-force] principal

If the -force option is not specified, you are prompted to confirm the deletion. If the Kerberos principal is attached to an LDAP object, the delete_principal command does not delete the LDAP object; it deletes only the Kerberos attributes.

For example:

delete_principal David

The output of the above command is similar to the following:

Are you sure you want to delete the principal "David@MYREALM"? (yes/no): yes
Principal "David@MYREALM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Principal.

Refer to the iManager online help for more information.

3.8.4 Listing Principals

To list principals, enter the following at the kadmin prompt:

list_principals [expression]

expression is a shell-style glob expression that can contain the characters *, ?, [, and ]. All principal names matching the expression are displayed. The list_principals command has the aliases listprincs, get_principals, and getprincs.

For example:

list_principals princ*

The output of the above command is similar to the following:

princ@MYREALM
princ1@MYREALM
princ2@MYREALM

3.8.5 Getting Principal Information

To get the attributes of a principal, enter the following at the kadmin command prompt:

get_principal [-terse] principal

For example:

get_principal jennifer/root

The output of the above command is similar to the following:

Principal: jennifer/root@ATHENA.MIT.EDU
Expiration date: [never]
Last password change: Mon Jan 31 02:06:40 EDT 2002
Password Expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 24 14:46:25 EDT 2002 (joeadmin/admin@ATHENA.MIT.EDU)
Last successful authentication: Mon Jul 29 18:20:17 EDT 2002
Last failed authentication: Mon Jul 29 18:18:54 EDT 2002
Failed password attempts: 3
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE
Policy: [none]
kadmin:
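As an added example (not part of the Novell documentation or of kadmin), the following Python script parses a record in the get_principal output format shown above and reports what an administrator would want to review: whether preauthentication is required, whether a single-DES key is still present, whether a password policy is assigned, and whether failed attempts have reached a threshold. The remediation it prints uses the {-|+}attribute syntax of Table 3-22; the sample record is constructed from the output above, and the baseline checks and the max_failures threshold are this example's own assumptions.

```python
import re

# Constructed sample record, modelled on the get_principal output shown in this section.
SAMPLE = """Principal: jennifer/root@ATHENA.MIT.EDU
Expiration date: [never]
Last password change: Mon Jan 31 02:06:40 EDT 2002
Password Expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Failed password attempts: 3
Number of keys: 2
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE
Policy: [none]
"""

def parse_principal(text):
    """Split get_principal output into a dict; repeated 'Key:' lines accumulate into a list."""
    info = {"keys": [], "attributes": []}
    for line in text.splitlines():
        field, sep, value = line.partition(":")   # split on the first colon only; timestamps keep theirs
        if not sep:
            continue
        field, value = field.strip(), value.strip()
        if field == "Key":
            info["keys"].append(value)
        elif field == "Attributes":
            info["attributes"] = [a.strip() for a in value.split(",") if a.strip()]
        else:
            info[field] = value
    return info

def audit_principal(text, max_failures=3):
    """Return (findings, remediation): findings are strings, remediation is the modify_principal
    command (Table 3-22 attribute syntax) that sets the missing flags, or None if none are missing."""
    info = parse_principal(text)
    name = info["Principal"].split("@")[0]         # principal name without the realm
    findings, flags = [], []
    if "REQUIRES_PRE_AUTH" not in info["attributes"]:
        findings.append("preauthentication not required")
        flags.append("+requires_preauth")
    for key in info["keys"]:                       # single DES, e.g. "DES cbc mode with CRC-32"
        if re.match(r"vno \d+, DES ", key):
            findings.append("single-DES key present: " + key)
    if info.get("Policy", "[none]") == "[none]":
        findings.append("no password policy assigned")
    if int(info.get("Failed password attempts", "0")) >= max_failures:
        findings.append("failed password attempts at or above threshold")
    cmd = "modify_principal %s %s" % (" ".join(flags), name) if flags else None
    return findings, cmd
```

A policy can be attached with the -policy option of modify_principal once a policy name is chosen; the script deliberately does not guess one.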

3.8.6 Setting Principal Password

You can use one of the following methods to set a principal's password:

Command Line

To change the password of a principal, enter the following at the kadmin prompt:

change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal

Table 3-23 change_password Parameters

Parameter
    Description

-randkey
    Sets the key of the principal to a random value.

-keepold
    Keeps the previous kvno’s keys. There is no easy way to delete the old keys, and this flag is usually not necessary except perhaps for TGS keys. Don’t use this flag unless you are sure you want to use it. This option is not supported for this release.

-e
    Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs.

-pw
    Sets the password to the specified string. We do not recommend that you use it.

For example:

change_password Jennifer

The output of the above command is similar to the following:

Enter password for principal "Jennifer":
Re-enter password for principal "Jennifer":
Password for "Jennifer@MYREALM" changed.

change_password -pw secret Jennifer

The output of the above command is similar to the following:

Password for "Jennifer@MYREALM" changed.

iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Set Principal Password.

Refer to the iManager online help for more information.

3.8.7 Extracting a Principal Key to a Keytab File

To extract the principal key to a keytab file, enter the following command at the kadmin prompt:

ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] principal | -glob princ-exp [...]

Table 3-24 ktadd Parameters

Parameter
    Description

-keytab
    Specifies the keytab file path.

-q
    Displays less verbose status information.

-e
    Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs.

principal | -glob princ-exp
    Adds the named principal, or all principals matching the principal expression, to the keytab.

For example:

ktadd -k /etc/key-tab David

The output of the above command is similar to the following:

Entry for principal David with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/key-tab.

3.8.8 Removing a Keytab Entry

To remove entries from a keytab, enter the following command at the kadmin prompt:

ktremove [-keytab keytab] [-q] principal [kvno|"all"|"old"]

Table 3-25 ktremove Parameters

Parameter
    Description

-keytab
    Specifies the keytab file path.

-q
    Displays less verbose status information.

kvno
    Removes all entries for the specified principal whose key version numbers match kvno.

all
    Removes all entries for the specified principal.

old
    Removes all entries for the specified principal, except those with the highest kvno.

For example:

ktremove -k /etc/key-tab user_David all

The output of the above command is similar to the following:

Entry for principal user_David with kvno 2 removed from keytab WRFILE:/etc/key-tab.