Managing Principals

You can manage principals through kadmin or, for most operations, through iManager. This section explains how to add, modify, delete and list principals, display a principal's attributes, set a principal's password, and extract principal keys to a keytab file or remove them from one.


Adding a Principal

User and service principals can be created only within the realm subtree and its sub-containers. Service principals can additionally be created directly in the realm container by passing the realm container's DN in the containerdn option when the service principal is created.

You can add a principal using either of the following methods:


Command Line

To create a principal, enter the following at the kadmin prompt:

add_principal [options] principal

options are:
[-x db_princ_args] [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey] [-pw password]
[-maxrenewlife maxrenewlife] [-e keysaltlist] [{+|-}attribute]

attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service


Table 25. add_principal Parameter Description

Parameter Description

-x

Denotes the database-specific options. The following are the options for LDAP as the backend:

  • -x userdn=<userdn>

    Specifies the associated eDirectory user object while creating a Kerberos user principal.

  • -x up=<on|off|clr>

    Specifies if the Kerberos User Principal associated with the eDirectory user object will make use of the universal password.

  • -x tktpolicydn=<policy_dn>

    Associates the ticket policy object with the given DN to the Kerberos principal.

  • -x containerdn=<container_dn>

    Specifies the eDirectory container under which the Kerberos service principal is to be created.

-expire

Specifies the expiration date of the principal.

-pwexpire

Specifies the password expiration date of the principal.

-maxlife

Specifies the maximum ticket life for the principal.

-kvno

Explicitly sets the key version number.

-policy

Specifies the password policy used by this principal. If no policy is supplied, the policy "default" is used provided it exists and -clearpolicy is not specified; otherwise the principal has no password policy and a warning message is printed.

-randkey

Sets the key of the principal to a random value. Do not use this option when creating inter-realm (cross-realm) principals, because the shared key must be identical in both realms and so has to be entered, not generated.

-pw

Sets the key of the principal to the specified string and does not prompt for a password.

WARNING:  Passing the password on the command line (in a script, or via kadmin -q at the shell prompt) is risky: anyone who can read the script, the shell history or the process list can recover it.

-maxrenewlife

Specifies the maximum renewable life of tickets for the principal.

-e

Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs. This will not function against kadmin daemons earlier than krb5-1.2.

NOTE:  If universal password integration is enabled, refer to .

-clearpolicy

Prevents the policy "default" from being assigned when (-) policy is not specified. This option has no effect if the policy "default" does not exist.

{-|+}allow_postdated

(-) allow_postdated prohibits this principal from obtaining postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)
(+) allow_postdated clears this flag.

{-|+}allow_forwardable

(-) allow_forwardable prohibits this principal from obtaining forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDABLE flag.)
(+) allow_forwardable clears this flag.

{-|+}allow_renewable

(-) allow_renewable prohibits this principal from obtaining renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)
(+) allow_renewable clears this flag.

{-|+}allow_proxiable

(-) allow_proxiable prohibits this principal from obtaining proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)
(+) allow_proxiable clears this flag.

{-|+}allow_dup_skey

(-) allow_dup_skey disables user-to-user authentication for this principal by prohibiting this principal from obtaining a session key for another user. (Sets the KRB5_KDB_DISALLOW_DUP_SKEY flag.)
(+) allow_dup_skey clears this flag.

{-|+}requires_preauth

(+) requires_preauth requires this principal to preauthenticate before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)
(-) requires_preauth clears this flag.

{-|+}requires_hwauth

(+) requires_hwauth requires this principal to preauthenticate using a hardware device before being allowed to kinit. (Sets the KRB5_KDB_REQUIRES_HW_AUTH flag.)
(-) requires_hwauth clears this flag.

{-|+}allow_svr

(-) allow_svr prohibits the issuance of service tickets for this principal. (Sets the KRB5_KDB_DISALLOW_SVR flag.)
(+) allow_svr clears this flag.

{-|+}allow_tgs_req

(-) allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted.
(+) allow_tgs_req clears this flag. The default is (+) allow_tgs_req. In effect, (-) allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

{-|+}allow_tix

(-) allow_tix forbids the issuance of any tickets for this principal.
(+) allow_tix clears this flag. The default is (+) allow_tix. In effect, (-) allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

{-|+}needchange

(+) needchange sets a flag in the attributes field to force a password change;
(-) needchange clears it. The default is (-) needchange. In effect, (+) needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.

{-|+}password_changing_service

(+) password_changing_service sets a flag in the attributes field marking this as a password change service principal.
(-) password_changing_service clears the flag. This flag intentionally has a long name. The default is (-) password_changing_service. In effect, (+) password_changing_service sets the KDB_PWCHANGE_SERVICE flag on the principal in the database.


Creating User Principal

Every Kerberos user principal is associated with an eDirectory user object. Therefore, when creating a Kerberos user principal, you must specify the associated eDirectory user object.

To create a user principal, enter the following at the kadmin prompt:

add_principal -x up=on -x userdn=cn=user1,o=org user_princ

If the object named by userdn does not exist in eDirectory, it is created with the specified name.

The output of the above command is similar to the following:

WARNING: no policy specified for user_princ@MYREALM; defaulting to no policy 
Enter password for principal "user_princ@MYREALM":
Re-enter password for principal "user_princ@MYREALM":
Principal "user_princ@MYREALM" created.


Creating a Service Principal

To create a service principal, enter the following at the kadmin prompt:

add_principal -x containerdn=ou=sales,o=org service_princ

The output of the above command is similar to the following:

WARNING: no policy specified for service_princ@MYREALM; defaulting to no policy 
Enter password for principal "service_princ@MYREALM":
Re-enter password for principal "service_princ@MYREALM":
Principal "service_princ@MYREALM" created.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > New Principal.

Refer to the iManager online help for more information.


Associating a Ticket Policy to the Kerberos Principal

A ticket policy object can be associated with a Kerberos principal using the add_principal command of the kadmin utility.

For example:

add_principal -x tktpolicydn=cn=tktpolicy,o=org serviceuser


Modifying a Principal

You can modify a principal using either of the following methods:


Command Line

To modify principals, enter the following at the kadmin command prompt:

modify_principal [options] principal

options are:
[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-maxrenewlife maxrenewlife] [{+|-}attribute]

attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service

For details about the parameters, refer to Table 25, add_principal Parameter Description.

For example:

modify_principal -x up=off -policy cn=realm_policy,o=org +requires_preauth princ

The output of the above command is similar to the following:

Principal "princ@MYREALM" modified.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Edit Principal.

Refer to the iManager online help for more information.


Associating a Ticket Policy to the Kerberos Principal

If the principal already exists, use the modify_principal command of the kadmin utility.

For example:

modify_principal -x tktpolicydn=cn=tktpolicy,o=org serviceuser


Deleting a Principal

You can delete a principal using either of the following methods:


Command Line

To delete a principal, enter the following at the kadmin command prompt:

delete_principal [-force] principal

If the -force option is not specified, you are prompted to confirm the deletion. The delete_principal command removes only the Kerberos attributes; the associated eDirectory user object is not deleted.

For example:

delete_principal princ1

The output of the above command is similar to the following:

Are you sure you want to delete the principal "princ1@MYREALM"? (yes/no): yes 
Principal "princ1@MYREALM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Delete Principal.

Refer to the iManager online help for more information.


Listing Principals

To list principals, enter the following at the kadmin prompt:

list_principals [expression]

For example:

list_principals princ*

The output of the above command is similar to the following:

princ@MYREALM 
princ1@MYREALM
princ2@MYREALM


Getting Principal Information

To get the attributes of a principal, enter the following at the kadmin command prompt:

get_principal [-terse] principal

For example:

get_principal user_princ

The output of the above command is similar to the following:

Principal: user_princ@MYREALM 
Expiration date: [never]
Last password change: Tue May 31 13:55:24 IST 2005
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 31 14:05:06 IST 2005 (CN=service-adm,O=org@MYREALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
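Reviewing get_principal output by hand does not scale past a handful of principals. The following Python script is an added example, not part of the original page or of Novell's tooling: it parses the output of get_principal for several principals (the sample below is constructed; the first block is the page's own example, the second is made up), flags principals that lack REQUIRES_PRE_AUTH, have no password policy, or still carry a single-DES or RC4 key, and prints the modify_principal or change_password command that would fix each finding. The policy DN cn=realm_policy,o=org and the keysalt aes256-cts:normal are assumptions to be replaced with the realm's own values.

```python
import re

# Constructed sample: get_principal output for two principals, concatenated with a blank
# line between them. The field layout follows kadmin; the second block and its AES/DES
# key lines are made up for this example.
SAMPLE = """\
Principal: user_princ@MYREALM
Expiration date: [never]
Last password change: Tue May 31 13:55:24 IST 2005
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 31 14:05:06 IST 2005 (CN=service-adm,O=org@MYREALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]

Principal: service_princ@MYREALM
Expiration date: [never]
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 2
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, DES cbc mode with CRC-32, no salt
Attributes:
Policy: [none]
"""

# Enctype names the audit treats as weak (single DES and RC4, as kadmin prints them).
# This is the example's own policy choice, not a list taken from the page.
WEAK_ENCTYPE_MARKERS = ("des cbc mode with crc-32", "des cbc mode with md5",
                        "des cbc mode with md4", "arcfour")

# Assumed names used in the generated remediation commands; adjust to your realm.
ASSUMED_POLICY_DN = "cn=realm_policy,o=org"
ASSUMED_KEYSALT = "aes256-cts:normal"


def parse_get_principal(text):
    """Split concatenated get_principal output into one dict per principal.
    Every 'Key:' line is kept in a list; 'Attributes:' is split into a list of flags."""
    principals = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"keys": [], "attributes": []}
        for line in block.splitlines():
            field, _, value = line.partition(":")
            field, value = field.strip(), value.strip()
            if field == "Key":
                rec["keys"].append(value)
            elif field == "Attributes":
                rec["attributes"] = value.split()
            elif field:
                rec[field] = value
        principals.append(rec)
    return principals


def audit(principals):
    """Return (principal, finding, kadmin remediation command) triples."""
    findings = []
    for p in principals:
        name = p["Principal"]
        if "REQUIRES_PRE_AUTH" not in p["attributes"]:
            findings.append((name, "preauth not required",
                             f"modify_principal +requires_preauth {name}"))
        if p.get("Policy", "[none]") == "[none]":
            findings.append((name, "no password policy",
                             f"modify_principal -policy {ASSUMED_POLICY_DN} {name}"))
        weak = [k for k in p["keys"] if any(m in k.lower() for m in WEAK_ENCTYPE_MARKERS)]
        if weak:
            findings.append((name, "weak key enctype: " + weak[0],
                             f'change_password -e "{ASSUMED_KEYSALT}" {name}'))
    return findings


if __name__ == "__main__":
    for name, finding, fix in audit(parse_get_principal(SAMPLE)):
        print(f"{name}: {finding}\n    {fix}")
```

Feed it the concatenated output of get_principal for every name returned by list_principals. For a service principal whose key is to be regenerated rather than typed, add -randkey to the suggested change_password command and run ktadd again afterwards, since the new key version invalidates the keytab entry.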


Setting Principal Password

You can set a principal's password using either of the following methods:


Command Line

To change the password of a principal, enter the following at the kadmin prompt:

change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal


Table 26. change_password Parameter Description

Parameter Description

-randkey

Sets the key of the principal to a random value.

-keepold

Keeps the previous kvno's keys. There is no easy way to delete the old keys, and this flag is usually not necessary except perhaps for TGS keys. Don't use this flag unless you are sure you want to use it.

-e

Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs.

NOTE:  If universal password integration is enabled, refer to .

-pw

Sets the password to the specified string without prompting. This option is not recommended, for the reasons given in the -pw warning in Table 25.

For example:

change_password princ2

The output of the above command is similar to the following:

Enter password for principal "princ2": 
Re-enter password for principal "princ2":
Password for "princ2@MYREALM" changed.

change_password -pw secret princ2

The output of the above command is similar to the following:

Password for "princ2@MYREALM" changed.


iManager

  1. In Novell iManager, click the Roles and Tasks button.

  2. Select Kerberos Management > Set Principal Password.

Refer to the iManager online help for more information.


Extracting Principal Key to a Keytab File

To extract the principal key to a keytab file, enter the following command at the kadmin prompt:

ktadd [-keytab keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]


Table 27. ktadd Parameter Description

Parameter Description

-keytab

Specifies the keytab file path.

-q

Displays less verbose status information.

-e

Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if there are multiple enctype-salttype pairs.

NOTE:  If universal password integration is enabled, refer to .

For example:

ktadd -k /etc/key-tab user_princ

The output of the above command is similar to the following:

Entry for principal user_princ with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/key-tab.


Removing Keytab Entry

To remove entries from a keytab, enter the following command at the kadmin prompt:

ktremove [-keytab keytab] [-q] principal [kvno|"all"|"old"]


Table 28. ktremove Parameter Description

Parameter Description

-keytab

Specifies the keytab file path.

-q

Displays less verbose status information.

For example:

ktremove -k /etc/key-tab user_princ all

The output of the above command is similar to the following:

Entry for principal user_princ with kvno 2 removed from keytab WRFILE:/etc/key-tab.
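Both ktadd and ktremove operate on the same on-disk structure, and it helps to know what is actually in the file that ktadd writes and how ktremove's kvno, "all" and "old" selectors map onto it. The following Python module is an added example, not part of the original page or of Novell's or MIT's code: it writes and reads the keytab format version 0x0502 used by MIT and Heimdal (big-endian entries, each prefixed by a size that is negated to mark a deleted slot), and applies ktremove's selector semantics to the parsed entries. The sample entries, their dummy key bytes and timestamps are constructed; the enctype numbers 18 (aes256-cts-hmac-sha1-96) and 16 (des3-cbc-sha1) come from the RFC 3961 registry.

```python
import struct

KEYTAB_VERSION = 0x0502   # file format version written by MIT and Heimdal (big-endian)
KRB5_NT_PRINCIPAL = 1     # name_type stored in every v2 entry

# Constructed sample: a service principal with two key versions (as left behind after a
# key rollover) and a user principal. Keys are dummy bytes of the right length.
SAMPLE_ENTRIES = [
    {"principal": "host/web.example.com@MYREALM", "kvno": 2, "enctype": 18,
     "key": b"\x11" * 32, "timestamp": 1117527906},
    {"principal": "host/web.example.com@MYREALM", "kvno": 3, "enctype": 18,
     "key": b"\x22" * 32, "timestamp": 1117614306},
    {"principal": "user_princ@MYREALM", "kvno": 2, "enctype": 16,
     "key": b"\x33" * 24, "timestamp": 1117527906},
]


def _octets(b):
    """counted_octet_string: uint16 length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def _read_octets(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def write_keytab(entries):
    """Serialize entries into keytab format 0x0502."""
    out = struct.pack(">H", KEYTAB_VERSION)
    for e in entries:
        name, realm = e["principal"].rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        # name_type, timestamp, 8-bit kvno, then the keyblock (enctype + counted key)
        body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, e["timestamp"], e["kvno"] & 0xFF)
        body += struct.pack(">H", e["enctype"]) + _octets(e["key"])
        body += struct.pack(">I", e["kvno"])          # 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body    # size prefix; negative = deleted slot
    return out


def read_keytab(data):
    """Parse a keytab, skipping slots that were marked deleted in place (negative size)."""
    (ver,) = struct.unpack_from(">H", data, 0)
    if ver != KEYTAB_VERSION:
        raise ValueError(f"unsupported keytab version {ver:#06x}")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _read_octets(data, pos)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_octets(data, pos)
            comps.append(c.decode())
        _name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _read_octets(data, pos)
        kvno = vno8
        if end - pos >= 4:                            # 32-bit kvno present
            (kvno,) = struct.unpack_from(">I", data, pos)
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "kvno": kvno, "enctype": enctype, "key": key, "timestamp": ts})
    return entries


def mark_deleted(data, entry_index):
    """Mark the n-th slot deleted in place by negating its size, as MIT's file driver does."""
    buf, pos, i = bytearray(data), 2, 0
    while pos < len(buf):
        (size,) = struct.unpack_from(">i", buf, pos)
        if i == entry_index and size > 0:
            struct.pack_into(">i", buf, pos, -size)
            return bytes(buf)
        pos += 4 + abs(size)
        i += 1
    raise IndexError(entry_index)


def remove_entries(entries, principal, which):
    """ktremove selector semantics: `which` is a kvno, "all" (every entry for the
    principal) or "old" (every entry except the one(s) with the highest kvno)."""
    mine = [e for e in entries if e["principal"] == principal]
    if which == "all":
        drop = mine
    elif which == "old":
        newest = max((e["kvno"] for e in mine), default=None)
        drop = [e for e in mine if e["kvno"] != newest]
    else:
        drop = [e for e in mine if e["kvno"] == int(which)]
    return [e for e in entries if not any(e is d for d in drop)]


if __name__ == "__main__":
    blob = write_keytab(SAMPLE_ENTRIES)
    for e in remove_entries(read_keytab(blob), "host/web.example.com@MYREALM", "old"):
        print(f'{e["principal"]} kvno {e["kvno"]} enctype {e["enctype"]}')
```

Two practical consequences follow from the format. Deleted slots stay in the file as negative-size regions, so a keytab that has been trimmed with ktremove still contains the old key bytes until it is rewritten; overwrite and recreate the file rather than relying on ktremove alone when retiring a compromised key. And "old" keeps every entry at the highest kvno, one per enctype, which is what a service needs after a rollover once all outstanding tickets issued under the previous kvno have expired.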