You can manage principals through kadmin. This section explains the following:
User principals and service principals can be created only within the realm subtree and its sub-containers. Service principals can additionally be created in the realm container itself by passing the realm container as the container DN option (-x containerdn=...) when creating the service principal.
You can add a principal using either of the following methods:
To create a principal, enter the following at the kadmin prompt:
add_principal [options] principal
options are:
[-x db_princ_args] [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-randkey] [-pw password]
[-maxrenewlife maxrenewlife]
[-e keysaltlist]
[{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
Table 25. add_principal Parameter Description
Every Kerberos user principal is associated with an eDirectory user object. Therefore, when creating a Kerberos user principal, you must specify the associated eDirectory user object.
To create a user principal, enter the following at the kadmin prompt:
add_principal -x up=on -x userdn=cn=user1,o=org user_princ
If the object named by userdn does not exist in eDirectory, kadmin creates a new user object with that DN.
The output of the above command is similar to the following:
WARNING: no policy specified for user_princ@MYREALM; defaulting to no policy
Enter password for principal "user_princ@MYREALM":
Re-enter password for principal "user_princ@MYREALM":
Principal "user_princ@MYREALM" created.
To create a service principal, enter the following:
add_principal -x containerdn=ou=sales,o=org service_princ
The output of the above command is similar to the following:
WARNING: no policy specified for service_princ@MYREALM; defaulting to no policy
Enter password for principal "service_princ@MYREALM":
Re-enter password for principal "service_princ@MYREALM":
Principal "service_princ@MYREALM" created.
You can modify a principal using either of the following methods:
To modify principals, enter the following at the kadmin command prompt:
modify_principal [options] principal
options are:
[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
[-kvno kvno] [-policy policy] [-clearpolicy]
[-maxrenewlife maxrenewlife] [{+|-}attribute]
attributes are:
allow_postdated allow_forwardable allow_tgs_req allow_renewable
allow_proxiable allow_dup_skey allow_tix requires_preauth
requires_hwauth needchange allow_svr password_changing_service
For details about the parameters, refer to Table 25, add_principal Parameter Description.
For example:
modify_principal -x up=off -policy cn=realm_policy,o=org +requires_preauth princ
The output of the above command is similar to the following:
Principal "princ@MYREALM" modified.
You can delete a principal using either of the following methods:
To delete a principal, enter the following at the kadmin command prompt:
delete_principal [-force] principal
If the -force option is not specified, you are prompted to confirm the deletion. The delete_principal command does not delete the eDirectory user object; it removes only the Kerberos attributes from it.
For example:
delete_principal princ1
The output of the above command is similar to the following:
Are you sure you want to delete the principal "princ1@MYREALM"? (yes/no): yes
Principal "princ1@MYREALM" deleted.
Make sure that you have removed this principal from all ACLs before reusing the principal name.
To list principals, enter the following at the kadmin prompt:
list_principals [expression]
For example:
list_principals princ*
The output of the above command is similar to the following:
princ@MYREALM
princ1@MYREALM
princ2@MYREALM
To get the attributes of a principal, enter the following at the kadmin command prompt:
get_principal [-terse] principal
For example:
get_principal user_princ
The output of the above command is similar to the following:
Principal: user_princ@MYREALM
Expiration date: [never]
Last password change: Tue May 31 13:55:24 IST 2005
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 31 14:05:06 IST 2005 (CN=service-adm,O=org@MYREALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
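As an added example (not from the page or the product's own tooling), the following Python audits get_principal output of the form shown above and flags settings an administrator would want to review; the ticket-life limit and the list of enctypes treated as weak are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample, modelled on the get_principal output shown on this page.
SAMPLE = """\
Principal: user_princ@MYREALM
Expiration date: [never]
Last password change: Tue May 31 13:55:24 IST 2005
Password expiration date: [none]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Tue May 31 14:05:06 IST 2005 (CN=service-adm,O=org@MYREALM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, Triple DES cbc mode with HMAC/sha1, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

def parse_get_principal(text):
    """Turn 'Field: value' lines into a dict; 'Key:' lines are collected in a list."""
    info = {"keys": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field == "Key":
            info["keys"].append(value)
        else:
            info[field] = value
    return info

def parse_lifetime(value):
    """'1 day 00:00:00' or '7 days 00:00:00' -> timedelta."""
    m = re.match(r"(?:(\d+) days? )?(\d+):(\d+):(\d+)", value)
    days, h, mi, s = (int(x or 0) for x in m.groups())
    return timedelta(days=days, hours=h, minutes=mi, seconds=s)

# Assumed list of enctypes to flag: single DES, 3DES and RC4 are deprecated.
WEAK_ENCTYPES = ("DES cbc", "Triple DES", "ArcFour")

def audit_principal(text, max_ticket_life=timedelta(days=1)):
    """Return a list of findings for one principal's get_principal output."""
    p = parse_get_principal(text)
    findings = []
    if "REQUIRES_PRE_AUTH" not in p.get("Attributes", "").split():
        findings.append("pre-authentication not required")
    if p.get("Policy", "[none]") == "[none]":
        findings.append("no password policy")
    if p.get("Password expiration date") == "[none]":
        findings.append("password never expires")
    if parse_lifetime(p["Maximum ticket life"]) > max_ticket_life:
        findings.append("ticket life exceeds limit")
    findings += ["weak enctype: " + k for k in p["keys"]
                 if any(w in k for w in WEAK_ENCTYPES)]
    return findings
```

The sample principal passes the pre-authentication check but is reported for the missing policy, the non-expiring password and the 3DES key.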
You can set a principal's password using either of the following methods:
To change the password of a principal, enter the following at the kadmin prompt:
change_password [-randkey] [-keepold] [-e keysaltlist] [-pw password] principal
Table 26. change_password Parameter Description
For example:
change_password princ2
The output of the above command is similar to the following:
Enter password for principal "princ2":
Re-enter password for principal "princ2":
Password for "princ2@MYREALM" changed.
change_password -pw secret princ2
The output of the above command is similar to the following:
Password for "princ2@MYREALM" changed.
To extract the principal key to a keytab file, enter the following command at the kadmin prompt:
ktadd [-keytab keytab] [-q] [-e keysaltlist] [principal | -glob princ-exp] [...]
Table 27. ktadd Parameter Description
For example:
ktadd -k /etc/key-tab user_princ
The output of the above command is similar to the following:
Entry for principal user_princ with kvno 2, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/key-tab.
To remove entries from a keytab, enter the following command at the kadmin prompt:
ktremove [-keytab keytab] [-q] principal [kvno|"all"|"old"]
Table 28. ktremove Parameter Description
Parameter | Description
---|---
-keytab | Specifies the keytab file path.
-q | Displays less verbose status information.
For example:
ktremove -k /etc/key-tab user_princ all
The output of the above command is similar to the following:
Entry for principal user_princ with kvno 2 removed from keytab WRFILE:/etc/key-tab.