Oracle Solaris Administration: Security Services (Oracle Solaris 11 Information Library)
Administering Kerberos Principals

This section provides the step-by-step instructions used to administer principals with the SEAM Tool. This section also provides examples of command-line equivalents, when available.

Administering Kerberos Principals (Task Map)

Task: View the list of principals.
Description: View the list of principals by clicking the Principals tab.
For Instructions: How to View the List of Kerberos Principals

Task: View a principal's attributes.
Description: View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button.
For Instructions: How to View a Kerberos Principal's Attributes

Task: Create a new principal.
Description: Create a new principal by clicking the Create New button in the Principal List panel.
For Instructions: How to Create a New Kerberos Principal

Task: Duplicate a principal.
Description: Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button.
For Instructions: How to Duplicate a Kerberos Principal

Task: Modify a principal.
Description: Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.
For Instructions: How to Modify a Kerberos Principal

Task: Delete a principal.
Description: Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button.
For Instructions: How to Delete a Kerberos Principal

Task: Set up defaults for creating new principals.
Description: Set up defaults for creating new principals by choosing Properties from the Edit menu.
For Instructions: How to Set Up Defaults for Creating New Kerberos Principals

Task: Modify the Kerberos administration privileges (kadm5.acl file).
Description: Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal.
For Instructions: How to Modify the Kerberos Administration Privileges

Automating the Creation of New Kerberos Principals

Even though the SEAM Tool provides ease-of-use, it doesn't provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.

The following shell script line is an example of how to automate the creation of new principals:

awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames |
        time /usr/sbin/kadmin.local > /dev/null

This example is split over two lines for readability. The script reads in a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces. The +needchange option configures the principal so that the user is prompted for a new password during login with the principal for the first time. This practice helps to ensure that the passwords in the princnames file are not a security risk.

You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site's needs and your scripting expertise.

How to View the List of Kerberos Principals

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.

    The list of principals is displayed.


    image:Dialog box titled Seam Tool shows a list of principals and a list filter. Shows Modify, Create New, Delete, and Duplicate buttons.
  3. Display a specific principal or a sublist of principals.

    Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.

    The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge).

    If you want to display the entire list of principals, click Clear Filter.

Example 23-1 Viewing the List of Kerberos Principals (Command Line)

In the following example, the list_principals command of kadmin is used to list all the principals that match kadmin*. Wildcards can be used with the list_principals command.

kadmin: list_principals kadmin*
kadmin/changepw@EXAMPLE.COM
kadmin/kdc1.example.con@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin: quit

How to View a Kerberos Principal's Attributes

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to view, then click Modify.

    The Principal Basics panel that contains some of the principal's attributes is displayed.

  4. Continue to click Next to view all the principal's attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  5. When you are finished viewing, click Cancel.

Example 23-2 Viewing a Kerberos Principal's Attributes

The following example shows the first window when you are viewing the jdb/admin principal.

image:Dialog box titled SEAM Tool shows account data for the jdb/admin principal. Shows account expiration date and comments.

Example 23-3 Viewing a Kerberos Principal's Attributes (Command Line)

In the following example, the get_principal command of kadmin is used to view the attributes of the jdb/admin principal.

kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM

Expiration date: [never]
Last password change: [never]

Password expiration date: Wed Apr 14 11:53:10 PDT 2011
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Mon Sep 28 13:32:23 PST 2009 (host/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit

How to Create a New Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    Note - If you are creating a new principal that might need a new policy, you should create the new policy before you create the new principal. Go to How to Create a New Kerberos Policy.


    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Click New.

    The Principal Basics panel that contains some attributes for a principal is displayed.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory.

  5. Specify the encryption types for the principal.

    Click on the box to the right of the encryption key types field to open a new window that displays all of the encryption key types available. Click OK after selecting the required encryption types.


    image:Dialog box titled SEAM Encryption Type List Helper lists all of the encryption types installed.
  6. Specify the policy for the principal.
  7. Specify values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  8. Click Save to save the principal, or click Done on the last panel.
  9. If needed, set up Kerberos administration privileges for the new principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 23-4 Creating a New Kerberos Principal

The following example shows the Principal Basics panel when a new principal called pak is created. The policy is set to testuser.

image:Dialog box titled SEAM Tool shows account data for the pak principal. Shows password, account expiration date, and testuser policy.

Example 23-5 Creating a New Kerberos Principal (Command Line)

In the following example, the add_principal command of kadmin is used to create a new principal called pak. The principal's policy is set to testuser.

kadmin: add_principal -policy testuser pak
Enter password for principal "pak@EXAMPLE.COM": <Type the password>
Re-enter password for principal "pak@EXAMPLE.COM": <Type the password again>
Principal "pak@EXAMPLE.COM" created.
kadmin: quit

How to Duplicate a Kerberos Principal

This procedure explains how to use all or some of the attributes of an existing principal to create a new principal. No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to duplicate, then click Duplicate.

    The Principal Basics panel is displayed. All the attributes of the selected principal are duplicated, except for the Principal Name and Password fields, which are empty.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory. To make an exact duplicate of the principal you selected, click Save and skip to Step 7.

  5. Specify different values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  6. Click Save to save the principal, or click Done on the last panel.
  7. If needed, set up Kerberos administration privileges for the principal in /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

How to Modify a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to modify, then click Modify.

    The Principal Basics panel that contains some of the attributes for the principal is displayed.

  4. Modify the principal's attributes, and continue to click Next to modify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.


    Note - You cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.


  5. Click Save to save the principal, or click Done on the last panel.
  6. Modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 23-6 Modifying a Kerberos Principal's Password (Command Line)

In the following example, the change_password command of kadmin is used to modify the password for the jdb principal. The change_password command does not let you change the password to a password that is in the principal's password history.

kadmin: change_password jdb
Enter password for principal "jdb": <Type the new password>
Re-enter password for principal "jdb": <Type the password again>
Password for "jdb@EXAMPLE.COM" changed.
kadmin: quit

To modify other attributes for a principal, you must use the modify_principal command of kadmin.

How to Delete a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Click the Principals tab.
  3. Select the principal in the list that you want to delete, then click Delete.

    After you confirm the deletion, the principal is deleted.

  4. Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.

    See How to Modify the Kerberos Administration Privileges for more details.

Example 23-7 Deleting a Kerberos Principal (Command Line)

In the following example, the delete_principal command of kadmin is used to delete the pak principal.

kadmin: delete_principal pak
Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes
Principal "pak@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: quit

How to Set Up Defaults for Creating New Kerberos Principals

No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.

    $ /usr/sbin/gkadmin
  2. Choose Properties from the Edit Menu.

    The Properties window is displayed.


    image:Dialog box titled Properties shows defaults for new principals and list controls. Defaults for principals cover security and other options.
  3. Select the defaults that you want to use when you create new principals.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window.

  4. Click Save.

How to Modify the Kerberos Administration Privileges

Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.

  1. Become superuser on the master KDC.
  2. Edit the /etc/krb5/kadm5.acl file.

    An entry in the kadm5.acl file must have the following format:

    principal privileges [principal-target]

    principal
    Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.

    Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.

    privileges
    Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following list of characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.
    a
    [Dis]allows the addition of principals or policies.
    d
    [Dis]allows the deletion of principals or policies.
    m
[Dis]allows the modification of principals or policies.
    c
    [Dis]allows the changing of passwords for principals.
    i
    [Dis]allows inquiries to the Kerberos database.
    l
    [Dis]allows the listing of principals or policies in the Kerberos database.
    x or *
    Allows all privileges (admcil).
    principal-target
    When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.

Example 23-8 Modifying the Kerberos Administration Privileges

The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:

*/admin@EXAMPLE.COM *

The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to add, list, and inquire about any principal that has the root instance.

jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
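As an added example (not part of the Oracle documentation), the following Python evaluates kadm5.acl entries using the rules described above: component-wise '*' matching of the principal and realm, lowercase letters permit and uppercase letters disallow, x or * grants admcil, and an optional principal-target restricts when the entry applies. It assumes that the first matching entry decides and that '#' starts a comment; the sample ACL is constructed from Example 23-8 plus one extra entry that uses uppercase denials.

```python
import re
from typing import List, Optional, Set, Tuple

ALL_PRIVS = "admcil"  # what 'x' or '*' expands to
AclEntry = Tuple[str, Set[str], Optional[str]]  # (principal pattern, permitted ops, target pattern)

def parse_privileges(field: str) -> Set[str]:
    """Lowercase permits, uppercase disallows, 'x' or '*' permits all (admcil)."""
    allowed: Set[str] = set()
    for ch in field:
        if ch in "x*":
            allowed |= set(ALL_PRIVS)
        elif ch.lower() not in ALL_PRIVS:
            raise ValueError(f"unknown privilege character {ch!r} in {field!r}")
        elif ch.islower():
            allowed.add(ch)
        else:
            allowed.discard(ch.lower())
    return allowed
def parse_kadm5_acl(text: str) -> List[AclEntry]:
    """Parse 'principal privileges [principal-target]' lines; assumption: '#' starts a comment."""
    entries: List[AclEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 fields, got {len(fields)}")
        target = fields[2] if len(fields) == 3 else None
        entries.append((fields[0], parse_privileges(fields[1]), target))
    return entries
def _glob(pattern: str, text: str) -> bool:
    """'*' matches any run of characters inside one component; nothing else is special."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, text) is not None
def principal_matches(pattern: str, principal: str) -> bool:
    """Component-wise match of name/instance and realm, e.g. '*/admin@EXAMPLE.COM'."""
    pat_name, _, pat_realm = pattern.partition("@")
    name, _, realm = principal.partition("@")
    pat_parts, parts = pat_name.split("/"), name.split("/")
    if len(pat_parts) != len(parts):  # '*/admin' must not match 'a/b/admin'
        return False
    return _glob(pat_realm, realm) and all(map(_glob, pat_parts, parts))
def is_allowed(entries: List[AclEntry], principal: str, op: str, target: Optional[str] = None) -> bool:
    """Assumption: the first entry whose principal (and target, if given) match decides."""
    for pat, allowed, tgt in entries:
        if not principal_matches(pat, principal):
            continue
        if tgt and (target is None or not principal_matches(tgt, target)):
            continue
        return op in allowed
    return False  # no matching entry: every operation is disallowed

# Constructed sample: the two entries from Example 23-8 plus one that uses uppercase denials.
SAMPLE_ACL = """\
*/admin@EXAMPLE.COM  *
jdb@EXAMPLE.COM      ali   */root@EXAMPLE.COM
helpdesk@EXAMPLE.COM xADM  # all privileges except add, delete, modify
"""
ENTRIES = parse_kadm5_acl(SAMPLE_ACL)
```

Checking a proposed entry this way before editing /etc/krb5/kadm5.acl shows whether a wildcard or a target restriction grants more, or less, than intended.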