System Administration Guide: Security Services

Chapter 25 Administering Kerberos Principals and Policies (Tasks)

This chapter provides procedures for administering principals and the policies that are associated with them. This chapter also shows how to administer a host's keytab file.

This chapter should be used by anyone who needs to administer principals and policies. Before you use this chapter, you should be familiar with principals and policies, including any planning considerations. Refer to Chapter 21, Introduction to the Kerberos Service and Chapter 22, Planning for the Kerberos Service, respectively.

This is a list of the information in this chapter.

Ways to Administer Kerberos Principals and Policies

The Kerberos database on the master KDC contains all of your realm's Kerberos principals, their passwords, policies, and other administrative information. To create and delete principals, and to modify their attributes, you can use either the kadmin or gkadmin command.

The kadmin command provides an interactive command-line interface that enables you to maintain Kerberos principals, policies, and keytab files. There are two versions of the kadmin command:

Other than kadmin using Kerberos to authenticate the user, the capabilities of the two versions are identical. The local version is necessary to enable you to set up enough of the database so that you can use the remote version.

Also, the Solaris release provides the SEAM Administration Tool, gkadmin, which is an interactive graphical user interface (GUI) that provides essentially the same capabilities as the kadmin command. See SEAM Administration Tool for more information.

SEAM Administration Tool

The SEAM Administration Tool (SEAM Tool) is an interactive graphical user interface (GUI) that enables you to maintain Kerberos principals and policies. This tool provides much the same capabilities as the kadmin command. However, this tool does not support the management of keytab files. You must use the kadmin command to administer keytab files, which is described in Administering Keytab Files.

Similar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted RPC to operate securely from anywhere on the network. The SEAM Tool enables you to do the following:

The SEAM Tool also provides context-sensitive help and general online help.

The following task maps provide pointers to the various tasks that you can do with the SEAM Tool:

Also, go to SEAM Tool Panel Descriptions for descriptions of all the principal attributes and policy attributes that you can either specify or view in the SEAM Tool.

Command-Line Equivalents of the SEAM Tool

This section lists the kadmin commands that provide the same capabilities as the SEAM Tool. These commands can be used without running an X Window System. Even though most procedures in this chapter use the SEAM Tool, many procedures also provide corresponding examples that use the command-line equivalents.

Table 25–1 Command-Line Equivalents of the SEAM Tool

SEAM Tool Procedure                              Equivalent kadmin Command
View the list of principals.                     list_principals or get_principals
View a principal's attributes.                   get_principal
Create a new principal.                          add_principal
Duplicate a principal.                           No command-line equivalent
Modify a principal.                              modify_principal or change_password
Delete a principal.                              delete_principal
Set up defaults for creating new principals.     No command-line equivalent
View the list of policies.                       list_policies or get_policies
View a policy's attributes.                      get_policy
Create a new policy.                             add_policy
Duplicate a policy.                              No command-line equivalent
Modify a policy.                                 modify_policy
Delete a policy.                                 delete_policy

The Only File Modified by the SEAM Tool

The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This file contains the default values for creating new principals. You can update this file by choosing Properties from the Edit menu.

Print and Online Help Features of the SEAM Tool

The SEAM Tool provides both print features and online help features. From the Print menu, you can send the following to a printer or a file:

From the Help menu, you can access context-sensitive help and general help. When you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is displayed and the tool is switched to help mode. In help mode, when you click on any fields, labels, or buttons on the window, help on that item is displayed in the Help window. To switch back to the tool's normal mode, click Dismiss in the Help window.

You can also choose Help Contents, which opens an HTML browser that provides pointers to the general overview and task information that is provided in this chapter.

Working With Large Lists in the SEAM Tool

As your site accumulates a large number of principals and policies, the SEAM Tool takes increasingly long to load and display the principal and policy lists, and your productivity with the tool decreases. There are several ways to work around this problem.

First, you can completely eliminate the time to load the lists by not having the SEAM Tool load the lists. You can set this option by choosing Properties from the Edit menu, and unchecking the Show Lists field. Of course, when the tool doesn't load the lists, it can't display the lists, and you can no longer use the list panels to select principals or policies. Instead, you must type a principal or policy name in the new Name field that is provided, then select the operation that you want to perform on it. In effect, typing a name is equivalent to selecting an item from the list.

Another way to work with large lists is to cache them. In fact, caching the lists for a limited time is set as the default behavior for the SEAM Tool. The SEAM Tool must still initially load the lists into the cache. But after that, the tool can use the cache rather than retrieve the lists again. This option eliminates the need to keep loading the lists from the server, which is what takes so long.

You can set list caching by choosing Properties from the Edit menu. There are two cache settings. You can choose to cache the list forever, or you can specify a time limit when the tool must reload the lists from the server into the cache.

Caching the lists still enables you to use the list panels to select principals and policies, so it doesn't affect how you use the SEAM Tool as the first option does. Also, even though caching doesn't enable you to see the changes of other users, you can still see the latest list information based on your changes, because your changes update the lists both on the server and in the cache. And, if you want to update the cache to see other changes and get the latest copy of the lists, you can use the Refresh menu whenever you want to refresh the cache from the server.

Procedure: How to Start the SEAM Tool

  1. Start the SEAM Tool by using the gkadmin command.


    $ /usr/sbin/gkadmin
    

    The SEAM Administration Login window is displayed.

    Figure: Dialog box titled SEAM Administration Login shows four fields for Principal Name, Password, Realm, and Master KDC. Shows OK and Start Over buttons.
  2. If you don't want to use the default values, specify new default values.

    The window automatically fills in with default values. The default principal name is determined by taking your current identity from the USER environment variable and appending /admin to it (username/admin). The default Realm and Master KDC fields are selected from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click Start Over.


    Note –

    The administration operations that each Principal Name can perform are dictated by the Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see Using the SEAM Tool With Limited Kerberos Administration Privileges.


  3. Type a password for the specified principal name.

  4. Click OK.

    A window showing all of the principals is displayed.

Administering Kerberos Principals

This section provides the step-by-step instructions used to administer principals with the SEAM Tool. This section also provides examples of command-line equivalents, when available.

Administering Kerberos Principals (Task Map)

Task: View the list of principals.
Description: View the list of principals by clicking the Principals tab.
For Instructions: How to View the List of Kerberos Principals

Task: View a principal's attributes.
Description: View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button.
For Instructions: How to View a Kerberos Principal's Attributes

Task: Create a new principal.
Description: Create a new principal by clicking the Create New button in the Principal List panel.
For Instructions: How to Create a New Kerberos Principal

Task: Duplicate a principal.
Description: Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button.
For Instructions: How to Duplicate a Kerberos Principal

Task: Modify a principal.
Description: Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.
For Instructions: How to Modify a Kerberos Principal

Task: Delete a principal.
Description: Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button.
For Instructions: How to Delete a Kerberos Principal

Task: Set up defaults for creating new principals.
Description: Set up defaults for creating new principals by choosing Properties from the Edit menu.
For Instructions: How to Set Up Defaults for Creating New Kerberos Principals

Task: Modify the Kerberos administration privileges (kadm5.acl file).
Description: Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal.
For Instructions: How to Modify the Kerberos Administration Privileges

Automating the Creation of New Kerberos Principals

Even though the SEAM Tool provides ease of use, it doesn't provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.

The following shell script line is an example of how to automate the creation of new principals:


awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames |
        time /usr/sbin/kadmin.local > /dev/null

This example is split over two lines for readability. The script reads in a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces. The +needchange option configures the principal so that the user is prompted for a new password during login with the principal for the first time. This practice helps to ensure that the passwords in the princnames file are not a security risk.

You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site's needs and your scripting expertise.
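The following Bourne shell script is an added example, not part of the Solaris guide, that wraps the one-line pipeline above with two checks a practitioner would want before bulk-loading credentials: it refuses a princnames file that group or other can read, and it skips lines that do not contain exactly one principal and one password instead of passing a malformed command to kadmin.local. The function names, the mode check and the dry-run at the end are this example's own; the input format and the ank +needchange -pw command are the ones the guide describes (ank is the kadmin alias of add_principal).

```shell
#!/bin/sh
# Added example (not from the Solaris guide): checked bulk creation of
# principals from a princnames file, one "principal password" pair per
# line separated by one or more spaces, as the guide describes.

# Refuse to use a princnames file that group or other can read; the
# plaintext passwords in it should be visible to root only.
check_princnames_mode() {
    case "$(ls -l "$1" | cut -c5-10)" in
        *r*) echo "refusing: $1 is readable by group or other" >&2; return 1 ;;
    esac
    return 0
}

# Print one kadmin.local command per valid line:
#     ank +needchange -pw PASSWORD PRINCIPAL
# +needchange forces a password change at first login, as the guide
# explains. Blank lines are ignored; lines without exactly two fields are
# reported by line number only (never by content) and skipped.
gen_kadmin_cmds() {
    n=0
    while read -r princ pw extra; do
        n=$((n + 1))
        [ -n "$princ" ] || continue
        if [ -z "$pw" ] || [ -n "$extra" ]; then
            echo "skipping line $n: expected exactly 'principal password'" >&2
            continue
        fi
        echo "ank +needchange -pw $pw $princ"
    done < "$1"
}

# The real run, done as root on the master KDC: the command stream goes
# to kadmin.local over a pipe, so no password appears in a process
# argument list.
create_principals() {
    check_princnames_mode "$1" || return 1
    gen_kadmin_cmds "$1" | /usr/sbin/kadmin.local > /dev/null
}

# Dry run on a constructed file: show the commands that would be sent.
tmpfile=$(mktemp) && chmod 600 "$tmpfile"
printf 'jdb   Xk9!tempPass\nbadline\npak  s3cr3t-temp\n' > "$tmpfile"
check_princnames_mode "$tmpfile" && gen_kadmin_cmds "$tmpfile"
rm -f "$tmpfile"
```

Remove the princnames file as soon as the run has finished; with +needchange set, the passwords it held are only ever valid for one login.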

Procedure: How to View the List of Kerberos Principals

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

    The list of principals is displayed.

    Figure: Dialog box titled SEAM Administration Tool shows a list of principals and a list filter. Shows Modify, Create New, Delete, and Duplicate buttons.
  3. Display a specific principal or a sublist of principals.

    Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.

    The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge).

    If you want to display the entire list of principals, click Clear Filter.


Example 25–1 Viewing the List of Kerberos Principals (Command Line)

In the following example, the list_principals command of kadmin is used to list all the principals that match kadmin*. Wildcards can be used with the list_principals command.


kadmin: list_principals kadmin*
kadmin/changepw@EXAMPLE.COM
kadmin/kdc1.example.com@EXAMPLE.COM
kadmin/history@EXAMPLE.COM
kadmin: quit

Procedure: How to View a Kerberos Principal's Attributes

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

  3. Select the principal in the list that you want to view, then click Modify.

    The Principal Basics panel that contains some of the principal's attributes is displayed.

  4. Continue to click Next to view all the principal's attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  5. When you are finished viewing, click Cancel.


Example 25–2 Viewing a Kerberos Principal's Attributes

The following example shows the first window when you are viewing the jdb/admin principal.

Figure: Dialog box titled SEAM Administration Tool shows account data for the jdb/admin principal. Shows account expiration date and comments.

Example 25–3 Viewing a Kerberos Principal's Attributes (Command Line)

In the following example, the get_principal command of kadmin (typed here by its alias, getprinc) is used to view the attributes of the jdb/admin principal.


kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: [never]
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 2011
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Mon Sep 28 13:32:23 PST 2009 (host/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 1, Triple DES with HMAC/sha1, no salt
Key: vno 1, ArcFour with HMAC/md5, no salt
Key: vno 1, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit

Procedure: How to Create a New Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    Note –

    If you are creating a new principal that might need a new policy, you should create the new policy before you create the new principal. Go to How to Create a New Kerberos Policy.



    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

  3. Click New.

    The Principal Basics panel that contains some attributes for a principal is displayed.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory.

  5. Specify the encryption types for the principal.

    Click on the box to the right of the encryption key types field to open a new window that displays all of the encryption key types available. Click OK after selecting the required encryption types.

    Figure: Dialog box titled SEAM Encryption Type List Helper lists all of the encryption types installed.
  6. Specify the policy for the principal.

  7. Specify values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  8. Click Save to save the principal, or click Done on the last panel.

  9. If needed, set up Kerberos administration privileges for the new principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.


Example 25–4 Creating a New Kerberos Principal

The following example shows the Principal Basics panel when a new principal called pak is created. The policy is set to testuser.

Figure: Dialog box titled SEAM Administration Tool shows account data for the pak principal. Shows password, account expiration date, and testuser policy.

Example 25–5 Creating a New Kerberos Principal (Command Line)

In the following example, the add_principal command of kadmin is used to create a new principal called pak. The principal's policy is set to testuser.


kadmin: add_principal -policy testuser pak
Enter password for principal "pak@EXAMPLE.COM": <Type the password>
Re-enter password for principal "pak@EXAMPLE.COM": <Type the password again>
Principal "pak@EXAMPLE.COM" created.
kadmin: quit

Procedure: How to Duplicate a Kerberos Principal

This procedure explains how to use all or some of the attributes of an existing principal to create a new principal. No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

  3. Select the principal in the list that you want to duplicate, then click Duplicate.

    The Principal Basics panel is displayed. All the attributes of the selected principal are duplicated, except for the Principal Name and Password fields, which are empty.

  4. Specify a principal name and a password.

    Both the principal name and the password are mandatory. To make an exact duplicate of the principal you selected, click Save and skip to Step 7.

  5. Specify different values for the principal's attributes, and continue to click Next to specify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

  6. Click Save to save the principal, or click Done on the last panel.

  7. If needed, set up Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.

Procedure: How to Modify a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

  3. Select the principal in the list that you want to modify, then click Modify.

    The Principal Basics panel that contains some of the attributes for the principal is displayed.

  4. Modify the principal's attributes, and continue to click Next to modify more attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.


    Note –

    You cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.


  5. Click Save to save the principal, or click Done on the last panel.

  6. Modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.

    See How to Modify the Kerberos Administration Privileges for more details.


Example 25–6 Modifying a Kerberos Principal's Password (Command Line)

In the following example, the change_password command of kadmin is used to modify the password for the jdb principal. The change_password command does not let you change the password to a password that is in the principal's password history.


kadmin: change_password jdb
Enter password for principal "jdb": <Type the new password>
Re-enter password for principal "jdb": <Type the password again>
Password for "jdb@EXAMPLE.COM" changed.
kadmin: quit

To modify other attributes for a principal, you must use the modify_principal command of kadmin.


Procedure: How to Delete a Kerberos Principal

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Principals tab.

  3. Select the principal in the list that you want to delete, then click Delete.

    After you confirm the deletion, the principal is deleted.

  4. Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.

    See How to Modify the Kerberos Administration Privileges for more details.


Example 25–7 Deleting a Kerberos Principal (Command Line)

In the following example, the delete_principal command of kadmin is used to delete the pak principal.


kadmin: delete_principal pak
Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes
Principal "pak@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: quit

Procedure: How to Set Up Defaults for Creating New Kerberos Principals

No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Choose Properties from the Edit Menu.

    The Properties window is displayed.

    Figure: Dialog box titled Properties shows defaults for new principals and list controls. Defaults for principals cover security and other options.
  3. Select the defaults that you want to use when you create new principals.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window.

  4. Click Save.

Procedure: How to Modify the Kerberos Administration Privileges

Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.

  1. Become superuser on the master KDC.

  2. Edit the /etc/krb5/kadm5.acl file.

    An entry in the kadm5.acl file must have the following format:


    principal privileges [principal-target]

    principal

    Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.

    Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when those privileges are actually needed.

    privileges

    Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.

    a        [Dis]allows the addition of principals or policies.
    d        [Dis]allows the deletion of principals or policies.
    m        [Dis]allows the modification of principals or policies.
    c        [Dis]allows the changing of passwords for principals.
    i        [Dis]allows inquiries to the Kerberos database.
    l        [Dis]allows the listing of principals or policies in the Kerberos database.
    x or *   Allows all privileges (admcil).

    principal-target

    When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.


Example 25–8 Modifying the Kerberos Administration Privileges

The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:


*/admin@EXAMPLE.COM *

The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to add, list, and inquire about any principal that has the root instance.


jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
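The following shell script is an added example, not part of the Solaris guide or of Kerberos itself: a small offline checker that reads entries in the kadm5.acl format described above and answers whether a given principal may perform a given operation on a given target. It lets an administrator verify what a proposed ACL grants before installing it on the master KDC. The function names are this example's own, and it makes three assumptions: the '*' wildcard in names is matched with the shell's own glob rules (via case), blank lines and lines starting with '#' are ignored, and the first entry that matches decides.

```shell
#!/bin/sh
# Added example (not from the Solaris guide or from Kerberos): offline
# checker for kadm5.acl entries of the form
#     principal privileges [principal-target]
# Privilege letters a d m c i l: lowercase = allowed, uppercase or
# missing = denied, x or * = all privileges (admcil).

# kadm5_acl_check ACLFILE PRINCIPAL OP [TARGET]
#   OP is one privilege letter (a d m c i l).
#   Returns 0 if the operation is allowed, 1 if denied or no entry matches.
kadm5_acl_check() {
    aclfile=$1 who=$2 op=$3 target=${4:-}
    while read -r pat privs tpat rest; do
        case "$pat" in ''|'#'*) continue ;; esac        # blank line or comment
        case "$who" in $pat) ;; *) continue ;; esac     # principal must match
        if [ -n "$tpat" ]; then                          # target-restricted entry
            [ -n "$target" ] || continue                 # ... needs a target to apply
            case "$target" in $tpat) ;; *) continue ;; esac
        fi
        case "$privs" in
            x|'*')   return 0 ;;    # all privileges
            *"$op"*) return 0 ;;    # lowercase letter present: allowed
            *)       return 1 ;;    # uppercase or absent: denied
        esac
    done < "$aclfile"
    return 1                                             # nothing matched
}

# Human-readable wrapper for ad-hoc checks.
kadm5_acl_explain() {
    if kadm5_acl_check "$@"; then
        echo "allowed: $2 may '$3' on ${4:-any target}"
    else
        echo "denied:  $2 may not '$3' on ${4:-any target}"
    fi
}

# Demo with the two entries from Example 25-8 written to a temporary file.
acl=$(mktemp)
printf '%s\n' '*/admin@EXAMPLE.COM *' 'jdb@EXAMPLE.COM ali */root@EXAMPLE.COM' > "$acl"
kadm5_acl_explain "$acl" jdb/admin@EXAMPLE.COM d pak@EXAMPLE.COM
kadm5_acl_explain "$acl" jdb@EXAMPLE.COM a host/root@EXAMPLE.COM
kadm5_acl_explain "$acl" jdb@EXAMPLE.COM d host/root@EXAMPLE.COM
kadm5_acl_explain "$acl" jdb@EXAMPLE.COM a pak@EXAMPLE.COM
rm -f "$acl"
```

Running the demo shows the two sides of the second entry in Example 25-8: jdb@EXAMPLE.COM may add a principal with the root instance but not delete one, and has no privileges at all on principals outside the */root@EXAMPLE.COM target.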

Administering Kerberos Policies

This section provides step-by-step instructions used to administer policies with the SEAM Tool. This section also provides examples of command-line equivalents, when available.

Administering Kerberos Policies (Task Map)

Task: View the list of policies.
Description: View the list of policies by clicking the Policies tab.
For Instructions: How to View the List of Kerberos Policies

Task: View a policy's attributes.
Description: View a policy's attributes by selecting the policy in the Policy List, then clicking the Modify button.
For Instructions: How to View a Kerberos Policy's Attributes

Task: Create a new policy.
Description: Create a new policy by clicking the Create New button in the Policy List panel.
For Instructions: How to Create a New Kerberos Policy

Task: Duplicate a policy.
Description: Duplicate a policy by selecting the policy to duplicate in the Policy List, then clicking the Duplicate button.
For Instructions: How to Duplicate a Kerberos Policy

Task: Modify a policy.
Description: Modify a policy by selecting the policy to modify in the Policy List, then clicking the Modify button. Note that you cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy.
For Instructions: How to Modify a Kerberos Policy

Task: Delete a policy.
Description: Delete a policy by selecting the policy to delete in the Policy List, then clicking the Delete button.
For Instructions: How to Delete a Kerberos Policy

Procedure: How to View the List of Kerberos Policies

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

    The list of policies is displayed.

    Figure: Dialog box titled SEAM Administration Tool shows a list of policies and a policy filter. Shows Modify, Create New, Delete, and Duplicate buttons.
  3. Display a specific policy or a sublist of policies.

    Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of policies that match the filter is displayed.

    The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the policies with the ge string in them (for example, george or edge).

    If you want to display the entire list of policies, click Clear Filter.


Example 25–9 Viewing the List of Kerberos Policies (Command Line)

In the following example, the list_policies command of kadmin is used to list all the policies that match *user*. Wildcards can be used with the list_policies command.


kadmin: list_policies *user*
testuser
enguser
kadmin: quit

Procedure: How to View a Kerberos Policy's Attributes

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

  3. Select the policy in the list that you want to view, then click Modify.

    The Policy Details panel is displayed.

  4. When you are finished viewing, click Cancel.


Example 25–10 Viewing a Kerberos Policy's Attributes

The following example shows the Policy Details panel when you are viewing the enguser policy.

Figure: Dialog box titled SEAM Administration Tool shows policy details of the enguser policy. Shows Save, Previous, Done, and Cancel buttons.

Example 25–11 Viewing a Kerberos Policy's Attributes (Command Line)

In the following example, the get_policy command of kadmin is used to view the attributes of the enguser policy.


kadmin: get_policy enguser
Policy: enguser
Maximum password life: 2592000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 0
kadmin: quit

The Reference count is the number of principals that use this policy.


Procedure: How to Create a New Kerberos Policy

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

  3. Click New.

    The Policy Details panel is displayed.

  4. Specify a name for the policy in the Policy Name field.

    The policy name is mandatory.

  5. Specify values for the policy's attributes.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions.

  6. Click Save to save the policy, or click Done.


Example 25–12 Creating a New Kerberos Policy

In the following example, a new policy called build11 is created. The Minimum Password Classes is set to 3.

Figure: Dialog box titled SEAM Administration Tool shows policy details of the build11 policy. Shows Save, Previous, Done, and Cancel buttons.

Example 25–13 Creating a New Kerberos Policy (Command Line)

In the following example, the add_policy command of kadmin is used to create the build11 policy. This policy requires at least 3 character classes in a password.


$ kadmin
kadmin: add_policy -minclasses 3 build11
kadmin: quit

Procedure: How to Duplicate a Kerberos Policy

This procedure explains how to use all or some of the attributes of an existing policy to create a new policy. No command-line equivalent exists for this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

  3. Select the policy in the list that you want to duplicate, then click Duplicate.

    The Policy Details panel is displayed. All the attributes of the selected policy are duplicated, except for the Policy Name field, which is empty.

  4. Specify a name for the duplicated policy in the Policy Name field.

    The policy name is mandatory. To make an exact duplicate of the policy you selected, skip to Step 6.

  5. Specify different values for the policy's attributes.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions.

  6. Click Save to save the policy, or click Done.

Procedure: How to Modify a Kerberos Policy

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for details.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

  3. Select the policy in the list that you want to modify, then click Modify.

    The Policy Details panel is displayed.

  4. Modify the policy's attributes.

    Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions.


    Note –

    You cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy.


  5. Click Save to save the policy, or click Done.


Example 25–14 Modifying a Kerberos Policy (Command Line)

In the following example, the modify_policy command of kadmin is used to modify the minimum length of a password to five characters for the build11 policy.


$ kadmin
kadmin: modify_policy -minlength 5 build11
kadmin: quit

Procedure: How to Delete a Kerberos Policy

An example of the command-line equivalent follows this procedure.


Note –

Before you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to modify the principals' Policy attribute. The policy cannot be deleted if any principal is using it.


  1. If necessary, start the SEAM Tool.

    See How to Start the SEAM Tool for more information.


    $ /usr/sbin/gkadmin
    
  2. Click the Policies tab.

  3. Select the policy in the list that you want to delete, then click Delete.

    After you confirm the deletion, the policy is deleted.


Example 25–15 Deleting a Kerberos Policy (Command Line)

In the following example, the delete_policy command of the kadmin command is used to delete the build11 policy.


kadmin: delete_policy build11 
Are you sure you want to delete the policy "build11"? (yes/no): yes
kadmin: quit

Before you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to use the modify_principal -policy command of kadmin on the affected principals. The delete_policy command fails if the policy is in use by a principal.


SEAM Tool Reference

This section describes each panel in the SEAM Tool and explains how the SEAM Tool behaves when you use it with limited Kerberos administration privileges.

SEAM Tool Panel Descriptions

This section provides descriptions for each principal and policy attribute that you can either specify or view in the SEAM Tool. The attributes are organized by the panel in which they are displayed.

Table 25–2 Attributes for the Principal Basics Panel of the SEAM Tool

Attribute 

Description 

Principal Name 

The name of the principal (which is the primary/instance part of a fully qualified principal name). A principal is a unique identity to which the KDC can assign tickets.

If you are modifying a principal, you cannot edit its name. 

Password 

The password for the principal. You can use the Generate Random Password button to create a random password for the principal. 

Policy 

A menu of available policies for the principal. 

Account Expires 

The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and might be unable to log in. 

Last Principal Change  

The date on which information for the principal was last modified. (Read only) 

Last Changed By 

The name of the principal that last modified the account for this principal. (Read only) 

Comments 

Comments that are related to the principal (for example, “Temporary Account”). 

Table 25–3 Attributes for the Principal Details Panel of the SEAM Tool

Attribute 

Description 

Last Success 

The date and time when the principal last logged in successfully. (Read only) 

Last Failure 

The date and time when the last login failure for the principal occurred. (Read only) 

Failure Count 

The number of times a login failure has occurred for the principal. (Read only) 

Last Password Change 

The date and time when the principal's password was last changed. (Read only) 

Password Expires 

The date and time when the principal's current password expires. 

Key Version 

The key version number for the principal. This attribute is normally changed only when a password has been compromised. 

Maximum Lifetime (seconds) 

The maximum length of time for which a ticket can be granted for the principal (without renewal). 

Maximum Renewal (seconds) 

The maximum length of time for which an existing ticket can be renewed for the principal. 

Table 25–4 Attributes of the Principal Flags Panel of the SEAM Tool

Attribute (Radio Buttons) 

Description 

Disable Account 

When checked, prevents the principal from logging in. This attribute provides an easy way to temporarily freeze a principal account. 

Require Password Change 

When checked, expires the principal's current password, which forces the user to use the kpasswd command to create a new password. This attribute is useful if a security breach occurs, and you need to make sure that old passwords are replaced.

Allow Postdated Tickets 

When checked, allows the principal to obtain postdated tickets.  

For example, you might need to use postdated tickets for cron jobs that must run after hours, but you cannot obtain tickets in advance because of short ticket lifetimes.

Allow Forwardable Tickets 

When checked, allows the principal to obtain forwardable tickets. 

Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, then other services, such as NFS services, are available without your being prompted for another password.

Allow Renewable Tickets 

When checked, allows the principal to obtain renewable tickets. 

A principal can automatically extend the expiration date or time of a ticket that is renewable (rather than having to get a new ticket after the first ticket expires). Currently, the NFS service is the ticket service that can renew tickets. 

Allow Proxiable Tickets 

When checked, allows the principal to obtain proxiable tickets. 

A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service. However, the service cannot obtain a ticket-granting ticket (TGT). 

Allow Service Tickets 

When checked, allows service tickets to be issued for the principal. 

You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This practice ensures that only these principals can update the KDC database.

Allow TGT-Based Authentication 

When checked, allows the service principal to provide services to another principal. More specifically, this attribute allows the KDC to issue a service ticket for the service principal. 

This attribute is valid only for service principals. When unchecked, service tickets cannot be issued for the service principal. 

Allow Duplicate Authentication 

When checked, allows the user principal to obtain service tickets for other user principals. 

This attribute is valid only for user principals. When unchecked, the user principal can still obtain service tickets for service principals, but not for other user principals. 

Required Preauthentication 

When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through software) that the principal is really the principal that is requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card. 

When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. 

Required Hardware Authentication 

When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through hardware) that the principal is really the principal that is requesting the TGT. Hardware preauthentication can occur, for example, on a Java ring reader. 

When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. 

Table 25–5 Attributes for the Policy Basics Pane of the SEAM Tool

Attribute 

Description 

Policy Name 

The name of the policy. A policy is a set of rules that govern a principal's password and tickets. 

If you are modifying a policy, you cannot edit its name. 

Minimum Password Length 

The minimum length for the principal's password. 

Minimum Password Classes 

The minimum number of different character types that are required in the principal's password. 

For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on.  

A value of 1 sets no restriction on the number of password character types. 

Saved Password History 

The number of previous passwords that have been used by the principal, and a list of the previous passwords that cannot be reused. 

Minimum Password Lifetime (seconds) 

The minimum length of time that the password must be used before it can be changed. 

Maximum Password Lifetime (seconds) 

The maximum length of time that the password can be used before it must be changed. 

Principals Using This Policy 

The number of principals to which this policy currently applies. (Read only) 
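The password rules in Table 25–5 are enforced by the KDC when a principal's password is changed. As an added example (not code from the guide or from the Solaris Kerberos implementation), the following Python models those checks for the build11 policy from Examples 25–13 and 25–14 (minclasses 3, minlength 5); the character classes are assumed to follow the MIT kadmin definition (lowercase, uppercase, digits, punctuation, other), which matches the guide's hi2mom / hi2mom! illustration.

```python
import string
from dataclasses import dataclass

# Added example (not part of the guide): the checks a KDC applies on a
# password change for the Policy Basics attributes in Table 25-5.
# Assumption: character classes follow the MIT kadmin definition, where
# lowercase, uppercase, digits, punctuation and anything else each count
# as one class (so "hi2mom" has 2 classes and "hi2mom!" has 3).


@dataclass
class Policy:
    name: str
    minlength: int = 1      # Minimum Password Length
    minclasses: int = 1     # Minimum Password Classes
    history: int = 1        # Saved Password History (the current password counts)
    minlife: int = 0        # Minimum Password Lifetime (seconds)
    maxlife: int = 0        # Maximum Password Lifetime (seconds), 0 = no expiry


def password_classes(pw: str) -> int:
    """Number of distinct character classes in pw (1 to 5 under the MIT rules)."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def check_password_change(policy, new_pw, previous=(), last_change=None, now=0):
    """Return the policy rules the change violates; an empty tuple means allowed.

    previous: earlier passwords, oldest first, with the current one last (a real
    KDC stores hashed keys rather than plaintext; plaintext keeps the example short).
    last_change/now: seconds, for the Minimum Password Lifetime check.
    """
    violations = []
    if len(new_pw) < policy.minlength:
        violations.append("minlength")
    if password_classes(new_pw) < policy.minclasses:
        violations.append("minclasses")
    # Saved Password History N forbids reusing the N most recent passwords.
    if policy.history > 0 and new_pw in list(previous)[-policy.history:]:
        violations.append("history")
    if last_change is not None and now - last_change < policy.minlife:
        violations.append("minlife")
    return tuple(violations)


def password_expired(policy, last_change, now):
    """True once Maximum Password Lifetime has elapsed (0 means never expires)."""
    return policy.maxlife > 0 and now - last_change >= policy.maxlife


# The build11 policy after Examples 25-13 and 25-14.
BUILD11 = Policy("build11", minlength=5, minclasses=3)
```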

Using the SEAM Tool With Limited Kerberos Administration Privileges

All features of the SEAM Administration Tool are available if your admin principal has all the privileges to administer the Kerberos database. However, you might have limited privileges, such as only being allowed to view the list of principals or to change a principal's password. With limited Kerberos administration privileges, you can still use the SEAM Tool. However, various parts of the SEAM Tool change based on the Kerberos administration privileges that you do not have. Table 25–6 shows how the SEAM Tool changes based on your Kerberos administration privileges.

The most visible change to the SEAM Tool occurs when you don't have the list privilege. Without the list privilege, the List panels do not display the list of principals and policies for you to manipulate. Instead, you must use the Name field in the List panels to specify a principal or a policy that you want to manipulate.

If you log in to the SEAM Tool, and you do not have sufficient privileges to perform tasks with it, the following message displays and you are sent back to the SEAM Administration Login window:


Insufficient privileges to use gkadmin: ADMCIL. Please try using another principal.

To change the privileges for a principal so that it can administer the Kerberos database, go to How to Modify the Kerberos Administration Privileges.

Table 25–6 Using the SEAM Tool With Limited Kerberos Administration Privileges

Disallowed Privilege 

How the SEAM Tool Changes 

a (add)

The Create New and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the add privilege, you cannot create new principals or policies, or duplicate them. 

d (delete)

The Delete button is unavailable in the Principal List and Policy List panels. Without the delete privilege, you cannot delete principals or policies. 

m (modify)

The Modify button is unavailable in the Principal List and Policy List panels. Without the modify privilege, you cannot modify principals or policies.  

Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. 

c (change password)

The Password field in the Principal Basics panel is read only and cannot be changed. Without the change password privilege, you cannot modify a principal's password.  

Note that even if you have the change password privilege, you must also have the modify privilege to change a principal's password. 

i (inquiry to database)

The Modify and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the inquiry privilege, you cannot modify or duplicate a principal or a policy.  

Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. 

l (list)

The lists of principals and policies in the List panels are unavailable. Without the list privilege, you must use the Name field in the List panels to specify the principal or the policy that you want to manipulate. 

Administering Keytab Files

Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the key for the appropriate service principal, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only to Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains the key for its nfs service principal.

To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab, by default. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.

A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.

There is also a special instance in which to add a root principal to a host's keytab file. If you want a user on the Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter.


Note –

When you set up a master KDC, you need to add the kadmind and changepw principals to the kadm5.keytab file.


Another command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.


Note –

When you change a principal in a keytab file using the ktadd command in kadmin, a new key is generated and added to the keytab file.


Administering Keytab Files (Task Map)

Task 

Description 

For Instructions 

Add a service principal to a keytab file. 

Use the ktadd command of kadmin to add a service principal to a keytab file.

How to Add a Kerberos Service Principal to a Keytab File

Remove a service principal from a keytab file. 

Use the ktremove command of kadmin to remove a service from a keytab file.

How to Remove a Service Principal From a Keytab File

Display the keylist (list of principals) in a keytab file. 

Use the ktutil command to display the keylist in a keytab file.

How to Display the Keylist (Principals) in a Keytab File

Temporarily disable authentication for a service on a host. 

This procedure is a quick way to temporarily disable authentication for a service on a host without requiring kadmin privileges.

Before you use ktutil to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location.

How to Temporarily Disable Authentication for a Service on a Host

Procedure: How to Add a Kerberos Service Principal to a Keytab File

  1. Make sure that the principal already exists in the Kerberos database.

    See How to View the List of Kerberos Principals for more information.

  2. Become superuser on the host that needs a principal added to its keytab file.

  3. Start the kadmin command.


    # /usr/sbin/kadmin
    
  4. Add a principal to a keytab file by using the ktadd command.


    kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]

    -e enctype

    Overrides the list of encryption types defined in the krb5.conf file.

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp.

    -glob principal-exp

    Specifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin.

  5. Quit the kadmin command.


    kadmin: quit
    

Example 25–16 Adding a Service Principal to a Keytab File

In the following example, the kadmin/kdc1.example.com and changepw/kdc1.example.com principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.


kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com changepw/kdc1.example.com
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc
          mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc
          mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit

In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.


denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com
Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS
          mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode
          with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode
          with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour
          with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode
          with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

Procedure: How to Remove a Service Principal From a Keytab File

  1. Become superuser on the host with a service principal that must be removed from its keytab file.

  2. Start the kadmin command.


    # /usr/sbin/kadmin
    
  3. (Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.

    See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.

  4. Remove a principal from the keytab file by using the ktremove command.


    kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]

    -k keytab

    Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used.

    -q

    Displays less verbose information.

    principal

    Specifies the principal to be removed from the keytab file.

    kvno

    Removes all entries for the specified principal whose key version number matches kvno.

    all

    Removes all entries for the specified principal.

    old

    Removes all entries for the specified principal, except the entries with the highest key version number.

  5. Quit the kadmin command.


    kadmin: quit
    

Example 25–17 Removing a Service Principal From a Keytab File

In the following example, denver's host principal is removed from denver's keytab file.


denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3
  removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit

Procedure: How to Display the Keylist (Principals) in a Keytab File

  1. Become superuser on the host with the keytab file.


    Note –

    Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Start the ktutil command.


    # /usr/bin/ktutil
    
  3. Read the keytab file into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  4. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed.

  5. Quit the ktutil command.


    ktutil: quit
    

Example 25–18 Displaying the Keylist (Principals) in a Keytab File

The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.


denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
    ktutil: quit

Procedure: How to Temporarily Disable Authentication for a Service on a Host

At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.


Note –

By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service.


  1. Become superuser on the host with the keytab file.


    Note –

    Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership.


  2. Save the current keytab file to a temporary file.

  3. Start the ktutil command.


    # /usr/bin/ktutil
    
  4. Read the keytab file into the keylist buffer by using the read_kt command.


    ktutil: read_kt keytab
    
  5. Display the keylist buffer by using the list command.


    ktutil: list
    

    The current keylist buffer is displayed. Note the slot number for the service that you want to disable.

  6. To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.


    ktutil: delete_entry slot-number
    

    Where slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.

  7. Write the keylist buffer to a new keytab file by using the write_kt command.


    ktutil: write_kt new-keytab
    
  8. Quit the ktutil command.


    ktutil: quit
    
  9. Move the new keytab file.


    # mv new-keytab keytab
    
  10. When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.


Example 25–19 Temporarily Disabling a Service on a Host

In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.


denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
    ktutil: read_kt /etc/krb5/krb5.keytab
    ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
    ktutil: delete_entry 2
    ktutil: list
slot KVNO Principal
---- ---- --------------------------------------
   1    8 root/denver@EXAMPLE.COM
    ktutil: write_kt /etc/krb5/new.krb5.keytab
    ktutil: quit
denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab
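The two ktutil procedures above (displaying the keylist, and deleting an entry and writing a new keytab) operate on the binary keytab file. As an added example (not code from the guide or from the Solaris Kerberos tools), the following Python reads and writes that file format, lists entries the way ktutil list does, and removes every entry for one principal the way delete_entry followed by write_kt does. It assumes the MIT keytab layout (file version 0x0502); the sample keytab it builds mirrors Example 25–19 with constructed dummy key bytes.

```python
import struct
from dataclasses import dataclass

# Added example (not part of the guide): minimal reader/writer for the binary
# keytab format (version 0x0502) that ktutil read_kt/list/delete_entry/write_kt
# operate on.  Each record is [int32 size][uint16 ncomp][realm][comp...]
# [uint32 name_type][uint32 timestamp][uint8 vno8][uint16 enctype][key][uint32 kvno];
# realm, components and key are uint16-length-prefixed, integers are big-endian,
# and a negative size marks a hole left by a deleted entry.
KEYTAB_VERSION = 0x0502
NT_PRINCIPAL = 1


@dataclass
class KeytabEntry:
    principal: str       # e.g. "host/denver@EXAMPLE.COM"
    kvno: int
    enctype: int         # 18 = aes256-cts-hmac-sha1-96
    key: bytes
    timestamp: int = 0


def _counted(raw: bytes) -> bytes:
    return struct.pack(">H", len(raw)) + raw


def _take(buf: bytes, pos: int):
    (n,) = struct.unpack(">H", buf[pos:pos + 2])
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def encode_entry(e: KeytabEntry) -> bytes:
    name, realm = e.principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIBH", NT_PRINCIPAL, e.timestamp, e.kvno & 0xFF, e.enctype)
    body += _counted(e.key) + struct.pack(">I", e.kvno)   # 32-bit kvno extension
    return struct.pack(">i", len(body)) + body


def decode_entry(rec: bytes) -> KeytabEntry:
    (ncomp,) = struct.unpack(">H", rec[:2])
    realm, pos = _take(rec, 2)
    comps = []
    for _ in range(ncomp):
        comp, pos = _take(rec, pos)
        comps.append(comp.decode())
    _name_type, ts, vno8, etype = struct.unpack(">IIBH", rec[pos:pos + 11])
    key, pos = _take(rec, pos + 11)
    kvno = vno8
    if len(rec) - pos >= 4:          # optional 32-bit kvno overrides vno8 if nonzero
        kvno = struct.unpack(">I", rec[pos:pos + 4])[0] or vno8
    return KeytabEntry("/".join(comps) + "@" + realm.decode(), kvno, etype, key, ts)


def write_keytab(entries) -> bytes:
    return struct.pack(">H", KEYTAB_VERSION) + b"".join(encode_entry(e) for e in entries)


def read_keytab(data: bytes):
    if struct.unpack(">H", data[:2])[0] != KEYTAB_VERSION:
        raise ValueError("unsupported keytab version")
    entries, pos = [], 2
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size < 0:                 # hole left by a deleted entry: skip it
            pos -= size
            continue
        entries.append(decode_entry(data[pos:pos + size]))
        pos += size
    return entries


def list_keys(data: bytes):
    """What 'ktutil: list' shows: (slot, KVNO, principal) for each entry."""
    return [(i, e.kvno, e.principal) for i, e in enumerate(read_keytab(data), 1)]


def remove_principal(data: bytes, principal: str) -> bytes:
    """delete_entry for every slot holding principal, then write_kt."""
    entries = read_keytab(data)
    kept = [e for e in entries if e.principal != principal]
    if len(kept) == len(entries):
        raise KeyError(f"{principal} is not in the keytab")
    return write_keytab(kept)


def build_sample_keytab() -> bytes:
    # Constructed sample mirroring Example 25-19; the key bytes are dummies.
    return write_keytab([
        KeytabEntry("root/denver@EXAMPLE.COM", 8, 18, bytes(range(32))),
        KeytabEntry("host/denver@EXAMPLE.COM", 5, 18, bytes(range(32, 64))),
    ])
```

Keep the original keytab copy that step 2 of the procedure makes; the bytes returned by remove_principal replace it only for as long as the service should stay disabled.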