This section provides reference information for the SEAM Tool.
This section provides descriptions for each of the principal and policy attributes that you can either specify or view in the SEAM Tool. The attributes are organized by the panel in which they are displayed.
Table 5-4 Principal Basic Panel Attributes

| Attribute | Description |
|---|---|
| Principal Name | The name of the principal (the primary/instance part of a fully-qualified principal name). A principal is a unique identity to which the KDC can assign tickets. If you are modifying a principal, you cannot edit a principal's name. |
| Password | The password for the principal. You can use the Generate Random Password button to create a random password for the principal. |
| Policy | A menu of available policies for the principal. |
| Account Expires | The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and may not be able to log in. |
| Last Principal Change | The date on which information for the principal was last modified. (Read-only) |
| Last Changed By | The name of the principal that last modified the account for this principal. (Read-only) |
| Comments | Comments related to the principal (for example, 'Temporary Account'). |
Table 5-5 Principal Details Panel Attributes

| Attribute | Description |
|---|---|
| Last Success | The date and time when the principal last logged in successfully. (Read-only) |
| Last Failure | The date and time when the last login failure for the principal occurred. (Read-only) |
| Failure Count | The number of times that there has been a login failure for the principal. (Read-only) |
| Last Password Change | The date and time when the principal's password was last changed. (Read-only) |
| Password Expires | The date and time when the principal's current password will expire. |
| Key Version | The key version number for the principal; this is normally changed only when a password has been compromised. |
| Maximum Lifetime (seconds) | The maximum length of time for which a ticket can be granted for the principal (without renewal). |
| Maximum Renewal (seconds) | The maximum length of time for which an existing ticket can be renewed for the principal. |
Table 5-6 Principal Flags Panel Attributes

| Attribute (Radio Buttons) | Description |
|---|---|
| Disable Account | When checked, prevents the principal from logging in. This is an easy way to freeze a principal account temporarily for any reason. |
| Require Password Change | When checked, expires the principal's current password, forcing the user to use the kpasswd command to create a new password. This is useful if there is a security breach and you need to make sure that old passwords are replaced. |
| Allow Postdated Tickets | When checked, allows the principal to obtain postdated tickets. For example, you may need to use postdated tickets for cron jobs that must run after hours and can't obtain tickets in advance because of short ticket lifetimes. |
| Allow Forwardable Tickets | When checked, allows the principal to obtain forwardable tickets. Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, other services, such as NFS services, are available without your being prompted for another password. |
| Allow Renewable Tickets | When checked, allows the principal to obtain renewable tickets. A principal can automatically extend the expiration date or time of a ticket that is renewable (rather than having to get a new ticket after the first one expires). Currently, the NFS service is the only service that can renew tickets. |
| Allow Proxiable Tickets | When checked, allows the principal to obtain proxiable tickets. A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service, but it cannot obtain a ticket-granting ticket. |
| Allow Service Tickets | When checked, allows service tickets to be issued for the principal. You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This ensures that these principals can only update the KDC database. |
| Allow TGT-Based Authentication | When checked, allows the service principal to provide services to another principal. More specifically, it allows the KDC to issue a service ticket for the service principal. This attribute is valid only for service principals. When not checked, service tickets cannot be issued for the service principal. |
| Allow Duplicate Authentication | When checked, allows the user principal to obtain service tickets for other user principals. This attribute is valid only for user principals. When not checked, the user principal can still obtain service tickets for service principals, but not for other user principals. |
| Required Preauthentication | When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until it can authenticate (through software) that it is really the principal requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card. When not checked, the KDC does not need to preauthenticate the principal before it sends a requested TGT to it. |
| Required Hardware Authentication | When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until it can authenticate (through hardware) that it is really the principal requesting the TGT. Hardware preauthentication can be something like a Java ring reader. When not checked, the KDC does not need to preauthenticate the principal before it sends a requested TGT to it. |
Table 5-7 Policy Basics Panel Attributes

| Attribute | Description |
|---|---|
| Policy Name | The name of the policy. A policy is a set of rules governing a principal's password and tickets. If you are modifying a policy, you cannot edit a policy's name. |
| Minimum Password Length | The minimum length for the principal's password. |
| Minimum Password Classes | The minimum number of different character types required in the principal's password. For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on. A value of 1 basically sets no restriction on the number of password character types. |
| Saved Password History | The number of previous passwords that have been used by the principal and cannot be reused. |
| Minimum Password Lifetime (seconds) | The minimum time that the password must be used before it can be changed. |
| Maximum Password Lifetime (seconds) | The maximum time that the password can be used before it must be changed. |
| Principals Using This Policy | The number of principals to which this policy currently applies. (Read-only) |
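The following is an added example, not code from the SEAM Tool or Solaris: a small Python model of how the Policy Basics attributes above are enforced against a proposed password, using the page's own hi2mom / hi2mom! illustrations. The five character classes (lower, upper, digit, punctuation, other) are an assumption; the page only names letters, numbers and punctuation.

```python
import string
from dataclasses import dataclass

@dataclass
class Policy:
    name: str
    min_length: int = 1          # Minimum Password Length
    min_classes: int = 1         # Minimum Password Classes (1 = no restriction)
    history_size: int = 1        # Saved Password History
    min_lifetime: int = 0        # Minimum Password Lifetime (seconds)
    max_lifetime: int = 0        # Maximum Password Lifetime (seconds, 0 = never)

def character_classes(password):
    """Character classes present (assumed set: lower, upper, digit, punct, other)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return classes

def check_password(policy, new_password, history):
    """Violated rules for a proposed password; an empty list means accepted.
    history = previous passwords, oldest first (plaintext here for clarity; a KDC keeps keys)."""
    problems = []
    if len(new_password) < policy.min_length:
        problems.append(f"shorter than minimum length {policy.min_length}")
    if len(character_classes(new_password)) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    # Saved Password History: the most recent N passwords cannot be reused.
    if policy.history_size and new_password in history[-policy.history_size:]:
        problems.append("password reused from saved history")
    return problems

def lifetime_state(policy, last_change, now):
    """'too_soon' (min lifetime not reached), 'expired' (max exceeded) or 'ok'; epoch seconds."""
    age = now - last_change
    if age < policy.min_lifetime:
        return "too_soon"
    if policy.max_lifetime and age > policy.max_lifetime:
        return "expired"
    return "ok"
```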
All the features of the SEAM Administration Tool are available if your admin principal has all the privileges to administer the Kerberos database. But it is possible to have limited privileges, such as being allowed to view only the list of principals or to change a principal's password. With limited Kerberos administration privileges, you can still use the SEAM Administration Tool; however, various parts of the SEAM Tool will change based on what Kerberos administration privileges you do not have. Table 5-8 shows how the SEAM Tool changes based on your Kerberos administration privileges.
The most visible change to the SEAM Tool is when you don't have the list privilege. Without the list privilege, the List panels do not display the list of principals and policies for you to manipulate. Instead, you must use the Name field in the List panels to specify the principal or policy you want to work on.
If you log on to the SEAM Tool and you don't have sufficient privileges to perform useful tasks with it, the following message will display and you will be sent back to the Login window:
Insufficient privileges to use gkadmin: ADMCIL. Please try using another principal.
To change the privileges for a principal to administer the Kerberos database, go to "How to Modify the Kerberos Administration Privileges".
Table 5-8 Using SEAM Tool With Limited Kerberos Administration Privileges

| If You Don't Have This Privilege ... | Then the SEAM Tool Changes as Follows ... |
|---|---|
| a (add) | The Create New and Duplicate buttons are not available in the Principal and Policy List panels. Without the add privilege, you can't create new or duplicate principals or policies. |
| d (delete) | The Delete button is not available in the Principal and Policy List panels. Without the delete privilege, you can't delete principals or policies. |
| m (modify) | The Modify button is not available in the Principal and Policy List panels. Without the modify privilege, you can't modify principals or policies. Also, with the Modify button unavailable, you can't modify a principal's password, even if you have the change password privilege. |
| c (change password) | The Password field in the Principal Basics panel is read-only and cannot be changed. Without the change password privilege, you can't modify a principal's password. Note that even if you have the change password privilege, you must also have the modify privilege to change a principal's password. |
| i (inquiry to database) | The Modify and Duplicate buttons are not available in the Principal and Policy List panels. Without the inquiry privilege, you can't modify or duplicate a principal or policy. Also, with the Modify button unavailable, you can't modify a principal's password, even if you have the change password privilege. |
| l (list) | The list of principals and policies in the List panels is unavailable. Without the list privilege, you must use the Name field in the List panels to specify the principal or policy you want to work on. |