This chapter provides procedures for managing principals and the policies that are associated with them. This chapter also shows how to manage a host's keytab file.
This chapter should be used by anyone who needs to administer principals and policies. Before you use this chapter, you should be familiar with principals and policies, including any planning considerations. Refer to Chapter 7, Introduction to SEAM and Chapter 8, Planning for SEAM, respectively.
This is a list of the information in this chapter.
The Kerberos database on the master KDC contains all of your realm's Kerberos principals, their passwords, policies, and other administrative information. To create and delete principals, and to modify their attributes, you can use the kadmin or gkadmin commands.
The kadmin command provides an interactive command-line interface that enables you to maintain Kerberos principals, policies, and keytab files. There are two versions of the kadmin command:
kadmin, which uses Kerberos authentication to operate securely from anywhere on the network
kadmin.local, which must be run directly on the master KDC
Also, SEAM provides the SEAM Administration Tool, gkadmin, which is an interactive graphical user interface (GUI) that provides essentially the same capabilities as the kadmin command. See SEAM Administration Tool for more information.
The SEAM Administration Tool is an interactive graphical user interface (GUI) that enables you to maintain Kerberos principals and policies. This tool provides much the same capabilities as the kadmin command. However, this tool does not support the management of keytab files. You must use the kadmin command to administer keytab files, which is described in Administering Keytab Files.
Similar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted RPC to operate securely from anywhere on the network. The SEAM Tool enables you to do the following:
Create new principals that are based on default values or existing principals
Create new policies that are based on existing policies
Add comments for principals
Set up default values for creating new principals
Log in as another principal without exiting the tool
Print or save principal lists and policy lists
View and search principal lists and policy lists
The SEAM Tool also provides context-sensitive help and general online help.
The following task maps provide pointers to the various tasks that you can do with the SEAM Tool:
Also, go to SEAM Tool Panel Descriptions for descriptions of all the principal attributes and policy attributes that you can either specify or view in the SEAM Tool.
This section lists the kadmin commands that provide the same capabilities as the SEAM Tool. These commands can be used without running an X Window system. Even though most procedures in this chapter use the SEAM Tool, many procedures also provide corresponding examples that use the command-line equivalents.
Table 11–1 Command-Line Equivalents of the SEAM Tool

| SEAM Tool Procedure | Equivalent kadmin Command |
|---|---|
| View the list of principals | list_principals or get_principals |
| View a principal's attributes | get_principal |
| Create a new principal | add_principal |
| Duplicate a principal | No command-line equivalent |
| Modify a principal | modify_principal or change_password |
| Delete a principal | delete_principal |
| Set up defaults for creating new principals | No command-line equivalent |
| View the list of policies | list_policies or get_policies |
| View a policy's attributes | get_policy |
| Create a new policy | add_policy |
| Duplicate a policy | No command-line equivalent |
| Modify a policy | modify_policy |
| Delete a policy | delete_policy |
The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This file contains the default values for creating new principals. You can update this file by choosing Properties from the Edit menu.
The SEAM Tool provides both print features and online help features. From the Print menu, you can send the following to a printer or a file:
List of available principals on the specified master KDC
List of available policies on the specified master KDC
The currently selected principal or the loaded principal
The currently selected policy or the loaded policy
From the Help menu, you can access context-sensitive help and general help. When you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is displayed and the tool is switched to help mode. In help mode, when you click on any fields, labels, or buttons on the window, help on that item is displayed in the Help window. To switch back to the tool's normal mode, click Dismiss in the Help window.
You can also choose Help Contents, which opens an HTML browser that provides pointers to the general overview and task information that is provided in this chapter.
As your site starts to accumulate a large number of principals and policies, the time it takes the SEAM Tool to load and display the principal and policy lists becomes increasingly long, and your productivity with the tool decreases. There are several ways to work around this problem.
First, you can completely eliminate the time to load the lists by not having the SEAM Tool load the lists. You can set this option by choosing Properties from the Edit menu, and unchecking the Show Lists field. Of course, when the tool doesn't load the lists, it can't display the lists, and you can no longer use the list panels to select principals or policies. Instead, you must type a principal or policy name in the new Name field that is provided, then select the operation that you want to perform on it. In effect, typing a name is equivalent to selecting an item from the list.
Another way to work with large lists is to cache them. In fact, caching the lists for a limited time is set as the default behavior for the SEAM Tool. The SEAM Tool must still initially load the lists into the cache, but after that, the tool can use the cache rather than retrieve the lists again. This option eliminates the need to keep loading the lists from the server, which is what takes so long.
You can set list caching by choosing Properties from the Edit menu. There are two cache settings. You can choose to cache the list forever, or you can specify a time limit when the tool must reload the lists from the server into the cache.
Caching the lists still enables you to use the list panels to select principals and policies, so it doesn't affect how you use the SEAM Tool as the first option does. Also, even though caching doesn't enable you to see the changes of others, you can still see the latest list information based on your changes, since your changes update the lists both on the server and in the cache. And, if you want to update the cache to see other changes and get the latest copy of the lists, you can use the Refresh menu whenever you want to refresh the cache from the server.
Start the SEAM Tool by using the gkadmin command.
```
$ /usr/sbin/gkadmin
```
If you don't want to use the default values, specify new default values.
The window automatically fills in with default values. The default principal name is determined by taking your current identity from the USER environment variable and appending /admin to it (username/admin). The default Realm and Master KDC fields are selected from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click Start Over.
The administration operations that each Principal Name can perform are dictated by the Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see Using the SEAM Tool With Limited Kerberos Administration Privileges.
Enter a password for the specified principal name.
Click OK.
The following window is displayed.
This section provides the step-by-step instructions to administer principals with the SEAM Tool. This section also provides examples of equivalent command lines, when available.
| Task | Description |
|---|---|
| View the list of principals | View the list of principals by clicking the Principals tab. |
| View a principal's attributes | View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button. |
| Create a new principal | Create a new principal by clicking the Create New button in the Principal List panel. |
| Duplicate a principal | Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button. |
| Modify a principal | Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal. |
| Delete a principal | Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button. |
| Set up defaults for creating new principals | Set up defaults for creating new principals by choosing Properties from the Edit menu. |
| Modify the Kerberos administration privileges (kadm5.acl file) | Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal. |
Even though the SEAM Tool provides ease-of-use, it doesn't provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.
The following shell script line is an example of how to automate the creation of new principals:

```shell
# Each princnames line is "principal password"; emit "ank +needchange -pw password principal"
sed -e 's/^\([^ ]*\)  *\([^ ]*\)$/ank +needchange -pw \2 \1/' < princnames | \
    time /usr/sbin/kadmin.local > /dev/null
```

This example is split over two lines for readability. The script reads in a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces. The sed expression captures the two fields and rewrites each line as an ank (add_principal) command that names the password first, after -pw, and the principal last. The +needchange option configures the principal so that the user is prompted for a new password during login with the principal for the first time. This practice helps to ensure that the passwords in the princnames file are not a security risk.
You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site needs and your scripting expertise.
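One way to build the more elaborate script the paragraph describes, as an added example that is not part of the SEAM guide: the Python below turns a princnames file into a kadmin command stream and feeds it to kadmin.local, the same pipeline as the sed one-liner but with a validation step so that a malformed line cannot create a principal with the wrong name or password. Its assumptions beyond the chapter are that blank lines and lines starting with `#` are ignored and that an optional policy can be attached to every principal created; the function names are this example's own.

```python
"""Batch-create principals from a princnames file through kadmin.local.

Added example, not part of the SEAM guide. The princnames format is the one
the chapter describes: one principal name and its password per line,
separated by spaces. Skipping blank/'#' lines and attaching an optional
policy are assumptions of this example.
"""
import subprocess
import sys


def princnames_to_kadmin(lines, policy=None):
    """Turn princnames lines into kadmin 'ank' (add_principal) commands.

    Every principal gets +needchange, so the password in the file is good for
    exactly one login and the user must choose a fresh one. A malformed line
    raises ValueError instead of silently creating a wrong principal.
    """
    cmds = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 2:
            raise ValueError(
                f"princnames line {lineno}: expected 'principal password', "
                f"got {raw.rstrip()!r}")
        name, password = fields
        if '"' in name or '"' in password:
            # kadmin's own command tokenizer treats double quotes specially;
            # keep them out of a batch feed rather than guess at its quoting rules
            raise ValueError(f"princnames line {lineno}: double quotes not supported")
        opts = ["+needchange"]
        if policy:
            opts += ["-policy", policy]
        cmds.append(f"ank {' '.join(opts)} -pw {password} {name}")
    return cmds


def run_batch(path, policy=None, kadmin="/usr/sbin/kadmin.local"):
    """Feed the generated commands to kadmin.local on its standard input, as
    the chapter's sed pipeline does. Returns kadmin.local's exit status."""
    with open(path) as fh:
        script = "\n".join(princnames_to_kadmin(fh, policy)) + "\nquit\n"
    # Output is left on the terminal on purpose: a rejected principal
    # (bad policy, duplicate name) would otherwise go unnoticed.
    proc = subprocess.run([kadmin], input=script, text=True)
    return proc.returncode


if __name__ == "__main__":
    if len(sys.argv) not in (2, 3):
        sys.exit("usage: mkprincs.py princnames [policy]")
    sys.exit(run_batch(sys.argv[1], sys.argv[2] if len(sys.argv) == 3 else None))
```

Because princnames holds clear-text initial passwords, create it as root on the master KDC with mode 0600 and remove it once the batch has run; the +needchange flag limits the exposure of any password that does leak to a single first login.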
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Principals tab.
The list of principals is displayed.
Display a specific principal or a sublist of principals.
Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.
The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge).
If you want to display the entire list of principals, click Clear Filter.
In the following example, the list_principals command of kadmin is used to list all the principals that match test*. Wildcards can be used with the list_principals command.
```
kadmin: list_principals test*
test1@EXAMPLE.COM
test2@EXAMPLE.COM
kadmin: quit
```
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Principals tab.
Select the principal in the list that you want to view, then click Modify.
The Principal Basics panel that contains some of the principal's attributes is displayed.
Continue to click Next to view all the principal's attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.
When you are finished viewing, click Cancel.
The following example shows the first window when you are viewing the jdb/admin principal.
In the following example, the get_principal command of kadmin (entered here by its short alias, getprinc) is used to view the attributes of the jdb/admin principal.

```
kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: Fri Aug 25 17:19:05 PDT 2000
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 1999
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Thu Jan 14 11:54:09 PST 1999 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit
```
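An administrator reviewing many principals will want to read that transcript mechanically rather than by eye. The following Python is an added example, not part of the SEAM guide: it parses the `Field: value` lines of get_principal output into a dictionary and reports settings worth a second look, such as the single-DES key and the missing policy in the sample above, which is embedded as constructed input. The field names are taken from the transcript; the audit rules and function names are this example's own.

```python
"""Parse kadmin get_principal output and flag settings worth reviewing.

Added example, not part of the SEAM guide. SAMPLE_OUTPUT is the chapter's
get_principal transcript, reproduced here as constructed input.
"""
import sys

SAMPLE_OUTPUT = """\
kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: Fri Aug 25 17:19:05 PDT 2000
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 1999
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Thu Jan 14 11:54:09 PST 1999 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit
"""


def parse_getprinc(text):
    """Split each 'Field: value' line at the first ': '. 'Key' lines repeat
    (one per key) and are collected; 'Attributes' is a space-separated list."""
    info = {"Keys": [], "Attributes": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("kadmin:") or ": " not in line:
            continue
        field, value = line.split(": ", 1)
        if field == "Key":
            info["Keys"].append(value)
        elif field == "Attributes":
            info["Attributes"] = value.split()
        else:
            info[field] = value
    return info


def audit_principal(info):
    """Return a list of findings; an empty list means nothing to review."""
    findings = []
    if info.get("Policy", "[none]") == "[none]":
        findings.append("no password policy attached")
    for key in info["Keys"]:
        # Single DES (56-bit) is brute-forceable and deprecated for Kerberos;
        # 'Triple DES' key names also contain 'DES cbc' and are excluded here.
        if "DES cbc" in key and "Triple" not in key:
            findings.append("single-DES key: " + key)
    if info.get("Last password change") == "[never]":
        findings.append("password never changed since the principal was created")
    if info.get("Last successful authentication") == "[never]":
        findings.append("principal has never authenticated (unused account?)")
    if int(info.get("Failed password attempts", "0")) > 0:
        findings.append("failed password attempts recorded: "
                        + info["Failed password attempts"])
    return findings


if __name__ == "__main__":
    # Pipe the output of a get_principal command in; the sample runs with no input.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    info = parse_getprinc(text)
    print("Principal:", info.get("Principal"))
    for finding in audit_principal(info):
        print("  -", finding)
```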
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
If you are creating a new principal that might need a new policy, you should create the new policy before you create the new principal. Go to How to Create a New Policy.
Click the Principals tab.
Click New.
The Principal Basics panel that contains some attributes for a principal is displayed.
Specify a principal name and a password.
Both the principal name and password are mandatory.
Specify values for the principal's attributes, and continue to click Next to specify more attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.
Click Save to save the principal, or click Done on the last panel.
If needed, set up Kerberos administration privileges for the new principal in the /etc/krb5/kadm5.acl file.
See How to Modify the Kerberos Administration Privileges for more details.
The following example shows the Principal Basics panel when a new principal called pak is created. The policy is set to testuser.
In the following example, the add_principal command of kadmin is used to create a new principal called pak. The principal's policy is set to testuser.
```
kadmin: add_principal -policy testuser pak
Enter password for principal "pak@EXAMPLE.COM": <type the password>
Re-enter password for principal "pak@EXAMPLE.COM": <type the password again>
Principal "pak@EXAMPLE.COM" created.
kadmin: quit
```
This procedure explains how to use all or some of the attributes of an existing principal to create a new principal. No command-line equivalent exists for this procedure.
1. If necessary, start the SEAM Tool.

   See How to Start the SEAM Tool for details.

2. Click the Principals tab.

3. Select the principal in the list that you want to duplicate, then click Duplicate.

   The Principal Basics panel is displayed. All the attributes of the selected principal are duplicated except for the Principal Name and Password fields, which are empty.

4. Specify a principal name and a password.

   Both the principal name and the password are mandatory. To make an exact duplicate of the principal you selected, click Save and skip to Step 7.

5. Specify different values for the principal's attributes, and continue to click Next to specify more attributes.

   Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.

6. Click Save to save the principal, or click Done on the last panel.

7. If needed, set up Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.

   See How to Modify the Kerberos Administration Privileges for more details.
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Principals tab.
Select the principal in the list that you want to modify, then click Modify.
The Principal Basics panel that contains some of the attributes for the principal is displayed.
Modify the principal's attributes, and continue to click Next to modify more attributes.
Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.
You cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.
Click Save to save the principal, or click Done on the last panel.
Modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.
See How to Modify the Kerberos Administration Privileges for more details.
In the following example, the change_password command of kadmin is used to modify the password for the jdb principal. The change_password command does not let you change the password to a password that is in the principal's password history.
```
kadmin: change_password jdb
Enter password for principal "jdb": <type the new password>
Re-enter password for principal "jdb": <type the password again>
Password for "jdb@EXAMPLE.COM" changed.
kadmin: quit
```
To modify other attributes for a principal, you must use the modify_principal command of kadmin.
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Principals tab.
Select the principal in the list that you want to delete, then click Delete.
After you confirm the deletion, the principal is deleted.
Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.
See How to Modify the Kerberos Administration Privileges for more details.
In the following example, the delete_principal command of kadmin is used to delete the pak principal.

```
kadmin: delete_principal pak
Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes
Principal "pak@EXAMPLE.COM" deleted.
Make sure that you have removed this principal from all ACLs before reusing.
kadmin: quit
```
No command-line equivalent exists for this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Choose Properties from the Edit Menu.
The Properties window is displayed.
Select the defaults that you want when you create new principals.
Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window.
Click Save.
Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.
Become superuser on the master KDC.
Edit the /etc/krb5/kadm5.acl file.
An entry in the kadm5.acl file must have the following format:

```
principal privileges [principal-target]
```

principal

Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm. Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.

privileges

Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.

| Character | Meaning |
|---|---|
| a | [Dis]allows the addition of principals or policies. |
| d | [Dis]allows the deletion of principals or policies. |
| m | [Dis]allows the modification of principals or policies. |
| c | [Dis]allows the changing of passwords for principals. |
| i | [Dis]allows inquiries to the Kerberos database. |
| l | [Dis]allows the listing of principals or policies in the Kerberos database. |
| x or * | Allows all privileges (admcil). |

principal-target

When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.
The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database.
```
*/admin@EXAMPLE.COM *
```
The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privilege to add, list, and inquire about any principal that has the root instance.
```
jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
```
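To check what a kadm5.acl file actually grants before relying on it, the following Python is an added example (not from the SEAM guide) that evaluates entries in the format just described against a constructed file containing the two entries above plus a third, and lists the entries that hand out every privilege so they can be reviewed. Its assumptions, beyond what the chapter states: entries are checked in file order and the first entry whose principal (and target, when the entry has one) matches decides the answer; a '*' stands for a whole name component or a whole realm; an entry that carries a principal-target does not apply to operations that have no target; and text after '#' is a comment. The function names are this example's own.

```python
"""Evaluate kadm5.acl entries: principal privileges [principal-target].

Added example, not part of the SEAM guide. Assumptions: first matching entry
wins; '*' matches one whole name component or the whole realm; entries with
a target are skipped when the operation has no target; '#' starts a comment.
"""

ALL_PRIVILEGES = "admcil"

# Constructed sample: the chapter's two entries plus a read-only helpdesk entry.
SAMPLE_ACL = """\
# constructed kadm5.acl for this example
*/admin@EXAMPLE.COM *
jdb@EXAMPLE.COM ali */root@EXAMPLE.COM
helpdesk@EXAMPLE.COM cil
"""


def split_principal(name):
    """'jdb/admin@EXAMPLE.COM' -> (['jdb', 'admin'], 'EXAMPLE.COM'); realm '' if absent."""
    local, realm = name.rsplit("@", 1) if "@" in name else (name, "")
    return local.split("/"), realm


def principal_matches(pattern, principal):
    """Component-wise match: the component counts must agree and every pattern
    component is either '*' or exactly equal to the principal's component."""
    pat_comps, pat_realm = split_principal(pattern)
    comps, realm = split_principal(principal)
    if len(pat_comps) != len(comps):
        return False
    if pat_realm != "*" and pat_realm != realm:
        return False
    return all(p == "*" or p == c for p, c in zip(pat_comps, comps))


def parse_acl(text):
    """Return a list of (principal_pattern, privileges, target_pattern_or_None)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError(f"malformed kadm5.acl entry: {raw!r}")
        entries.append((fields[0], fields[1], fields[2] if len(fields) == 3 else None))
    return entries


def privilege_allowed(privs, op):
    """A lowercase letter permits; uppercase or absent denies; 'x' or '*' grants all.
    'op' is lowercase, so 'a' is not found in 'ADmcil' and is correctly denied."""
    if "x" in privs or "*" in privs:
        return True
    return op in privs


def acl_allows(entries, principal, op, target=None):
    """Decide whether principal may perform op (one letter of 'admcil'),
    optionally on target. The first entry that matches decides."""
    if op not in ALL_PRIVILEGES:
        raise ValueError(f"unknown privilege letter {op!r}")
    for pattern, privs, target_pattern in entries:
        if not principal_matches(pattern, principal):
            continue
        if target_pattern is not None:
            if target is None or not principal_matches(target_pattern, target):
                continue
        return privilege_allowed(privs, op)
    return False


def audit_full_privilege(entries):
    """List (principal_pattern, target_pattern) for entries granting every
    privilege: the ones an administrator should keep to a minimum."""
    return [(pattern, target_pattern) for pattern, privs, target_pattern in entries
            if all(privilege_allowed(privs, op) for op in ALL_PRIVILEGES)]


if __name__ == "__main__":
    entries = parse_acl(SAMPLE_ACL)
    print("jdb/admin may delete:", acl_allows(entries, "jdb/admin@EXAMPLE.COM", "d"))
    print("jdb may add www/root:",
          acl_allows(entries, "jdb@EXAMPLE.COM", "a", "www/root@EXAMPLE.COM"))
    print("entries with all privileges:", audit_full_privilege(entries))
```

Run it against the real file with `parse_acl(open("/etc/krb5/kadm5.acl").read())` on the master KDC; the audit list is the set of entries to justify when reviewing who can administer the realm.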
This section provides step-by-step instructions to administer policies with the SEAM Tool. This section also provides examples of equivalent command lines, when available.
| Task | Description |
|---|---|
| View the list of policies | View the list of policies by clicking the Policies tab. |
| View a policy's attributes | View a policy's attributes by selecting the policy in the Policy List, then clicking the Modify button. |
| Create a new policy | Create a new policy by clicking the Create New button in the Policy List panel. |
| Duplicate a policy | Duplicate a policy by selecting the policy to duplicate in the Policy List, then clicking the Duplicate button. |
| Modify a policy | Modify a policy by selecting the policy to modify in the Policy List, then clicking the Modify button. Note that you cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy. |
| Delete a policy | Delete a policy by selecting the policy to delete in the Policy List, then clicking the Delete button. |
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Policies tab.
The list of policies is displayed.
Display a specific policy or a sublist of policies.
Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of policies that match the filter is displayed.
The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the policies with the ge string in them (for example, george or edge).
If you want to display the entire list of policies, click Clear Filter.
In the following example, the list_policies command of kadmin is used to list all the policies that match *user*. Wildcards can be used with the list_policies command.
```
kadmin: list_policies *user*
testuser
enguser
kadmin: quit
```
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Policies tab.
Select the policy in the list that you want to view, then click Modify.
The Policy Details panel is displayed.
When you are finished viewing, click Cancel.
The following example shows the Policy Details panel when you are viewing the test policy.
In the following example, the get_policy command of kadmin is used to view the attributes of the enguser policy.
```
kadmin: get_policy enguser
Policy: enguser
Maximum password life: 2592000
Minimum password life: 0
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 0
kadmin: quit
```
The reference count is the number of principals that use this policy.
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Policies tab.
Click New.
The Policy Details panel is displayed.
Specify a name for the policy in the Policy Name field.
The policy name is mandatory.
Specify values for the policy's attributes.
Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 11–5 for all the policy attribute descriptions.
Click Save to save the policy, or click Done.
In the following example, a new policy called build11 is created. The Minimum Password Classes is set to 3.
In the following example, the add_policy command of kadmin is used to create the build11 policy. This policy requires at least 3 character classes in a password.
```
$ kadmin
kadmin: add_policy -minclasses 3 build11
kadmin: quit
```
This procedure explains how to use all or some of the attributes of an existing policy to create a new policy. No command-line equivalent exists for this procedure.
1. If necessary, start the SEAM Tool.

   See How to Start the SEAM Tool for details.

2. Click the Policies tab.

3. Select the policy in the list that you want to duplicate, then click Duplicate.

   The Policy Details panel is displayed. All the attributes of the selected policy are duplicated, except for the Policy Name field, which is empty.

4. Specify a name for the duplicated policy in the Policy Name field.

   The policy name is mandatory. To make an exact duplicate of the policy you selected, click Save and skip to Step 6.

5. Specify different values for the policy's attributes.

   Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 11–5 for all the policy attribute descriptions.

6. Click Save to save the policy, or click Done.
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Policies tab.
Select the policy in the list that you want to modify, then click Modify.
The Policy Details panel is displayed.
Modify the policy's attributes.
Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 11–5 for all the policy attribute descriptions.
You cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy.
Click Save to save the policy, or click Done.
In the following example, the modify_policy command of kadmin is used to modify the minimum length of a password to five characters for the build11 policy.
```
$ kadmin
kadmin: modify_policy -minlength 5 build11
kadmin: quit
```
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See How to Start the SEAM Tool for details.
Click the Policies tab.
Before you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to modify the principals' Policy attribute. The policy cannot be deleted if any principal is using it.
Select the policy in the list that you want to delete, then click Delete.
After you confirm the deletion, the policy is deleted.
In the following example, the delete_policy command of the kadmin command is used to delete the build11 policy.
```
kadmin: delete_policy build11
Are you sure you want to delete the policy "build11"? (yes/no): yes
kadmin: quit
```
Before you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to use the modify_principal -policy command of kadmin on the affected principals. The delete_policy command fails if the policy is in use by a principal.
This section provides reference information for the SEAM Tool.
This section provides descriptions for each principal and policy attribute that you can either specify or view in the SEAM Tool. The attributes are organized by the panel in which they are displayed.
Table 11–2 Attributes for the Principal Basics Panel

| Attribute | Description |
|---|---|
| Principal Name | The name of the principal (the primary/instance part of a fully-qualified principal name). A principal is a unique identity to which the KDC can assign tickets. If you are modifying a principal, you cannot edit a principal's name. |
| Password | The password for the principal. You can use the Generate Random Password button to create a random password for the principal. |
| Policy | A menu of available policies for the principal. |
| Account Expires | The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and might be unable to log in. |
| Last Principal Change | The date on which information for the principal was last modified. (Read-only) |
| Last Changed By | The name of the principal that last modified the account for this principal. (Read-only) |
| Comments | Comments that are related to the principal (for example, “Temporary Account”). |
Table 11–3 Attributes for the Principal Details Panel

| Attribute | Description |
|---|---|
| Last Success | The date and time when the principal last logged in successfully. (Read-only) |
| Last Failure | The date and time when the last login failure for the principal occurred. (Read-only) |
| Failure Count | The number of times that there has been a login failure for the principal. (Read-only) |
| Last Password Change | The date and time when the principal's password was last changed. (Read-only) |
| Password Expires | The date and time when the principal's current password expires. |
| Key Version | The key version number for the principal. This attribute is normally changed only when a password has been compromised. |
| Maximum Lifetime (seconds) | The maximum length of time for which a ticket can be granted for the principal (without renewal). |
| Maximum Renewal (seconds) | The maximum length of time for which an existing ticket can be renewed for the principal. |
Table 11–4 Attributes of the Principal Flags Panel
Attribute (Radio Buttons) |
Description |
---|---|
Disable Account |
When checked, prevents the principal from logging in. This attribute provides an easy way to temporarily freeze a principal account. |
Require Password Change |
When checked, expires the principal's current password, which forces the user to use the kpasswd command to create a new password. This attribute is useful if there is a security breach, and you need to make sure that old passwords are replaced. |
Allow Postdated Tickets |
When checked, allows the principal to obtain postdated tickets. For example, you might need to use postdated tickets for cron jobs that must run after hours, but you cannot obtain tickets in advance because of short ticket lifetimes. |
Allow Forwardable Tickets |
When checked, allows the principal to obtain forwardable tickets. Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, then other services, such as NFS services, are available without your being prompted for another password. |
Allow Renewable Tickets |
When checked, allows the principal to obtain renewable tickets. A principal can extend the expiration time of a ticket that is renewable (rather than having to get a new ticket after the first ticket expires). Currently, the NFS service is the only service that renews tickets on a principal's behalf. |
Allow Proxiable Tickets |
When checked, allows the principal to obtain proxiable tickets. A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service, but the service cannot obtain a ticket-granting ticket. |
Allow Service Tickets |
When checked, allows service tickets to be issued for the principal. You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This practice ensures that these principals can only update the KDC database. |
Allow TGT-Based Authentication |
When checked, allows the service principal to provide services to another principal. More specifically, this attribute allows the KDC to issue a service ticket for the service principal. This attribute is valid only for service principals. When unchecked, service tickets cannot be issued for the service principal. |
Allow Duplicate Authentication |
When checked, allows the user principal to obtain service tickets for other user principals. This attribute is valid only for user principals. When unchecked, the user principal can still obtain service tickets for service principals, but not for other user principals. |
Required Preauthentication |
When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through software) that the principal is really the principal that is requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card. Requiring preauthentication also means that an attacker cannot simply request a TGT for an arbitrary principal and then guess that principal's password offline against the encrypted reply. When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. |
Required Hardware Authentication |
When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through hardware) that it is really the principal that is requesting the TGT. Hardware preauthentication can occur, for example, on a Java ring reader. When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. |
Table 11–5 Attributes for the Policy Basics Pane
Attribute |
Description |
---|---|
Policy Name |
The name of the policy. A policy is a set of rules that govern a principal's password and tickets. If you are modifying a policy, you cannot edit a policy's name. |
Minimum Password Length |
The minimum length for the principal's password. |
Minimum Password Classes |
The minimum number of different character types that are required in the principal's password. For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on. A value of 1 sets no restriction on the number of password character types. |
Saved Password History |
The number of previous passwords that are remembered for the principal. None of the passwords in that history can be reused. |
Minimum Password Lifetime (seconds) |
The minimum time that the password must be used before it can be changed. |
Maximum Password Lifetime (seconds) |
The maximum time that the password can be used before it must be changed. |
Principals Using This Policy |
The number of principals to which this policy currently applies. (Read-only) |
All features of the SEAM Administration Tool are available if your admin principal has all the privileges to administer the Kerberos database. But it is possible to have limited privileges, such as being allowed to view only the list of principals or to change a principal's password. With limited Kerberos administration privileges, you can still use the SEAM Tool. However, various parts of the SEAM Tool will change based on the Kerberos administration privileges that you do not have. Table 11–6 shows how the SEAM Tool changes based on your Kerberos administration privileges.
The most visible change to the SEAM Tool occurs when you do not have the list privilege. Without the list privilege, the List panels do not display the list of principals and policies for you to manipulate. Instead, you must use the Name field in the List panels to specify the principal or policy that you want to manipulate.
If you log in to the SEAM Tool and you do not have sufficient privileges to perform tasks with it, the following message is displayed and you are returned to the SEAM Administration Login window:
Insufficient privileges to use gkadmin: ADMCIL. Please try using another principal. |
To change the privileges for a principal to administer the Kerberos database, go to How to Modify the Kerberos Administration Privileges.
Table 11–6 Using SEAM Tool With Limited Kerberos Administration Privileges
Disallowed Privilege |
Change to the SEAM Tool |
---|---|
a (add) |
The Create New and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the add privilege, you cannot create new principals or policies or duplicate them. |
d (delete) |
The Delete button is unavailable in the Principal List and Policy List panels. Without the delete privilege, you cannot delete principals or policies. |
m (modify) |
The Modify button is unavailable in the Principal List and Policy List panels. Without the modify privilege, you cannot modify principals or policies. Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. |
c (change password) |
The Password field in the Principal Basics panel is read-only and cannot be changed. Without the change password privilege, you cannot modify a principal's password. Note that even if you have the change password privilege, you must also have the modify privilege to change a principal's password. |
i (inquiry to database) |
The Modify and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the inquiry privilege, you cannot modify or duplicate a principal or policy. Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. |
l (list) |
The list of principals and policies in the List panels are unavailable. Without the list privilege, you must use the Name field in the List panels to specify the principal or policy that you want to manipulate. |
Every host that provides a service must have a local file, called a keytab (short for key table). The keytab contains the key of the appropriate service principal, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only to the KDC and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains the key for its nfs service principal.
To add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab, by default. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.
A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network.
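The following shell script is an added example, not part of the original page or of SEAM, for checking that a keytab meets the rule above: a regular file (not a symbolic link to somewhere else), owned by root, with no group or other permissions. keytab_perm_problems examines a single ls -l line so the logic can be exercised on constructed input; audit_keytab runs ls -ld on a real path. The function names and every file name other than /etc/krb5/krb5.keytab are illustrative.

```shell
#!/bin/sh
# Added example: check that a keytab is protected the way the page requires
# (regular file on local disk, owned by root, readable by root only).
# Not part of the original page or of SEAM; /etc/krb5/krb5.keytab is the
# page's default path, everything else here is illustrative.

# keytab_perm_problems "LS_LINE": examine one line of "ls -l" output, print
# each problem found and return the number of problems (0 = locked down).
# Taking the line as input lets the check run on constructed data; file
# names that contain spaces are not handled.
keytab_perm_problems() {
    set -- $1                       # split the ls -l line into its fields
    perms=$1 owner=$3 name=$9       # perms links owner group size mon day time name
    count=0
    case $(printf '%s' "$perms" | cut -c1) in
        -) ;;                       # regular file: what we expect
        l) echo "$name: symbolic link; a keytab should be a regular file on local disk"
           count=$((count + 1)) ;;
        *) echo "$name: not a regular file ($perms)"
           count=$((count + 1)) ;;
    esac
    # Characters 5-10 of the mode string are the group and other bits.
    if [ "$(printf '%s' "$perms" | cut -c5-10)" != "------" ]; then
        echo "$name: group or other can access it ($perms); use mode 0600 or 0400"
        count=$((count + 1))
    fi
    if [ "$owner" != root ]; then
        echo "$name: owned by $owner, expected root"
        count=$((count + 1))
    fi
    return $count
}

# audit_keytab PATH: run the check against a real file.
audit_keytab() {
    line=$(ls -ld "$1" 2>/dev/null) || { echo "$1: cannot stat"; return 1; }
    keytab_perm_problems "$line"
}

# Usage: audit_keytab /etc/krb5/krb5.keytab
if [ $# -gt 0 ]; then
    audit_keytab "$1"
fi
```

A non-zero return lists what is wrong, so the script can be run from a periodic job across application servers and the output compared against the expectation of a root-owned 0600 file.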
There is also a special instance to add a root principal to a host's keytab file. If you want a user on the SEAM client to mount Kerberized NFS file systems that use Kerberos authentication automatically, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system, even when they are using the automounter. See Setting Up Root Authentication to Mount NFS File Systems for detailed information.
When you set up a master KDC, you need to add the kadmin/admin and kadmin/changepw principals to the kadm5.keytab file. These keys enable the kadmind daemon to decrypt the service tickets that administrators present, so that it can determine whether to give them access to the database.
Another command that you can use to administer keytab files is the ktutil command. ktutil is an interactive command that enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.
Task |
Description |
For Instructions |
---|---|---|
Add a service principal to a keytab file |
Use the ktadd command of kadmin to add a service principal to a keytab file. | |
Remove a service principal from a keytab file |
Use the ktremove command of kadmin to remove a service principal from a keytab file. | |
Display the keylist (Principals) in a keytab file |
Use the ktutil command to display the keylist in a keytab file. | |
Temporarily disable authentication for a service on a host |
This procedure is a quick way to temporarily disable authentication for a service on a host without needing kadmin privileges. Before you use ktutil to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location. |
How to Temporarily Disable Authentication for a Service on a Host |
Make sure that the principal already exists in the Kerberos database.
See How to View the List of Principals for more information.
Become superuser on the host that needs a principal added to its keytab file.
Start the kadmin command.
# /usr/sbin/kadmin |
Add a principal to a keytab file by using the ktadd command.
kadmin: ktadd [-k keytab] [-q] [principal | -glob principal-exp] |
-k keytab |
Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used. |
-q |
Displays less verbose information. |
principal |
Specifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp. |
-glob principal-exp |
Specifies a principal expression. All principals that match principal-exp are added to the keytab file. The rules for principal expressions are the same as for the list_principals command of kadmin. |
Quit the kadmin command.
kadmin: quit |
In the following example, the kadmin/admin and kadmin/changepw principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.
kdc1 # /usr/sbin/kadmin.local
kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/admin kadmin/changepw
Entry for principal kadmin/admin@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
Entry for principal kadmin/changepw@EXAMPLE.COM with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/kadm5.keytab.
kadmin.local: quit |
In the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.
denver # /usr/sbin/kadmin
kadmin: ktadd host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit |
Become superuser on the host with a service principal that must be removed from its keytab file.
Start the kadmin command.
# /usr/sbin/kadmin |
(Optional) To display the current list of principals (keys) in the keytab file, use the ktutil command.
See How to Display the Keylist (Principals) in a Keytab File for detailed instructions.
Remove a principal from the keytab file by using the ktremove command.
kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ] |
-k keytab |
Specifies the keytab file. By default, /etc/krb5/krb5.keytab is used. |
-q |
Displays less verbose information. |
principal |
Specifies the principal to be removed from the keytab file. |
kvno |
Removes all entries for the specified principal whose key version number matches kvno. |
all |
Removes all entries for the specified principal. |
old |
Removes all entries for the specified principal except the entry (or entries) with the highest key version number. |
Quit the kadmin command.
kadmin: quit |
In the following example, denver's host principal is removed from denver's keytab file.
denver # /usr/sbin/kadmin
kadmin: ktremove host/denver.example.com@EXAMPLE.COM
kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5/krb5.keytab.
kadmin: quit |
Become superuser on the host with the keytab file.
Although you can create keytab files that are owned by other users, the default location for the keytab file requires root ownership.
Start the ktutil command.
# /usr/bin/ktutil |
Read the keytab file into the keylist buffer by using the read_kt command.
ktutil: read_kt keytab |
Display the keylist buffer by using the list command.
ktutil: list |
The current keylist buffer is displayed.
Quit the ktutil command.
ktutil: quit |
The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    5 host/denver@EXAMPLE.COM
ktutil: quit |
At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.
By default, most services are set up to require Kerberos authentication, and removing the service key from the keytab stops them from authenticating clients. A service that is not set up to require Kerberos authentication, however, still works after you remove its key, so this procedure does not by itself block access to such a service.
Become superuser on the host with the keytab file.
Although you can create keytab files that are owned by other users, the default location for the keytab file requires root ownership.
Save the current keytab file to a temporary file.
Start the ktutil command.
# /usr/bin/ktutil |
Read the keytab file into the keylist buffer by using the read_kt command.
ktutil: read_kt keytab |
Display the keylist buffer by using the list command.
ktutil: list |
The current keylist buffer is displayed. Note the slot number for the service that you want to disable.
To temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.
ktutil: delete_entry slot-number |
In this example, slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command.
Write the keylist buffer to the keytab file by using the write_kt command.
ktutil: write_kt keytab |
Quit the ktutil command.
ktutil: quit |
When you want to re-enable the service, copy the temporary (original) keytab file back to its original location.
In the following example, the host service on the denver host is temporarily disabled. To enable the host service back on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.
denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp
denver # /usr/bin/ktutil
ktutil: read_kt /etc/krb5/krb5.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
ktutil: delete_entry 2
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
ktutil: write_kt /etc/krb5/krb5.keytab
ktutil: quit |
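As an added example (not the page's or SEAM's own code), the following shell script automates the procedure above together with the slot bookkeeping it relies on. slot_for_principal and old_kvno_slots parse the ktutil list output format shown in the page's examples; the second selects the same entries that ktremove principal old would drop, so you can see what is about to go before touching the keytab. disable_service saves the keytab, deletes every entry for the service from the buffer and replaces the file; restore_keytab puts the saved copy back. Two caveats worth knowing: ktutil renumbers slots after each delete_entry, so the script deletes from the highest slot down, and in MIT-derived ktutil write_kt appends to an existing file rather than replacing it, so the script writes to a new file and moves it into place instead of writing back over the original as the procedure does. The listing, host names and principal names below are constructed.

```shell
#!/bin/sh
# Added example: helpers for the "temporarily disable a service" procedure.
# Not part of the original page; the ktutil command sequence follows the
# page, the listing below is constructed, and file/principal names are
# illustrative.

# Constructed "ktutil: list" output in the format the page shows.
SAMPLE_LISTING='slot KVNO Principal
---- ---- ---------------------------------------
   1    8 root/denver@EXAMPLE.COM
   2    5 host/denver@EXAMPLE.COM
   3    4 host/denver@EXAMPLE.COM
   4    7 nfs/denver@EXAMPLE.COM'

# slot_for_principal LISTING PRINCIPAL: print the slot of every entry for
# PRINCIPAL, one per line, in listing order. Only lines that start with a
# number are entries, so prompts and headers in captured output are ignored.
slot_for_principal() {
    printf '%s\n' "$1" | awk -v p="$2" '$1 ~ /^[0-9]+$/ && $3 == p { print $1 }'
}

# old_kvno_slots LISTING PRINCIPAL: print the slots of PRINCIPAL whose kvno
# is lower than its highest kvno, i.e. what "ktremove PRINCIPAL old" removes.
old_kvno_slots() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^[0-9]+$/ && $3 == p {
            slot[NR] = $1; kvno[NR] = $2 + 0
            if ($2 + 0 > max) max = $2 + 0
        }
        END { for (n in slot) if (kvno[n] < max) print slot[n] }' | sort -n
}

# disable_service KEYTAB PRINCIPAL: save KEYTAB as KEYTAB.temp, then remove
# every entry for PRINCIPAL. ktutil renumbers the buffer after each
# delete_entry, so slots are deleted from the highest down. write_kt appends
# to an existing file, so the result goes to a fresh file (created with a
# restrictive umask) that is then moved over the original.
disable_service() {
    keytab=$1 principal=$2
    command -v ktutil >/dev/null 2>&1 || { echo "ktutil not found" >&2; return 1; }
    [ -f "$keytab" ] || { echo "$keytab: no such keytab" >&2; return 1; }
    cp -p "$keytab" "$keytab.temp" || return 1
    listing=$(printf 'read_kt %s\nlist\nquit\n' "$keytab" | ktutil)
    slots=$(slot_for_principal "$listing" "$principal" | sort -rn)
    [ -n "$slots" ] || { echo "$principal: not in $keytab" >&2; return 1; }
    rm -f "$keytab.new"
    (
        umask 077
        {
            printf 'read_kt %s\n' "$keytab"
            for s in $slots; do printf 'delete_entry %s\n' "$s"; done
            printf 'write_kt %s\nquit\n' "$keytab.new"
        } | ktutil
    )
    if [ -f "$keytab.new" ]; then
        mv "$keytab.new" "$keytab"   # the other services keep their keys
    else
        rm -f "$keytab"              # PRINCIPAL was the only entry; nothing left
    fi
}

# restore_keytab KEYTAB: re-enable the service by putting the saved copy back.
restore_keytab() {
    mv "$1.temp" "$1"
}

# Usage: disable_service /etc/krb5/krb5.keytab host/denver@EXAMPLE.COM
#        restore_keytab  /etc/krb5/krb5.keytab
```

Because the listing parsers take text rather than a file, you can also feed them a captured ktutil session from another host to decide which stale key versions to clean up before running ktremove against the KDC.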