Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

Automating the Creation of New Kerberos Principals

You can use the kadmin.local command in a script to automate the creation of new Kerberos principals. Automation is useful when you want to add many new principals to the database.

The following shell script line shows how to automate the creation of new principals:

awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames |
time /usr/sbin/kadmin.local> /dev/null

    The preceding example is split over two lines for readability.

  • The script reads in a file called princnames. This file contains principal names and their passwords, and adds them to the Kerberos database.

    You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces.

  • The ank command adds a new key. ank is an alias for the add_principal command.

  • The +needchange option configures the principal so that the user who is the principal is prompted for a new password at first login.

    Requiring a password change helps to ensure that the passwords in the princnames file are not a security risk.

You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site's needs and your scripting expertise.