Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Updated: August 2014

Administering Kerberos Policies

This section provides examples of using the kadmin command and the gkadmin GUI to administer Kerberos policies. Most Kerberos policies specify password requirements.

The steps for administering policies are similar to the steps for administering principals. For more information, see the kadmin(1M) and gkadmin(1M) man pages.

Example 5-8  Viewing the List of Kerberos Policies

In this example, the list_policies subcommand is used to list all the policies that match *user*. Without an argument, list_policies lists all the policies that are defined in the Kerberos database.

# kadmin
kadmin: list_policies *user*
testuser
financeuser
kadmin: quit

Example 5-9  Viewing the Attributes of a Kerberos Policy

In this example, the get_policy subcommand is used to view the attributes of the financeuser policy.

# /usr/sbin/kadmin.local
kadmin.local: get_policy financeuser
Policy: financeuser
Maximum password life: 13050000
Minimum password life: 10886400
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 8
Maximum password failures before lockout: 5
Password failure count reset interval: 200
Password lockout duration: 300
kadmin.local: quit

The Reference count is the number of principals that are assigned this policy.
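As an added example (not part of the Oracle guide), the following Python helper parses a get_policy listing in the format shown above and flags attribute values that weaken password or lockout protection. The thresholds it applies are assumptions chosen for illustration, not values from this guide; the audit_live function assumes kadmin.local is run as root on the KDC.

```python
import subprocess

# Constructed sample in the shape of the get_policy listing above (prompts omitted).
SAMPLE_GET_POLICY = """\
Policy: financeuser
Maximum password life: 13050000
Minimum password life: 10886400
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 8
Maximum password failures before lockout: 5
Password failure count reset interval: 200
Password lockout duration: 300
"""

def parse_get_policy(text):
    """Turn 'Attribute: value' lines into a dict; numeric values become ints."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith("kadmin"):  # skip prompt echoes
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        policy[key.strip()] = int(value) if value.isdigit() else value
    return policy

def audit_policy(policy):
    """Return a list of findings; an empty list means nothing was flagged.
    Thresholds are assumptions for illustration, not values from the guide."""
    findings = []
    if policy.get("Minimum password length", 0) < 8:
        findings.append("minimum password length below 8")
    if policy.get("Minimum number of password character classes", 0) < 2:
        findings.append("fewer than 2 character classes required")
    if policy.get("Maximum password failures before lockout", 0) == 0:
        findings.append("no lockout: unlimited password failures allowed")
    if policy.get("Maximum password life", 0) == 0:
        findings.append("passwords never expire")
    if policy.get("Number of old keys kept", 0) < 2:
        findings.append("password history too short to prevent reuse")
    return findings

def audit_live(name):
    """Query the local KDC database with kadmin.local -q and audit the result."""
    out = subprocess.run(["/usr/sbin/kadmin.local", "-q", f"get_policy {name}"],
                         capture_output=True, text=True, check=True).stdout
    return audit_policy(parse_get_policy(out))

if __name__ == "__main__":
    print(audit_policy(parse_get_policy(SAMPLE_GET_POLICY)))  # prints []
```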

Example 5-10  Creating a New Kerberos Password Policy

In this example, the add_policy subcommand is used to create the build11 policy. This policy requires at least three character classes in a password.

# kadmin
kadmin: add_policy -minclasses 3 build11
kadmin: quit

Example 5-11  Handling a Kerberos Account Lockout Policy

In this example, three authentication failures within a span of 300 seconds trigger an account lockout of 900 seconds.

kadmin: add_policy -maxfailure 3 -failurecountinterval "300 seconds" -lockoutduration "900 seconds" default

Releasing the lock before the 15 minutes elapse requires administrative action.

# /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: modify_principal -unlock principal

Example 5-12  Modifying a Kerberos Policy

In this example, the modify_policy subcommand is used to change the minimum length of a password to eight characters for the build11 policy.

# kadmin
kadmin: modify_policy -minlength 8 build11
kadmin: quit

Example 5-13  Deleting a Kerberos Policy

In this example, the delete_policy subcommand is used to delete the build11 policy.

  1. The administrator removes the policy from each principal that uses it.

    # kadmin
    kadmin: modify_principal -clearpolicy principal
  2. Then, the administrator deletes the policy.

    kadmin: delete_policy build11
    Are you sure you want to delete the policy "build11"? (yes/no): yes
    kadmin: quit

The delete_policy command fails if the policy is assigned to a principal.

Example 5-14  Duplicating a Kerberos Policy by Using the gkadmin GUI

In the gkadmin GUI, you can duplicate a selected policy by clicking the Duplicate button. In the Policy Name field, name the new policy. You can also modify the policy attributes that you duplicated. The steps are similar to the steps in Duplicating a Kerberos Principal by Using the gkadmin GUI.