This section provides examples of using the kadmin command and the gkadmin GUI to administer Kerberos policies. Most Kerberos policies specify password requirements.
The steps for administering policies are similar to the steps for administering principals. For more information, see the kadmin(1M) and gkadmin(1M) man pages.
Example 5-8 Viewing the List of Kerberos Policies

In this example, the list_policies subcommand is used to list all the policies that match *user*. Without an argument, list_policies lists all the policies that are defined in the Kerberos database.

# kadmin
kadmin: list_policies *user*
testuser
financeuser
kadmin: quit

Example 5-9 Viewing the Attributes of a Kerberos Policy
In this example, the get_policy subcommand is used to view the attributes of the financeuser policy.

# /usr/sbin/kadmin.local
kadmin.local: get_policy financeuser
Policy: financeuser
Maximum password life: 13050000
Minimum password life: 10886400
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Reference count: 8
Maximum password failures before lockout: 5
Password failure count reset interval: 200
Password lockout duration: 300
kadmin: quit

The Reference count is the number of principals that are assigned this policy.
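
The following is an added example, not part of the original page or of the vendor's documentation: a shell function that parses the get_policy output format shown above and flags settings that fall below a baseline. The thresholds, the legacyuser policy name, and the treatment of a zero failure count as "lockout disabled" are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit get_policy output against a baseline.
# Thresholds are assumptions for illustration, not vendor guidance.
MIN_LENGTH=8 MIN_CLASSES=2 MAX_FAILURES=5

# Reads get_policy output on stdin, prints one finding per line,
# returns 0 if the policy meets the baseline and 1 otherwise.
audit_policy() {
    awk -F': *' -v len="$MIN_LENGTH" -v cls="$MIN_CLASSES" -v fail="$MAX_FAILURES" '
    function finding(msg) { print name ": " msg; bad = 1 }
    { sub(/^[ \t]+/, "") }    # tolerate indented output
    $1 == "Policy" { name = $2 }
    $1 == "Minimum password length" { v["len"] = $2 }
    $1 == "Minimum number of password character classes" { v["cls"] = $2 }
    $1 == "Maximum password failures before lockout" { v["fail"] = $2 }
    END {
        if (!("len" in v)) finding("minimum length not reported")
        else if (v["len"] + 0 < len) finding("minimum length " v["len"] " < " len)
        if (!("cls" in v)) finding("character classes not reported")
        else if (v["cls"] + 0 < cls) finding("character classes " v["cls"] " < " cls)
        # Assumption: a failure count of 0 means lockout is disabled.
        if (!("fail" in v)) finding("lockout threshold not reported")
        else if (v["fail"] + 0 == 0) finding("lockout disabled")
        else if (v["fail"] + 0 > fail) finding("lockout threshold " v["fail"] " > " fail)
        exit (bad ? 1 : 0)
    }'
}

# Relevant lines of the financeuser output shown on this page.
sample_financeuser() {
    cat <<'EOF'
Policy: financeuser
Minimum password length: 8
Minimum number of password character classes: 2
Number of old keys kept: 3
Maximum password failures before lockout: 5
EOF
}

# Constructed output for a hypothetical policy named legacyuser.
sample_weak() {
    printf '%s\n' 'Policy: legacyuser' 'Minimum password length: 6' \
        'Maximum password failures before lockout: 0'
}

# Demo on the samples; on a KDC, pipe in real output instead:
#   kadmin.local -q "get_policy financeuser" | audit_policy
sample_financeuser | audit_policy && echo "financeuser: meets baseline"
sample_weak | audit_policy || echo "legacyuser: below baseline"
```

A field that is absent from the output is reported as a finding rather than silently passed, so output that lacks the lockout attributes does not look compliant.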

Example 5-10 Creating a New Kerberos Password Policy

In this example, the add_policy subcommand is used to create the build11 policy. This policy requires at least three character classes in a password.

# kadmin
kadmin: add_policy -minclasses 3 build11
kadmin: quit

Example 5-11 Handling a Kerberos Account Lockout Policy

In this example, three authentication failures during a span of 300 seconds trigger an account lockout of 900 seconds.

kadmin: add_policy -maxfailure 3 -failurecountinterval "300 seconds"\
-lockoutduration "900 seconds" default

Releasing the lock within the 15 minutes requires administrative action.

# /usr/sbin/kadmin -p kws/admin
Enter password: xxxxxxxx
kadmin: modify_principal -unlock principal

Example 5-12 Modifying a Kerberos Policy

In this example, the modify_policy subcommand is used to change the minimum length of a password to eight characters for the build11 policy.

# kadmin
kadmin: modify_policy -minlength 8 build11
kadmin: quit

Example 5-13 Deleting a Kerberos Policy

In this example, the delete_policy subcommand is used to delete the build11 policy.
First, the administrator removes the policy from all principals that use it.

# kadmin
kadmin: modify_principal -clearpolicy *admin*

Then, the administrator deletes the policy.

kadmin: delete_policy build11
Are you sure you want to delete the policy "build11"? (yes/no): yes
kadmin: quit

The delete_policy command fails if the policy is assigned to a principal.

Example 5-14 Duplicating a Kerberos Policy by Using the gkadmin GUI

In the gkadmin GUI, you can duplicate a selected policy by clicking the Duplicate button. In the Policy Name field, name the new policy. You can also modify the policy attributes that you duplicated. The steps are similar to the steps in Duplicating a Kerberos Principal by Using the gkadmin GUI.