E Configuring the Kerberos Administrative Utility
Before using kadmin, you first need to configure permissions on the KDC. Kerberos uses an Access Control List (ACL) file to determine which principals have administrative access to the Kerberos database and their level of access.
The default location of the Kerberos ACL file is <LOCALSTATEDIR>/krb5kdc/kadm5.acl, where LOCALSTATEDIR is the directory prefix where the KDC databases are located. This location can be modified by the acl_file variable in kdc.conf.
Each ACL entry is a line of this form:
principal permissions [target_principal [restrictions]]
Note: Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal.
To configure kadmin, perform the following steps:
- Create an access control list file and put the Kerberos principal of at least one of the administrators into it. For example:
  */admin@EXAMPLE.COM *
  In this case, any principal in the EXAMPLE.COM realm with an admin instance has all administrative privileges on the KDC. For example, joe/admin@EXAMPLE.COM has all privileges over the realm's Kerberos database.
- Create the first principal before accessing the KDC remotely:
  kadmin.local: addprinc -randkey admin/admin
  kadmin.local: ktadd -k kadm5.keytab admin/admin
Note: To enable passwordless authentication, copy kadm5.keytab to any client machine.
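As an added illustration of the entry format and the first-match rule described above (this is example code, not part of this guide or of MIT Kerberos), the following Python evaluator parses a constructed kadm5.acl and answers access queries. It assumes the MIT permission letters and simplifies wildcard matching to whole principal components.

```python
"""Hypothetical kadm5.acl evaluator (not MIT's code): the first matching entry wins.
Simplifications: '*' matches one whole component or the realm; back-references
(*1) and per-entry restrictions are not modelled."""
ALL_PERMS = set("acdeilmps")  # MIT permission letters; '*' or 'x' stands for all of them


def principal_matches(pattern, principal):
    """Exact component-wise match; a '*' component (or realm) matches anything."""
    (pname, _, prealm), (cname, _, crealm) = pattern.partition("@"), principal.partition("@")
    pcomps, ccomps = pname.split("/"), cname.split("/")
    if len(pcomps) != len(ccomps) or prealm not in ("*", crealm):
        return False
    return all(p in ("*", c) for p, c in zip(pcomps, ccomps))


def expand_perms(spec):
    """Lowercase letters grant, uppercase revoke, '*'/'x' grant all (left to right)."""
    granted = set()
    for ch in spec:
        if ch in "*x":
            granted |= ALL_PERMS
        elif ch.islower():
            granted.add(ch)
        else:
            granted.discard(ch.lower())
    return granted


def parse_acl(text):
    """Return [(actor_pattern, perm_spec, target_pattern or None)] in file order."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # '#' starts a comment
        if fields:
            entries.append((fields[0], fields[1], fields[2] if len(fields) > 2 else None))
    return entries


def is_allowed(entries, actor, perm, target=None):
    """First entry matching actor (and target, if the entry names one) decides; else deny."""
    for actor_pat, spec, target_pat in entries:
        if not principal_matches(actor_pat, actor):
            continue
        if target_pat and (target is None or not principal_matches(target_pat, target)):
            continue
        return perm in expand_perms(spec)
    return False


# Constructed sample: the narrow joe/admin entry comes FIRST, so it overrides the wildcard.
SAMPLE_ACL = """
joe/admin@EXAMPLE.COM    li                  # read-only, despite the line below
*/admin@EXAMPLE.COM      *                   # every other admin instance: all privileges
*/helpdesk@EXAMPLE.COM   ci  *@EXAMPLE.COM   # password changes on plain user principals only
"""
ENTRIES = parse_acl(SAMPLE_ACL)
```

Swapping the first two lines of SAMPLE_ACL gives joe/admin full privileges, which is the ordering pitfall the note above warns about.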
Kadmin can also be used to perform security maintenance. For more information, see Guidelines for Updating Kerberos Passwords.