E Configuring the Kerberos Administrative Utility

Before using kadmin, you first need to configure permissions on the KDC. Kerberos uses an Access Control List (ACL) file to determine which principals have administrative access to the Kerberos database and their level of access.

The default location of the Kerberos ACL file is <LOCALSTATEDIR>/krb5kdc/kadm5.acl, where LOCALSTATEDIR is the directory prefix where the KDC databases are located. This location can be modified by the acl_file variable in kdc.conf.

Lines containing ACL entries have this format:

principal  permissions  [target_principal  [restrictions] ]

Note:

Line order in the ACL file is important. The first matching entry will control access for an actor principal on a target principal.
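The first-match rule is easy to get wrong in a long ACL file, so it is worth checking an ACL offline before relying on it. The script below is an added example, not part of this document or of the MIT Kerberos distribution: it parses kadm5.acl-style entries and applies the first-match rule to an actor principal, an operation letter and an optional target, and it lists entries that an earlier entry already shadows. It assumes that a `*` wildcard matches one whole principal component, that permission letters follow the MIT kadm5.acl convention (lowercase allows, uppercase denies, `x` or `*` means all), that a principal without a realm belongs to the assumed default realm `EXAMPLE.COM`, and that an entry with a target column only matches operations that name a target. The restrictions column is ignored. The sample ACL embedded in the script is constructed for the example.

```python
# Added example (not from the original document or from MIT Kerberos): a small
# evaluator for kadm5.acl-style entries that applies the first-match rule.
# Assumptions: '*' matches one whole principal component; permission letters
# follow the MIT convention (lowercase allows, uppercase denies, 'x'/'*' = all);
# a missing realm means DEFAULT_REALM; an entry with a target column only
# matches operations that name a target; the restrictions column is ignored.
from fnmatch import fnmatchcase

DEFAULT_REALM = "EXAMPLE.COM"      # assumed default realm for the example
ALL_PERMS = set("admcilsp")        # what 'x' / '*' expand to (MIT convention)

# Constructed sample ACL (not from the original document).
SAMPLE_ACL = """\
# first-match: the first entry whose actor (and target) match decides
*/admin@EXAMPLE.COM     *
joe/admin@EXAMPLE.COM   li                     # never consulted: shadowed by line 2
auditor@EXAMPLE.COM     li
helpdesk/*@EXAMPLE.COM  c     *@EXAMPLE.COM    # may change passwords of user principals only
"""


def parse_principal(text, default_realm=DEFAULT_REALM):
    """Split 'a/b@REALM' into (['a', 'b'], 'REALM'); realm defaults if absent."""
    name, sep, realm = text.rpartition("@")
    if not sep:
        name, realm = text, default_realm
    return name.split("/"), realm


def principal_matches(pattern, principal):
    """Component-wise glob match: same component count, each component and the realm match.
    Realms are compared case-sensitively, as Kerberos does."""
    p_comps, p_realm = parse_principal(pattern)
    n_comps, n_realm = parse_principal(principal)
    if len(p_comps) != len(n_comps) or not fnmatchcase(n_realm, p_realm):
        return False
    return all(fnmatchcase(n, p) for p, n in zip(p_comps, n_comps))


def expand_perms(perms):
    """Turn a permission string into the set of allowed operation letters."""
    allowed = set()
    for ch in perms:
        if ch in "x*":
            allowed |= ALL_PERMS
        elif ch.islower():
            allowed.add(ch)
        else:                        # uppercase letter: explicit deny
            allowed.discard(ch.lower())
    return allowed


def parse_acl(text):
    """Parse ACL lines into dicts; blank lines and '#' comments are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'principal permissions [target]'")
        entries.append({
            "line": lineno,
            "principal": fields[0],
            "allowed": expand_perms(fields[1]),
            "target": fields[2] if len(fields) > 2 else None,   # None = any target
        })
    return entries


def is_allowed(entries, actor, op, target=None):
    """The first entry matching actor (and target, if the entry has one) decides;
    no matching entry means the operation is denied."""
    for e in entries:
        if not principal_matches(e["principal"], actor):
            continue
        if e["target"] is not None:
            if target is None or not principal_matches(e["target"], target):
                continue
        return op in e["allowed"]
    return False


def shadowed_entries(entries):
    """Line numbers of wildcard-free entries that can never be consulted because an
    earlier entry with no target column already matches their actor principal."""
    shadowed = []
    for i, e in enumerate(entries):
        if "*" in e["principal"]:
            continue
        for earlier in entries[:i]:
            if earlier["target"] is None and principal_matches(earlier["principal"], e["principal"]):
                shadowed.append(e["line"])
                break
    return shadowed


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print(is_allowed(acl, "joe/admin@EXAMPLE.COM", "d"))                                  # True
    print(is_allowed(acl, "auditor@EXAMPLE.COM", "d"))                                    # False
    print(is_allowed(acl, "helpdesk/alice@EXAMPLE.COM", "c", "bob@EXAMPLE.COM"))          # True
    print(is_allowed(acl, "helpdesk/alice@EXAMPLE.COM", "c", "joe/admin@EXAMPLE.COM"))    # False
    print(shadowed_entries(acl))                                                          # [3]
```

Run it against a copy of your own kadm5.acl by passing the file contents to `parse_acl`; a non-empty result from `shadowed_entries` usually means an entry was appended after a broad wildcard entry and is doing nothing, and a principal whose realm differs only in case from the ACL pattern will be denied, because realm comparison is case-sensitive.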

To configure kadmin, perform the following steps:

  1. Create an access control list file and put the Kerberos principal of at least one of the administrators into it. For example:

    */admin@EXAMPLE.COM  *

    In this case, any principal in the EXAMPLE.COM realm with an admin instance has all administrative privileges on the KDC.

    For example, joe/admin@EXAMPLE.COM has all privileges over the realm's Kerberos database.

  2. Create the first principal before accessing the KDC remotely:

    kadmin.local: addprinc -randkey admin/admin
    kadmin.local: ktadd -k kadm5.keytab admin/admin

Note:

To enable passwordless authentication, copy kadm5.keytab to any client machine.

Kadmin can also be used to perform security maintenance. For more information, see Guidelines for Updating Kerberos Passwords.