Deleting Kerberos Principals and Keys (CLI)
Use the following procedure to delete individual keys, or to delete all keys for a principal.
- Go to configuration services kerberos and enter list.

    hostname:configuration services kerberos> list
    REALM        KDC
    TEST.NET

- Select the realm.

    hostname:configuration services kerberos> select TEST.NET
    hostname:configuration services kerberos TEST.NET>

- Enter show to view the principals for the KDC.

    hostname:configuration services kerberos TEST.NET> show
    Properties:
                             kdcs = kdc1.example.com

    Keytab entries:

    NAME            KEYS   PRINCIPAL
    principal-000   4      host/hostname.example.com@TEST.NET
    principal-001   4      nfs/hostname.example.com@TEST.NET

- To delete all of the keys for a principal, enter destroy and the principal name, and confirm your action. To delete an individual key, see the next step.

    hostname:configuration services kerberos TEST.NET> destroy principal-000
    This will delete all keys for "principal-000". Are you sure? (Y/N) Y

- To delete an individual key for a principal, first select a principal and enter show to view the list of keys.

    hostname:configuration services kerberos TEST.NET> select principal-001
    hostname:configuration services kerberos principal-001> show
    Properties:
                             name = nfs/hostname.example.com@TEST.NET

    Keys:

    KEY       KVNO   ENCTYPENO   ENCTYPE
    key-000   28     18          AES-256 CTS mode with 96-bit SHA-1 HMAC
    key-001   28     17          AES-128 CTS mode with 96-bit SHA-1 HMAC
    key-002   28     16          Triple DES cbc mode with HMAC/sha1
    key-003   28     23          ArcFour with HMAC/md5
    key-004   28     24          Exportable ArcFour with HMAC/md5
    key-005   28     3           DES cbc mode with RSA-MD5
    key-006   28     1           DES cbc mode with CRC-32

  Legend for column headings:
  - KEY = Key name
  - KVNO = Key version number
  - ENCTYPENO = Encryption type number
  - ENCTYPE = Encryption type

- To view the properties of a key, select a key and enter show.

    hostname:configuration services kerberos principal-001> select key-003
    hostname:configuration services kerberos principal-001 key-003> show
    Properties:
                        principal = nfs/hostname.example.com@TEST.NET
                             kvno = 28
                          enctype = ArcFour with HMAC/md5
                        enctypeno = 23

- To delete a key or view a different key, enter done to return to the principal context.

    hostname:configuration services kerberos principal-001 key-003> done
    hostname:configuration services kerberos principal-001>

- To delete the key, enter destroy and the key name, and confirm your action.

    hostname:configuration services kerberos principal-001> destroy key-003
    This will delete key "key-003". Are you sure? (Y/N) Y
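The listing above shows why an administrator would delete individual keys rather than whole principals: a keytab that still carries DES, 3DES and ArcFour (RC4) keys keeps deprecated encryption types available even when AES keys are present. The following script, an added example that is not part of the appliance documentation, parses the output of the principal-context show command, flags keys whose ENCTYPENO is deprecated by RFC 6649 (DES) or RFC 8429 (3DES, RC4), and drafts the corresponding destroy commands for the principal context. It refuses to produce a plan that would leave no non-deprecated key, since that would break authentication for the principal instead of hardening it. The sample show output is constructed to match the listing in the procedure; the enctype numbers are the IANA Kerberos encryption type assignments.

```python
"""Flag deprecated Kerberos key encryption types in the appliance's `show`
listing and draft the `destroy <key>` commands that would remove them.

Added example, not part of the Oracle appliance documentation. SAMPLE_SHOW
is constructed to mirror the principal-001 listing in the procedure above.
"""
import re

# IANA enctype numbers deprecated for Kerberos by RFC 6649 (DES) and
# RFC 8429 (3DES and RC4). AES types 17 and 18 are not in this set.
DEPRECATED_ENCTYPES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    16: "des3-cbc-sha1",
    23: "rc4-hmac",
    24: "rc4-hmac-exp",
}

# One key row: KEY  KVNO  ENCTYPENO  ENCTYPE (description may contain spaces)
KEY_ROW = re.compile(r"^(key-\d+)\s+(\d+)\s+(\d+)\s+(.+?)\s*$")

# Constructed sample: the `show` output of the principal context.
SAMPLE_SHOW = """\
hostname:configuration services kerberos principal-001> show
Properties:
                         name = nfs/hostname.example.com@TEST.NET

Keys:

KEY       KVNO   ENCTYPENO   ENCTYPE
key-000   28     18          AES-256 CTS mode with 96-bit SHA-1 HMAC
key-001   28     17          AES-128 CTS mode with 96-bit SHA-1 HMAC
key-002   28     16          Triple DES cbc mode with HMAC/sha1
key-003   28     23          ArcFour with HMAC/md5
key-004   28     24          Exportable ArcFour with HMAC/md5
key-005   28     3           DES cbc mode with RSA-MD5
key-006   28     1           DES cbc mode with CRC-32
"""


def parse_keys(show_output: str) -> list[dict]:
    """Return one dict per key row found after the 'Keys:' heading."""
    keys = []
    in_keys = False
    for line in show_output.splitlines():
        if line.strip() == "Keys:":
            in_keys = True
            continue
        if not in_keys:
            continue
        m = KEY_ROW.match(line.strip())  # the header row does not match
        if m:
            keys.append({
                "key": m.group(1),
                "kvno": int(m.group(2)),
                "enctypeno": int(m.group(3)),
                "enctype": m.group(4),
            })
    return keys


def weak_keys(keys: list[dict]) -> list[dict]:
    """Keys whose encryption type number is in the deprecated set."""
    return [k for k in keys if k["enctypeno"] in DEPRECATED_ENCTYPES]


def plan_destroys(show_output: str) -> list[str]:
    """`destroy <key>` lines to enter in the principal context, one per
    deprecated key. Raises ValueError if no non-deprecated key would
    remain, because removing every key leaves the principal unusable."""
    keys = parse_keys(show_output)
    weak = weak_keys(keys)
    if len(weak) == len(keys):
        raise ValueError("no non-deprecated key would remain; re-key first")
    return [f"destroy {k['key']}" for k in weak]


if __name__ == "__main__":
    for k in weak_keys(parse_keys(SAMPLE_SHOW)):
        print(f"{k['key']} kvno={k['kvno']} enctype {k['enctypeno']} "
              f"({DEPRECATED_ENCTYPES[k['enctypeno']]}) is deprecated")
    print("\n".join(plan_destroys(SAMPLE_SHOW)))
```

Each drafted line is still entered by hand in the principal context, and the appliance asks for the Y/N confirmation shown in the procedure; the script only decides which keys are candidates. Run it against a listing captured from your own appliance before planning a cleanup, and keep the AES keys: clients that still negotiate RC4 or DES should be fixed on the client side rather than by retaining the weak keys.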