principaladministering policiesadministering Kerberosadministering This chapter provides procedures for administering principals and the policies that are associated with them. This chapter also shows how to administer a host's keytab file.This chapter should be used by anyone who needs to administer principals and policies. Before you use this chapter, you should be familiar with principals and policies, including any planning considerations. Refer to Chapter 21, Introduction to the Kerberos Service and Chapter 22, Planning for the Kerberos Service, respectively.This is a list of the information in this chapter.Ways to Administer Kerberos Principals and Policies SEAM Administration Tool Administering Kerberos Principals Administering Kerberos Policies SEAM Tool Reference Administering Keytab Files SEAM Administration Toolgkadmin commandSEAM Administration Toolkadmin commandThe Kerberos database on the master KDC contains all of your realm's Kerberos principals, their passwords, policies, and other administrative information. To create and delete principals, and to modify their attributes, you can use either the kadmin or gkadmin command.The kadmin command provides an interactive command-line interface that enables you to maintain Kerberos principals, policies, and keytab files. There are two versions of the kadmin command:kadmin – Uses Kerberos authentication to operate securely from anywhere on the network kadmin commandSEAM Administration Tool andkadmin.local – Must be run directly on the master KDC Other than kadmin using Kerberos to authenticate the user, the capabilities of the two versions are identical. The local version is necessary to enable you to set up enough of the database so that you can use the remote version. gkadmin commandSEAM Administration ToolAlso, the Solaris release provides the SEAM Administration Tool, gkadmin, which is an interactive graphical user interface (GUI) that provides essentially the same capabilities as the kadmin command. See SEAM Administration Tool for more information. KerberosAdministration ToolSEAM Administration Tool SEAM Administration Tooloverview The SEAM Administration Tool (SEAM Tool) is an interactive graphical user interface (GUI) that enables you to maintain Kerberos principals and policies. This tool provides much the same capabilities as the kadmin command. However, this tool does not support the management of keytab files. You must use the kadmin command to administer keytab files, which is described in Administering Keytab Files.SEAM Administration Toolor kadmin commandSimilar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted RPC to operate securely from anywhere on the network. The SEAM Tool enables you to do the following:Create new principals that are based on default values or existing principals. Create new policies that are based on existing policies. Add comments for principals. Set up default values for creating new principals. Log in as another principal without exiting the tool. Print or save principal lists and policy lists. View and search principal lists and policy lists. The SEAM Tool also provides context-sensitive help and general online help.The following task maps provide pointers to the various tasks that you can do with the SEAM Tool:Administering Kerberos Principals (Task Map) Administering Kerberos Policies (Task Map) Also, go to SEAM Tool Panel Descriptions for descriptions of all the principal attributes and policy attributes that you can either specify or view in the SEAM Tool.SEAM Administration Toolcommand-line equivalents command-line equivalents of SEAM Administration Tool X Window systemand SEAM Administration Tool SEAM Administration Tooland X Window system This section lists the kadmin commands that provide the same capabilities as the SEAM Tool. These commands can be used without running an X Window system. Even though most procedures in this chapter use the SEAM Tool, many procedures also provide corresponding examples that use the command-line equivalents.SEAM Tool Procedure Equivalent kadmin Command View the list of principals. list_principals or get_principals View a principal's attributes. get_principal Create a new principal. add_principal Duplicate a principal. No command-line equivalent Modify a principal. modify_principal or change_password Delete a principal. delete_principal Set up defaults for creating new principals. No command-line equivalent View the list of policies. list_policies or get_policies View a policy's attributes. get_policy Create a new policy. add_policy Duplicate a policy. No command-line equivalent Modify a policy. modify_policy Delete a policy. delete_policy .gkadmin fileSEAM Administration Tool and SEAM Administration Toolfiles modified by SEAM Administration Tool.gkadmin file The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This file contains the default values for creating new principals. You can update this file by choosing Properties from the Edit menu. SEAM Administration Toolonline help SEAM Administration Toolhelp online helpSEAM Administration Tool helpSEAM Administration Tool The SEAM Tool provides both print features and online help features. From the Print menu, you can send the following to a printer or a file:List of available principals on the specified master KDC List of available policies on the specified master KDC The currently selected principal or the loaded principal helpSEAM Administration Toolcontext-sensitive helpSEAM Administration ToolSEAM Administration Toolcontext-sensitive helpThe currently selected policy or the loaded policy From the Help menu, you can access context-sensitive help and general help. When you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is displayed and the tool is switched to help mode. In help mode, when you click on any fields, labels, or buttons on the window, help on that item is displayed in the Help window. To switch back to the tool's normal mode, click Dismiss in the Help window. Help ContentsSEAM Administration ToolSEAM Administration ToolHelp ContentsYou can also choose Help Contents, which opens an HTML browser that provides pointers to the general overview and task information that is provided in this chapter. As your site starts to accumulate a large number of principals and policies, the time it takes the SEAM Tool to load and display the principal and policy lists will become increasingly longer. Thus, your productivity with the tool will decrease. There are several ways to work around this problem.First, you can completely eliminate the time to load the lists by not having the SEAM Tool load the lists. You can set this option by choosing Properties from the Edit menu, and unchecking the Show Lists field. Of course, when the tool doesn't load the lists, it can't display the lists, and you can no longer use the list panels to select principals or policies. Instead, you must type a principal or policy name in the new Name field that is provided, then select the operation that you want to perform on it. In effect, typing a name is equivalent to selecting an item from the list. Another way to work with large lists is to cache them. In fact, caching the lists for a limited time is set as the default behavior for the SEAM Tool. The SEAM Tool must still initially load the lists into the cache. But after that, the tool can use the cache rather than retrieve the lists again. This option eliminates the need to keep loading the lists from the server, which is what takes so long.You can set list caching by choosing Properties from the Edit menu. There are two cache settings. You can choose to cache the list forever, or you can specify a time limit when the tool must reload the lists from the server into the cache. Caching the lists still enables you to use the list panels to select principals and policies, so it doesn't affect how you use the SEAM Tool as the first option does. Also, even though caching doesn't enable you to see the changes of other users, you can still see the latest list information based on your changes, because your changes update the lists both on the server and in the cache. And, if you want to update the cache to see other changes and get the lastest copy of the lists, you can use the Refresh menu whenever you want to refresh the cache from the server. SEAM Administration Toolstarting Start the SEAM Tool by using the gkadmin command.$ /usr/sbin/gkadminSEAM Administration Toollogin windowThe SEAM Administration Login window is displayed. Dialog box titled SEAM Administration Login shows four fields for Principal Name, Password, Realm, and Master KDC. Shows OK and Start Over buttons. If you don't want to use the default values, specify new default values.SEAM Administration Tooldefault valuesThe window automatically fills in with default values. The default principal name is determined by taking your current identity from the USER environment variable and appending /admin to it (username/admin). The default Realm and Master KDC fields are selected from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click Start Over.The administration operations that each Principal Name can perform are dictated by the Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see Using the SEAM Tool With Limited Kerberos Administration Privileges. Type a password for the specified principal name. Click OK.The following window is displayed. Dialog box titled Seam Administration Tool shows a list of principals and a list filter. Shows Modify, Create New, Delete, and Duplicate buttons. principaladministering administeringKerberosprincipals This section provides the step-by-step instructions used to administer principals with the SEAM Tool. This section also provides examples of command-line equivalents, when available.principaltask map for administering task mapsadministering principals (Kerberos) Task Description For Instructions View the list of principals. View the list of principals by clicking the Principals tab. How to View the List of Kerberos Principals View a principal's attributes. View a principal's attributes by selecting the Principal in the Principal List, then clicking the Modify button. How to View a Kerberos Principal's Attributes Create a new principal. Create a new principal by clicking the Create New button in the Principal List panel. How to Create a New Kerberos Principal Duplicate a principal. Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button. How to Duplicate a Kerberos Principal Modify a principal. Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button.Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal. How to Modify a Kerberos Principal Delete a principal. Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button. How to Delete a Kerberos Principal Set up defaults for creating new principals. Set up defaults for creating new principals by choosing Properties from the Edit menu. How to Set Up Defaults for Creating New Kerberos Principals Modify the Kerberos administration privileges (kadm5.acl file). Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify.You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal. How to Modify the Kerberos Administration Privileges principalautomating creation of automating principal creation kadmin.local commandautomating creation of principalsEven though the SEAM Tool provides ease-of-use, it doesn't provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.The following shell script line is an example of how to automate the creation of new principals:awk '{ print "ank +needchange -pw", $2, $1 }' < /tmp/princnames | time /usr/sbin/kadmin.local> /dev/nullThis example is split over two lines for readability. The script reads in a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces. The +needchange option configures the principal so that the user is prompted for a new password during login with the principal for the first time. This practice helps to ensure that the passwords in the princnames file are not a security risk.You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site's needs and your scripting expertise. principalviewing list of viewinglist of principals SEAM Administration Toolviewing list of principals An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Principals tab.The list of principals is displayed. Dialog box titled Seam Administration Tool shows a list of principals and a list filter. Shows Modify, Create New, Delete, and Duplicate buttons. Display a specific principal or a sublist of principals.SEAM Administration ToolFilter Pattern fieldSEAM Administration Tooldisplaying sublist of principalsdisplayingsublist of principals (Kerberos)principalviewing sublist of principalsType a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge). If you want to display the entire list of principals, click Clear Filter. In the following example, the list_principals command of kadmin is used to list all the principals that match test*. Wildcards can be used with the list_principals command.kadmin: list_principals test* test1@EXAMPLE.COM test2@EXAMPLE.COM kadmin: quit SEAM Administration Toolviewing a principal's attributes viewingprincipal's attributes principalviewing attributes An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Principals tab. Select the principal in the list that you want to view, then click Modify. The Principal Basics panel that contains some of the principal's attributes is displayed. Continue to click Next to view all the principal's attributes.Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions. When you are finished viewing, click Cancel. The following example shows the first window when you are viewing the jdb/admin principal. Dialog box titled SEAM Administration Tool shows account data for the jdb/admin principal. Shows account expiration date and comments. In the following example, the get_principal command of kadmin is used to view the attributes of the jdb/admin principal.kadmin: getprinc jdb/admin Principal: jdb/admin@EXAMPLE.COM Expiration date: Fri Aug 25 17:19:05 PDT 2004 Last password change: [never] Password expiration date: Wed Apr 14 11:53:10 PDT 2003 Maximum ticket life: 1 day 16:00:00 Maximum renewable life: 1 day 16:00:00 Last modified: Thu Jan 14 11:54:09 PST 2003 (admin/admin@EXAMPLE.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 1 Key: vno 1, DES cbc mode with CRC-32, no salt Attributes: REQUIRES_HW_AUTH Policy: [none] kadmin: quit principalcreating creatingnew principal (Kerberos) SEAM Administration Toolcreating a new principal An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.policiescreating (Kerberos)SEAM Administration Toolcreating a new policycreatingnew policy (Kerberos)If you are creating a new principal that might need a new policy, you should create the new policy before you create the new principal. Go to How to Create a New Kerberos Policy. $ /usr/sbin/gkadmin Click the Principals tab. Click New.The Principal Basics panel that contains some attributes for a principal is displayed. Specify a principal name and a password.Both the principal name and the password are mandatory. Specify values for the principal's attributes, and continue to click Next to specify more attributes.Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions. Click Save to save the principal, or click Done on the last panel. kadm5.acl filenew principals andACLkadm5.acl fileIf needed, set up Kerberos administration privileges for the new principal in the /etc/krb5/kadm5.acl file.See How to Modify the Kerberos Administration Privileges for more details. The following example shows the Principal Basics panel when a new principal called pak is created. The policy is set to testuser. Dialog box titled SEAM Administration Tool shows account data for the pak principal. Shows password, account expiration date, and testuser policy. In the following example, the add_principal command of kadmin is used to create a new principal called pak. The principal's policy is set to testuser.kadmin: add_principal -policy testuser pak Enter password for principal "pak@EXAMPLE.COM": <Type the password> Re-enter password for principal "pak@EXAMPLE.COM": <Type the password again> Principal "pak@EXAMPLE.COM" created. kadmin: quit principalduplicating SEAM Administration Toolduplicating a principal duplicatingprincipals (Kerberos) This procedure explains how to use all or some of the attributes of an existing principal to create a new principal. No command-line equivalent exists for this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Principals tab. Select the principal in the list that you want to duplicate, then click Duplicate. The Principal Basics panel is displayed. All the attributes of the selected principal are duplicated, except for the Principal Name and Password fields, which are empty. Specify a principal name and a password.Both the principal name and the password are mandatory. To make an exact duplicate of the principal you selected, click Save and skip to Step 7. Specify different values for the principal's attributes, and continue to click Next to specify more attributes.Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions. Click Save to save the principal, or click Done on the last panel. kadm5.acl filenew principals andACLkadm5.acl fileIf needed, set up Kerberos administration privileges for the principal in /etc/krb5/kadm5.acl file.See How to Modify the Kerberos Administration Privileges for more details. principalmodifying modifyingprincipals (Kerberos) SEAM Administration Toolmodifying a principal An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Principals tab. Select the principal in the list that you want to modify, then click Modify.The Principal Basics panel that contains some of the attributes for the principal is displayed. Modify the principal's attributes, and continue to click Next to modify more attributes.Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to SEAM Tool Panel Descriptions.You cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal. Click Save to save the principal, or click Done on the last panel. Modify the Kerberos administration privileges for the principal in the /etc/krb5/kadm5.acl file.See How to Modify the Kerberos Administration Privileges for more details. passwordsmodifying a principal's password modifyingprincipal's password (Kerberos) In the following example, the change_password command of kadmin is used to modify the password for the jdb principal. The change_password command does not let you change the password to a password that is in the principal's password history.kadmin: change_password jdb Enter password for principal "jdb": <Type the new password> Re-enter password for principal "jdb": <Type the password again> Password for "jdb@EXAMPLE.COM" changed. kadmin: quitTo modify other attributes for a principal, you must use the modify_principal command of kadmin. principaldeleting deletingprincipal (Kerberos) SEAM Administration Tooldeleting a principal An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Principals tab. Select the principal in the list that you want to delete, then click Delete. After you confirm the deletion, the principal is deleted. Remove the principal from the Kerberos access control list (ACL) file, /etc/krb5/kadm5.acl.See How to Modify the Kerberos Administration Privileges for more details. In the following example, the delete_principal command of kadmin is used to delete the jdb principal.kadmin: delete_principal pak Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes Principal "pak@EXAMPLE.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing. kadmin: quit principalsetting up defaults settingprincipal defaults (Kerberos) SEAM Administration Toolsetting up principal defaults No command-line equivalent exists for this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Choose Properties from the Edit Menu.The Properties window is displayed. Dialog box titled Properties shows defaults for new principals and list controls. Defaults for principals cover security and other options. Select the defaults that you want to use when you create new principals.Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window. Click Save. Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals. Become superuser on the master KDC. Edit the /etc/krb5/kadm5.acl file.ACLkadm5.acl filekadm5.acl fileformat of entriesAn entry in the kadm5.acl file must have the following format:principal privileges [principal-target]principal Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges. privileges Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following list of characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted. a [Dis]allows the addition of principals or policies. d [Dis]allows the deletion of principals or policies. m [Dis]allows the modification of principals or polices. c [Dis]allows the changing of passwords for principals. i [Dis]allows inquiries to the Kerberos database. l [Dis]allows the listing of principals or policies in the Kerberos database. x or * Allows all privileges (admcil). principal-target When a principal is specified in this field, the privileges apply to the principal only when the principal operates on the principal-target. Any part of the principal name can include the '*' wildcard, which is useful to group principals. The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database:*/admin@EXAMPLE.COM *The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privileges to add, list, and inquire about any principal that has the root instance.jdb@EXAMPLE.COM ali */root@EXAMPLE.COM policiesadministering administeringKerberospolicies This section provides step-by-step instructions used to administer policies with the SEAM Tool. This section also provides examples of command-line equivalents, when available.task mapsadministering policies (Kerberos) policiestask map for administering Task Description For Instructions View the list of policies. View the list of policies by clicking the Policies tab. How to View the List of Kerberos Policies View a policy's attributes. View a policy's attributes by selecting the policy in the Policy List, then clicking the Modify button. How to View a Kerberos Policy's Attributes Create a new policy. Create a new policy by clicking the Create New button in the Policy List panel. How to Create a New Kerberos Policy Duplicate a policy. Duplicate a policy by selecting the policy to duplicate in the Policy List, then clicking the Duplicate button. How to Duplicate a Kerberos Policy Modify a policy. Modify a policy by selecting the policy to modify in the Policy List, then clicking the Modify button.Note that you cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy. How to Modify a Kerberos Policy Delete a policy. Delete a policy by selecting the policy to delete in the Policy List, then clicking the Delete button. How to Delete a Kerberos Policy policiesviewing list of viewinglist of policies SEAM Administration Toolviewing list of policies An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Policies tab.The list of policies is displayed. Dialog box titled SEAM Administration Tool shows a list of policies and a policy filter. Shows Modify, Create New, Delete, and Duplicate buttons. Display a specific policy or a sublist of policies.Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of policies that match the filter is displayed.The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the policies with the ge string in them (for example, george or edge). If you want to display the entire list of policies, click Clear Filter. In the following example, the list_policies command of kadmin is used to list all the policies that match *user*. Wildcards can be used with the list_policies command.kadmin: list_policies *user* testuser enguser kadmin: quit policiesviewing attributes viewingpolicy attributes SEAM Administration Toolviewing policy attributes An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Policies tab. Select the policy in the list that you want to view, then click Modify. The Policy Details panel is displayed. When you are finished viewing, click Cancel. The following example shows the Policy Details panel when you are viewing the test policy. Dialog box titled SEAM Administration Tool shows policy details of the enguser policy. Shows Save, Previous, Done, and Cancel buttons In the following example, the get_policy command of kadmin is used to view the attributes of the enguser policy.kadmin: get_policy enguser Policy: enguser Maximum password life: 2592000 Minimum password life: 0 Minimum password length: 8 Minimum number of password character classes: 2 Number of old keys kept: 3 Reference count: 0 kadmin: quitThe Reference count is the number of principals that use this policy. policiescreating new (Kerberos) creatingnew policy (Kerberos) SEAM Administration Toolcreating a new policy An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Policies tab. Click New.The Policy Details panel is displayed. Specify a name for the policy in the Policy Name field.The policy name is mandatory. Specify values for the policy's attributes.Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions. Click Save to save the policy, or click Done. In the following example, a new policy called build11 is created. The Minimum Password Classes is set to 3. Dialog box titled SEAM Administration Tool shows policy details of the build11 policy. Shows Save, Previous, Done, and Cancel buttons. In the following example, the add_policy command of kadmin is used to create the build11 policy. This policy requires at least 3 character classes in a password.$ kadmin kadmin: add_policy -minclasses 3 build11 kadmin: quit This procedure explains how to use all or some of the attributes of an existing policy to create a new policy. No command-line equivalent exists for this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Policies tab. Select the policy in the list that you want to duplicate, then click Duplicate. The Policy Details panel is displayed. All the attributes of the selected policy are duplicated, except for the Policy Name field, which is empty. Specify a name for the duplicated policy in the Policy Name field.The policy name is mandatory. To make an exact duplicate of the policy you selected, skip to Step 6. Specify different values for the policy's attributes.Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions. Click Save to save the policy, or click Done. policiesmodifying modifyingpolicies (Kerberos) SEAM Administration Toolmodifying a policy An example of the command-line equivalent follows this procedure. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for details.$ /usr/sbin/gkadmin Click the Policies tab. Select the policy in the list that you want to modify, then click Modify. The Policy Details panel is displayed. Modify the policy's attributes.Choose Context-Sensitive Help from the Help menu for information about the various attributes in this window. Or, go to Table 25–5 for all the policy attribute descriptions.You cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy. Click Save to save the policy, or click Done. In the following example, the modify_policy command of kadmin is used to modify the minimum length of a password to five characters for the build11 policy.$ kadmin kadmin: modify_policy -minlength 5 build11 kadmin: quit policiesdeleting deletingpolicies (Kerberos) SEAM Administration Tooldeleting policies An example of the command-line equivalent follows this procedure.Before you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to modify the principals' Policy attribute. The policy cannot be deleted if any principal is using it. If necessary, start the SEAM Tool.See How to Start the SEAM Tool for more information.$ /usr/sbin/gkadmin Click the Policies tab. Select the policy in the list that you want to delete, then click Delete. After you confirm the deletion, the policy is deleted. In the following example, the delete_policy command of the kadmin command is used to delete the build11 policy.kadmin: delete_policy build11 Are you sure you want to delete the policy "build11"? (yes/no): yes kadmin: quitBefore you delete a policy, you must cancel the policy from all principals that are currently using it. To do so, you need to use the modify_principal policy command of kadmin on the affected principals. The delete_policy command fails if the policy is in use by a principal. This section provides descriptions of each panel in the SEAM Tool. Also, information about using limited privileges with SEAM Tool are provided.SEAM Administration Toolpanel descriptions SEAM Administration Tooltable of panels policiesSEAM Administration Tool panels for principalSEAM Administration Tool panels for panelstable of SEAM Administration Tool This section provides descriptions for each principal and policy attribute that you can either specify or view in the SEAM Tool. The attributes are organized by the panel in which they are displayed.Attribute Description Principal Name The name of the principal (which is the primary/instance part of a fully qualified principal name). A principal is a unique identity to which the KDC can assign tickets.If you are modifying a principal, you cannot edit its name. Password The password for the principal. You can use the Generate Random Password button to create a random password for the principal. Policy A menu of available policies for the principal. Account Expires The date and time on which the principal's account expires. When the account expires, the principal can no longer get a ticket-granting ticket (TGT) and might be unable to log in. Last Principal Change The date on which information for the principal was last modified. (Read only) Last Changed By The name of the principal that last modified the account for this principal. (Read only) Comments Comments that are related to the principal (for example, “Temporary Account”). Attribute Description Last Success The date and time when the principal last logged in successfully. (Read only) Last Failure The date and time when the last login failure for the principal occurred. (Read only) Failure Count The number of times a login failure has occurred for the principal. (Read only) Last Password Change The date and time when the principal's password was last changed. (Read only) Password Expires The date and time when the principal's current password expires. Key Version The key version number for the principal. This attribute is normally changed only when a password has been compromised. Maximum Lifetime (seconds) The maximum length of time for which a ticket can be granted for the principal (without renewal). Maximum Renewal (seconds) The maximum length of time for which an existing ticket can be renewed for the principal. Attribute (Radio Buttons) Description Disable Account When checked, prevents the principal from logging in. This attribute provides an easy way to temporarily freeze a principal account. Require Password Change When checked, expires the principal's current password, which forces the user to use the kpasswd command to create a new password. This attribute is useful if a security breach occurs, and you need to make sure that old passwords are replaced. Allow Postdated Tickets When checked, allows the principal to obtain postdated tickets. For example, you might need to use postdated tickets for cron jobs that must run after hours, but you cannot obtain tickets in advance because of short ticket lifetimes. Allow Forwardable Tickets When checked, allows the principal to obtain forwardable tickets.Forwardable tickets are tickets that are forwarded to the remote host to provide a single-sign-on session. For example, if you are using forwardable tickets and you authenticate yourself through ftp or rsh, then other services, such as NFS services, are available without your being prompted for another password. Allow Renewable Tickets When checked, allows the principal to obtain renewable tickets.A principal can automatically extend the expiration date or time of a ticket that is renewable (rather than having to get a new ticket after the first ticket expires). Currently, the NFS service is the ticket service that can renew tickets. Allow Proxiable Tickets When checked, allows the principal to obtain proxiable tickets.A proxiable ticket is a ticket that can be used by a service on behalf of a client to perform an operation for the client. With a proxiable ticket, a service can take on the identity of a client and obtain a ticket for another service. However, the service cannot obtain a ticket-granting ticket (TGT). Allow Service Tickets When checked, allows service tickets to be issued for the principal.You should not allow service tickets to be issued for the kadmin/hostname and changepw/hostname principals. This practice ensures that only these principals can update the KDC database. Allow TGT-Based Authentication When checked, allows the service principal to provide services to another principal. More specifically, this attribute allows the KDC to issue a service ticket for the service principal.This attribute is valid only for service principals. When unchecked, service tickets cannot be issued for the service principal. Allow Duplicate Authentication When checked, allows the user principal to obtain service tickets for other user principals.This attribute is valid only for user principals. When unchecked, the user principal can still obtain service tickets for service principals, but not for other user principals. Required Preauthentication When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through software) that the principal is really the principal that is requesting the TGT. This preauthentication is usually done through an extra password, for example, from a DES card.When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. Required Hardware Authentication When checked, the KDC will not send a requested ticket-granting ticket (TGT) to the principal until the KDC can authenticate (through hardware) that the principal is really the principal that is requesting the TGT. Hardware preauthentication can occur, for example, on a Java ring reader.When unchecked, the KDC does not need to preauthenticate the principal before the KDC sends a requested TGT to the principal. Attribute Description Policy Name The name of the policy. A policy is a set of rules that govern a principal's password and tickets.If you are modifying a policy, you cannot edit its name. Minimum Password Length The minimum length for the principal's password. Minimum Password Classes The minimum number of different character types that are required in the principal's password.For example, a minimum classes value of 2 means that the password must have at least two different character types, such as letters and numbers (hi2mom). A value of 3 means that the password must have at least three different character types, such as letters, numbers, and punctuation (hi2mom!). And so on. A value of 1 sets no restriction on the number of password character types. Saved Password History The number of previous passwords that have been used by the principal, and a list of the previous passwords that cannot be reused. Minimum Password Lifetime (seconds) The minimum length of time that the password must be used before it can be changed. Maximum Password Lifetime (seconds) The maximum length of time that the password can be used before it must be changed. Principals Using This Policy The number of principals to which this policy currently applies. (Read only) SEAM Administration Tooland limited administration privileges All features of the SEAM Administration Tool are available if your admin principal has all the privileges to administer the Kerberos database. However, you might have limited privileges, such as only being allowed to view the list of principals or to change a principal's password. With limited Kerberos administration privileges, you can still use the SEAM Tool. However, various parts of the SEAM Tool change based on the Kerberos administration privileges that you do not have. Table 25–6 shows how the SEAM Tool changes based on your Kerberos administration privileges.SEAM Administration Tooland list privilegeslist privilegeSEAM Administration Tool andSEAM Administration ToolprivilegesThe most visual change to the SEAM Tool occurs when you don't have the list privilege. Without the list privilege, the List panels do not display the list of principals and polices for you to manipulate. Instead, you must use the Name field in the List panels to specify a principal or a policy that you want to manipulate. If you log in to the SEAM Tool, and you do not have sufficient privileges to perform tasks with it, the following message displays and you are sent back to the SEAM Administration Login window:Insufficient privileges to use gkadmin: ADMCIL. Please try using another principal.SEAM Administration Toolhow affected by privilegesprivilegeseffects on SEAM Administration ToolTo change the privileges for a principal so that it can administer the Kerberos database, go to How to Modify the Kerberos Administration Privileges.Disallowed Privilege How the SEAM Tool Changes a (add) The Create New and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the add privilege, you cannot create new principals or policies, or duplicate them. d (delete) The Delete button is unavailable in the Principal List and Policy List panels. Without the delete privilege, you cannot delete principals or policies. m (modify) The Modify button is unavailable in the Principal List and Policy List panels. Without the modify privilege, you cannot modify principals or policies. Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. c (change password) The Password field in the Principal Basics panel is read only and cannot be changed. Without the change password privilege, you cannot modify a principal's password. Note that even if you have the change password privilege, you must also have the modify privilege to change a principal's password. i (inquiry to database) The Modify and Duplicate buttons are unavailable in the Principal List and Policy List panels. Without the inquiry privilege, you cannot modify or duplicate a principal or a policy. Also, with the Modify button unavailable, you cannot modify a principal's password, even if you have the change password privilege. l (list) The list of principals and policies in the List panels are unavailable. Without the list privilege, you must use the Name field in the List panels to specify the principal or the policy that you want to manipulate. keytab fileadministering administeringKerberoskeytabs service keyskeytab files and keysservice key Every host that provides a service must have a local file, called a keytab (short for “key table”). The keytab contains the principal for the appropriate service, called a service key. A service key is used by a service to authenticate itself to the KDC and is known only by Kerberos and the service itself. For example, if you have a Kerberized NFS server, that server must have a keytab file that contains its nfs service principal.ktadd commandadding service principalkeytab fileadding service principal tokadm5.keytab filedescriptionservice principaladding to keytab fileprincipaladding service principal to keytabTo add a service key to a keytab file, you add the appropriate service principal to a host's keytab file by using the ktadd command of kadmin. Because you are adding a service principal to a keytab file, the principal must already exist in the Kerberos database so that kadmin can verify its existence. On the master KDC, the keytab file is located at /etc/krb5/kadm5.keytab, by default. On application servers that provide Kerberized services, the keytab file is located at /etc/krb5/krb5.keytab, by default.A keytab is analogous to a user's password. Just as it is important for users to protect their passwords, it is equally important for application servers to protect their keytab files. You should always store keytab files on a local disk, and make them readable only by the root user. Also, you should never send a keytab file over an unsecured network. root principaladding to host's keytabThere is also a special instance in which to add a root principal to a host's keytab file. If you want a user on the Kerberos client to mount Kerberized NFS file systems that require root-equivalent access, you must add the client's root principal to the client's keytab file. Otherwise, users must use the kinit command as root to obtain credentials for the client's root principal whenever they want to mount a Kerberized NFS file system with root access, even when they are using the automounter. kadmind principalchangepw principalWhen you set up a master KDC, you need to add the kadmind and changepw principals to the kadm5.keytab file. ktutil commandadministering keytab filekeytab fileadministering with ktutil commandAnother command that you can use to administer keytab files is the ktutil command. This interactive command enables you to manage a local host's keytab file without having Kerberos administration privileges, because ktutil doesn't interact with the Kerberos database as kadmin does. So, after a principal is added to a keytab file, you can use ktutil to view the keylist in a keytab file or to temporarily disable authentication for a service.When you change a principal in a keytab file using the ktadd command in kadmin, a new key is generated and added to the keytab file. Task Description For Instructions Add a service principal to a keytab file. Use the ktadd command of kadmin to add a service principal to a keytab file. How to Add a Kerberos Service Principal to a Keytab File Remove a service principal from a keytab file. Use the ktremove command of kadmin to remove a service from a keytab file. How to Remove a Service Principal From a Keytab File Display the keylist (list of principals) in a keytab file. Use the ktutil command to display the keylist in a keytab file. How to Display the Keylist (Principals) in a Keytab File Temporarily disable authentication for a service on a host. This procedure is a quick way to temporarily disable authentication for a service on a host without requiring kadmin privileges. Before you use ktutil to delete the service principal from the server's keytab file, copy the original keytab file to a temporary location. When you want to enable the service again, copy the original keytab file back to its proper location. How to Temporarily Disable Authentication for a Service on a Host keytab fileadding service principal to addingservice principal to keytab file (Kerberos) service principaladding to keytab file principaladding service principal to keytab ktadd commandadding service principal kadmin commandktadd command Make sure that the principal already exists in the Kerberos database. See How to View the List of Kerberos Principals for more information. Become superuser on the host that needs a principal added to its keytab file. Start the kadmin command. # /usr/sbin/kadmin ktadd commandsyntaxAdd a principal to a keytab file by using the ktadd command.kadmin: ktadd [-e enctype] [-k keytab] [-q] [principal | -glob principal-exp]e enctypeOverrides the list of encryption types defined in the krb5.conf file. k keytabSpecifies the keytab file. By default, /etc/krb5/krb5.keytab is used. qDisplays less verbose information. principalSpecifies the principal to be added to the keytab file. You can add the following service principals: host, root, nfs, and ftp. glob principal-expSpecifies the principal expressions. All principals that match the principal-exp are added to the keytab file. The rules for principal expression are the same as for the list_principals command of kadmin. Quit the kadmin command.kadmin: quit In the following example, the kadmin/kdc1.example.com and changepw/kdc1.example.com principals are added to a master KDC's keytab file. For this example, the keytab file must be the file that is specified in the kdc.conf file.kdc1 # /usr/sbin/kadmin.local kadmin.local: ktadd -k /etc/krb5/kadm5.keytab kadmin/kdc1.example.com changepw/kdc1.example.com Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal kadmin/kdc1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal changepw/kdc1.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal changepw/kdc1.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal changepw/kdc1.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/kadm5.keytab. Entry for principal changepw/kdc1.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/kadm5.keytab. kadmin.local: quitIn the following example, denver's host principal is added to denver's keytab file, so that the KDC can authenticate denver's network services.denver # /usr/sbin/kadmin kadmin: ktadd host/denver.example.com Entry for principal host/denver.example.com with kvno 3, encryption type AES-256 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/denver.example.com with kvno 3, encryption type AES-128 CTS mode with 96-bit SHA-1 HMAC added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/denver.example.com with kvno 3, encryption type Triple DES cbc mode with HMAC/sha1 added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/denver.example.com with kvno 3, encryption type ArcFour with HMAC/md5 added to keytab WRFILE:/etc/krb5/krb5.keytab. Entry for principal host/denver.example.com with kvno 3, encryption type DES cbc mode with RSA-MD5 added to keytab WRFILE:/etc/krb5/krb5.keytab. kadmin: quit keytab fileremoving service principal from removingservice principal from keytab file service principalremoving from keytab file principalremoving service principal from keytab kadmin commandremoving principals from keytab with Become superuser on the host with a service principal that must be removed from its keytab file. Start the kadmin command. # /usr/sbin/kadmin ktutil commandviewing list of principalskeytab fileviewing contents with ktutil commandTo display the current list of principals (keys) in the keytab file, use the ktutil command. See How to Display the Keylist (Principals) in a Keytab File for detailed instructions. ktremove commandkeytab fileremoving principals with ktremove commandremovingprincipals with ktremove commandprincipalremoving from keytab filekadmin commandktremove commandRemove a principal from the keytab file by using the ktremove command.kadmin: ktremove [-k keytab] [-q] principal [kvno | all | old ]k keytabSpecifies the keytab file. By default, /etc/krb5/krb5.keytab is used. qDisplays less verbose information. principalSpecifies the principal to be removed from the keytab file. kvnoRemoves all entries for the specified principal whose key version number matches kvno. allRemoves all entries for the specified principal. oldRemoves all entries for the specified principal, except those principals with the highest key version number. Quit the kadmin command.kadmin: quit In the following example, denver's host principal is removed from denver's keytab file.denver # /usr/sbin/kadmin kadmin: ktremove host/denver.example.com@EXAMPLE.COM kadmin: Entry for principal host/denver.example.com@EXAMPLE.COM with kvno 3 removed from keytab WRFILE:/etc/krb5/krb5.keytab. kadmin: quit ktutil commandviewing list of principals keytab fileviewing contents with ktutil command Become superuser on the host with the keytab file.Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership. Start the ktutil command.# /usr/bin/ktutil read_kt commandkeytab fileread into keytab buffer with read_kt commandktutil commandread_kt commandRead the keytab file into the keylist buffer by using the read_kt command.ktutil: read_kt keytab list commandviewingkeylist buffer with list commandkeytab fileviewing keylist buffer with list commandktutil commandlist commandDisplay the keylist buffer by using the list command.ktutil: listThe current keylist buffer is displayed. Quit the ktutil command.ktutil: quit The following example displays the keylist in the /etc/krb5/krb5.keytab file on the denver host.denver # /usr/bin/ktutil ktutil: read_kt /etc/krb5/krb5.keytab ktutil: list slot KVNO Principal ---- ---- --------------------------------------- 1 5 host/denver@EXAMPLE.COM ktutil: quit hostsdisabling Kerberos service on servicedisabling on a host disablingservice on a host (Kerberos) At times, you might need to temporarily disable the authentication mechanism for a service, such as rlogin or ftp, on a network application server. For example, you might want to stop users from logging in to a system while you are performing maintenance procedures. The ktutil command enables you to accomplish this task by removing the service principal from the server's keytab file, without requiring kadmin privileges. To enable authentication again, you just need to copy the original keytab file that you saved back to its original location.By default, most services are set up to require authentication. If a service is not set up to require authentication, then the service still works, even if you disable authentication for the service. Become superuser on the host with the keytab file.Although you can create keytab files that are owned by other users, using the default location for the keytab file requires root ownership. Save the current keytab file to a temporary file. Start the ktutil command.# /usr/bin/ktutil read_kt commandkeytab fileread into keytab buffer with read_kt commandktutil commandread_kt commandRead the keytab file into the keylist buffer by using the read_kt command.ktutil: read_kt keytab viewingkeylist buffer with list commandlist commandkeytab fileviewing keylist buffer with list commandktutil commandlist commandDisplay the keylist buffer by using the list command.ktutil: listThe current keylist buffer is displayed. Note the slot number for the service that you want to disable. delete_entry commandktutil commanddeletinghost's servicekeytab filedisabling a host's service with delete_entry commandktutil commanddelete_entry commandTo temporarily disable a host's service, remove the specific service principal from the keylist buffer by using the delete_entry command.ktutil: delete_entry slot-numberWhere slot-number specifies the slot number of the service principal to be deleted, which is displayed by the list command. Write the keylist buffer to a new keytab file by using the write_kt command.ktutil: write_kt new-keytab Quit the ktutil command.ktutil: quit Move the new keytab file.# mv new-keytab keytab When you want to re-enable the service, copy the temporary (original) keytab file back to its original location. In the following example, the host service on the denver host is temporarily disabled. To re-enable the host service on denver, you would copy the krb5.keytab.temp file to the /etc/krb5/krb5.keytab file.denver # cp /etc/krb5/krb5.keytab /etc/krb5/krb5.keytab.temp denver # /usr/bin/ktutil ktutil:read_kt /etc/krb5/krb5.keytab ktutil:list slot KVNO Principal ---- ---- --------------------------------------- 1 8 root/denver@EXAMPLE.COM 2 5 host/denver@EXAMPLE.COM ktutil:delete_entry 2 ktutil:list slot KVNO Principal ---- ---- -------------------------------------- 1 8 root/denver@EXAMPLE.COM ktutil:write_kt /etc/krb5/new.krb5.keytab ktutil: quit denver # cp /etc/krb5/new.krb5.keytab /etc/krb5/krb5.keytab