Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 4 Administration

Administering the Kerberos Database


The Kerberos database now contains the Kerberos principals, their keys, and other administrative information about each principal for your realm. For more information on configuring your realm, refer to “Creating the Kerberos Database”.

Before we proceed further, we need to set up some principal names that will allow us to administer the database. The programs that allow us to do this are kadmin and kadmin.local. The kadmin client contacts kadmind and authenticates with Kerberos, whereas kadmin.local does not require a server for authentication. kadmin.local runs only on the machine that holds the Kerberos database.

kadmind

The kadmind command starts the administrative server. This administrative server runs on the Kerberos server that stores the Kerberos principal database and the policy database. kadmind accepts password change requests and remote requests to administer the information in these databases.

kadmind requires the following configuration files to be set for it to work:

kdc.conf

The KDC configuration file contains configuration information for the KDC and the KADM5 system.

keytab

kadmind requires a keytab containing the keys for the kadmin/admin and kadmin/changepw principals of every realm that kadmind will answer requests for. This admin keytab can be created with kadmin.local. The location of the keytab is determined by the admin_keytab configuration variable in the kdc.conf file.

ACL file

kadmind's access control list (ACL) restricts which principals are allowed to perform administration actions, and which actions each may perform. The path of the ACL file is specified via the acl_file configuration variable in the kdc.conf file.

See the man page for kadmind for more details on kadmind options and configuration values.

kadmin and kadmin.local

These utilities provide a unified administration interface for the Kerberos database. Kerberos administrators use these utilities to create new users and services for the master database, and to modify information for the existing database entries.

Both utilities provide for maintenance of Kerberos principals, policies, and service key tables (keytabs). They exist as both a Kerberos client, 'kadmin', and a local client, 'kadmin.local'.

The kadmin utility uses Kerberos authentication and a Remote Procedure Call (RPC) to operate securely from anywhere on the network.

The 'kadmin.local' utility is intended to run directly on the KDC without any Kerberos authentication. Normal UNIX users cannot execute this command; executing kadmin.local displays the kadmin.local prompt only if you are the root user.

For more information on the kadmin options, type man kadmin at the HP-UX prompt to read the kadmin(1) manpage.

NOTE: All commands can be abbreviated as long as they are unique. Some short versions of the commands are also recognized for backward compatibility.

Also, you can use these utilities to maintain Kerberos principals, policies and service key tables (keytabs).

Getting the kadmin to work

kadmin allows you to administer the Kerberos database remotely (and securely). If you just run kadmin without a registered administrator principal, you may obtain an error message as shown below:

kadmin: Client not found in Kerberos database while initializing kadmin interface

NOTE: In the examples mentioned below, kdc1 is our host and finance.bambi.com the realm.

To be able to use the kadmin interface, you need to register yourself as a database administrator.

On the KDC machine, in kadmin.local, you can add the administrator role:

kadmin.local: addprinc jar/admin
Enter password for principal "jar/admin@finance.bambi.com": <your_password>
Re-enter password for principal "jar/admin@finance.bambi.com": <your_password>
Principal "jar/admin@finance.bambi.com" created
kadmin.local: quit

Now you can access kadmin on the Kerberos server. For example,

/opt/krb5/sbin/kadmin -p jar/admin
Authenticating as principal jar/admin with password
Enter password: <your_password>
kadmin:
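Creating jar/admin only registers the principal; what it may then do through kadmin is decided by the kadmind ACL file named by acl_file in kdc.conf. The following is an added example, not HP's code or the HP-UX kadmind implementation: it evaluates a constructed ACL file written in MIT kadm5.acl syntax (assumed here, since HP-UX Kerberos is MIT-derived; the realm is taken from the examples above) with first-match semantics, so you can check what a given administrator principal is permitted to do before relying on it.

```python
# Evaluator for a kadmind ACL file in MIT kadm5.acl syntax (assumed format):
#   client_principal  permissions  [target_principal]
# '*' matches one principal component (or the realm). Lowercase letters grant rights
# (a=add d=delete m=modify c=changepw i=inquire l=list p=policy s=setkey); 'x' or '*'
# grants all of them. Uppercase (deny) rights and restrictions are not handled here.
ALL_PERMS = set("admclips")

# Constructed sample ACL using the realm from the HP examples (not from the document):
# jar/admin may do everything, other */admin principals may only change passwords
# of and inquire about admin principals, and helpdesk may reset only plain user passwords.
SAMPLE_ACL = """\
jar/admin@finance.bambi.com   *
*/admin@finance.bambi.com     ci    */admin@finance.bambi.com
helpdesk@finance.bambi.com    c     *@finance.bambi.com
"""

def _components(principal):
    """Split 'a/b@REALM' into ['a', 'b', 'REALM']."""
    name, _, realm = principal.partition("@")
    return name.split("/") + ([realm] if realm else [])

def _matches(pattern, principal):
    """Component-wise match: '*' matches exactly one component; counts must agree."""
    pat, prin = _components(pattern), _components(principal)
    return len(pat) == len(prin) and all(p in ("*", c) for p, c in zip(pat, prin))

def parse_acl(text):
    """Return [(client_pattern, granted_perms, target_pattern_or_None)]."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # strip comments and blank lines
        if not fields:
            continue
        if len(fields) < 2:
            raise ValueError("malformed ACL line: %r" % raw)
        perms = ALL_PERMS if fields[1] in ("*", "x") else set(fields[1])
        entries.append((fields[0], perms, fields[2] if len(fields) > 2 else None))
    return entries

def is_allowed(entries, client, perm, target=None):
    """First entry matching the client (and the target, when the entry names one)
    decides, as in the classic kadm5 ACL check; no matching entry means kadmind refuses."""
    for who, perms, tgt in entries:
        if not _matches(who, client):
            continue
        if tgt is not None and (target is None or not _matches(tgt, target)):
            continue
        return perm in perms
    return False
```

Note that the helpdesk entry's target pattern has one name component, so it never matches a two-component principal such as jar/admin: a target pattern is the way to keep password-reset rights away from administrator principals.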

Refer to the kadmin and kadmin.local manpages for more information.

© 2001 Hewlett-Packard Development Company, L.P.