Installing, Configuring and Administering the Kerberos Server on HP-UX 11i: HP 9000 Networking > Chapter 4 Administration

Principals


A principal is a string that names a specific entity to which a set of credentials may be assigned. A principal consists of the following parts:

primary

the first part of a Kerberos principal. In the case of a user, it is the username. In the case of a service, it is the name of a service.

instance

the second part of a Kerberos principal. It gives information that qualifies the primary. The instance may be null. In the case of a user, the instance is often used to describe the intended use of the corresponding credentials. In the case of a host, the instance is the fully qualified hostname.

realm

the logical network served by a single Kerberos database and a set of Key Distribution Centers. By convention, realm names are generally all uppercase letters.

The typical format of a Kerberos principal is:

primary/instance@REALM

Privileges

Administrative privileges for the Kerberos database are stored in the kadm5.acl file. Each line in the file contains a principal, the privileges that the principal has, and optionally the target principal to which those permissions apply. The privileges are represented by single letters; UPPER-CASE letters represent negative permissions. The permissions are:

a

allows the addition of principals or policies in the database.

A

disallows the addition of principals or policies in the database.

d

allows the deletion of principals or policies in the database.

D

disallows the deletion of principals or policies in the database.

m

allows the modification of principals or policies in the database.

M

disallows the modification of principals or policies in the database.

c

allows the changing of passwords for principals in the database.

C

disallows the changing of passwords for principals in the database.

i

allows inquiries to the database.

I

disallows inquiries to the database.

l

allows the listing of principals or policies in the database.

L

disallows the listing of principals or policies in the database.

*

All privileges (admcil).

x

All privileges (admcil); identical to "*".

Principals in this file can include the * wildcard. Given below is an example of a kadm5.acl file.

NOTE: The order is important. Permissions are determined by the first matching entry.

To set all privileges for the principals with the admin instance, type the following:

*/admin@FINANCE.BAMBI.COM *

To grant the add, delete, modify, change-password, inquire and list privileges to the principal admin@FINANCE.BAMBI.COM, type the following:

admin@FINANCE.BAMBI.COM admcil
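The following is an added example, not code from the HP manual or from kadmind: it parses principals into primary, instance and realm as described above, and evaluates kadm5.acl entries with the semantics this section gives (single-letter privileges, upper-case as negatives, '*' and 'x' as admcil, an optional target, and the first matching entry deciding). Component-wise glob matching of the principal pattern and '#' as a comment marker are this example's own assumptions.

```python
from fnmatch import fnmatchcase
ALL_PRIVS = "admcil"  # what this page says '*' and 'x' expand to

def parse_principal(name):
    """Split primary[/instance]@REALM into (primary, instance, realm); instance may be ''."""
    if "@" not in name:
        raise ValueError(f"principal has no realm: {name!r}")
    local, realm = name.rsplit("@", 1)
    primary, _, instance = local.partition("/")
    return primary, instance, realm

def principal_matches(pattern, principal):
    """Assumed matching rule: each pattern component is a glob matched against the same
    component of the principal, so '*/admin@R' matches 'joe/admin@R' but not 'admin@R'."""
    return all(fnmatchcase(have, want)
               for have, want in zip(parse_principal(principal), parse_principal(pattern)))

def parse_acl(text):
    """Yield (principal_pattern, privileges, target_pattern_or_None); '#' comments are an assumption."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"malformed kadm5.acl line: {raw!r}")
        yield fields[0], fields[1], (fields[2] if len(fields) > 2 else None)

def permitted(acl_text, principal, op, target=None):
    """True iff principal may perform op ('a','d','m','c','i' or 'l'), optionally on target.
    The first entry whose principal pattern (and target pattern, if given) matches decides:
    a lower-case letter grants, an upper-case or absent letter denies. No match denies."""
    for pattern, privs, target_pattern in parse_acl(acl_text):
        if not principal_matches(pattern, principal):
            continue
        if target_pattern is not None and (target is None or not principal_matches(target_pattern, target)):
            continue  # entry is restricted to other targets; keep looking
        if privs in ("*", "x"):
            privs = ALL_PRIVS
        return op in privs
    return False

SAMPLE_ACL = """# constructed sample: the page's two entries plus cases that show ordering
intern/admin@FINANCE.BAMBI.COM  aD                            # may add, explicitly may not delete
*/admin@FINANCE.BAMBI.COM       *
admin@FINANCE.BAMBI.COM         admcil
helpdesk@FINANCE.BAMBI.COM      c   */users@FINANCE.BAMBI.COM # may change passwords of users only
*@FINANCE.BAMBI.COM             i
joe@FINANCE.BAMBI.COM           admcil                        # never reached: the line above matches joe first
"""
```

Running permitted() over SAMPLE_ACL shows why the NOTE above matters: joe gets only inquire, because the wildcard line before his own entry is the first match.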

Adding a New Principal

To add a principal to the database, use the kadmin.local add_principal command, which requires the "add" administrative privilege.

This command adds a new principal with the given name into the database.

The general syntax for adding a new principal is:

kadmin.local: add_principal [options] principal

For example, to add a principal "admin", you would do the following:

kadmin.local: add_principal admin
WARNING: no policy specified for admin@finance.bambi.com; defaulting to no policy
Enter password for principal "admin@finance.bambi.com":
Re-enter password for principal "admin@finance.bambi.com":
Principal "admin@finance.bambi.com" created.

The add_principal command has the aliases addprinc and ank.

Modifying a Principal

To modify the attributes of a principal in the database, use the kadmin.local modify_principal command, which requires the "modify" administrative privilege.

The general syntax for modifying a principal is:

kadmin.local: modify_principal [options] principal

To modify the principal "admin@finance.bambi.com" to disallow forwardable tickets, you need to do the following:

kadmin.local: modify_principal -allow_forwardable admin
Principal "admin@finance.bambi.com" modified.

The modify_principal command has the alias modprinc.

Retrieving Information About a Principal

To retrieve a listing of the attributes and/or policies associated with a principal, use the kadmin.local get_principal command, which requires the "inquire" administrative privilege in the acl file. The general syntax is:

get_principal principal

The get_principal command has the alias getprinc.

For example, suppose you wanted to view the attributes of the principals kdc1/root@FINANCE.BAMBI.COM and kdc2@FINANCE.BAMBI.COM. You would type:

kadmin.local: get_principal kdc1/root
Principal: kdc1/root@FINANCE.BAMBI.COM
Expiration date: Tue Oct 18 22:34:07 IST 2018
Last password change: Wed Dec 07 02:06:40 IST 2001
Password expiration date: Mon Jan 17 14:40:00 IST 2001
Maximum ticket life: 09 hours 10:06:08
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 31 18:27:08 IST 2001 (root/admin@finance.bambi.com)
Last successful authentication: Tue Dec 18 08:24:00 IST 2001
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno1, DES cbc mode with RSA-MD5, Version 5 - No Realm Attributes
Policy: [none]

The get_principal command has a -terse option, which lists the fields as a quoted, tab-separated string. For example:

kadmin.local: getprinc -terse kdc2
kdc2@FINANCE.BAMBI.COM 3 86400 604800 1
785963355 75321423 879500000
admin/admin@FINANCE.BAMBI.COM 8790000123 0 0
kadmin.local:
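A parser for the verbose get_principal listing shown above, as an added example (not from the HP manual or from kadmin): it turns the "Field: value" lines into a dict and flags attributes an administrator would review, such as a single-DES key or a principal with no policy. The field names are the ones in the listing; treating "DES ..." enctypes as legacy and counting failed password attempts are this example's own checks.

```python
def parse_get_principal(text):
    """Turn the 'Field: value' lines of a get_principal listing into a dict; 'Key:' lines accumulate."""
    rec = {"keys": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("kadmin.local:") or ":" not in line:
            continue  # skip the echoed command and anything that is not a field
        field, value = (part.strip() for part in line.split(":", 1))
        if field == "Key":
            rec["keys"].append(value)
        else:
            rec[field] = value
    return rec

def audit_principal(rec):
    """Findings a KDC administrator would want to see for one principal record."""
    findings = []
    for key in rec["keys"]:
        # 'vno1, DES cbc mode with RSA-MD5, ...': the enctype is the second comma-separated field
        enctype = key.split(",")[1].strip() if "," in key else key
        if enctype.upper().startswith("DES "):  # single DES only; this check is an assumption
            findings.append(f"legacy single-DES key: {enctype}")
    if rec.get("Policy") == "[none]":
        findings.append("no password policy assigned")
    if rec.get("Failed password attempts", "0") != "0":
        findings.append(f"{rec['Failed password attempts']} failed password attempts recorded")
    return findings

# Constructed sample: the kdc1/root listing shown on this page.
SAMPLE_LISTING = """\
kadmin.local: get_principal kdc1/root
Principal: kdc1/root@FINANCE.BAMBI.COM
Expiration date: Tue Oct 18 22:34:07 IST 2018
Last password change: Wed Dec 07 02:06:40 IST 2001
Password expiration date: Mon Jan 17 14:40:00 IST 2001
Maximum ticket life: 09 hours 10:06:08
Maximum renewable life: 7 days 00:00:00
Last modified: Wed Jul 31 18:27:08 IST 2001 (root/admin@finance.bambi.com)
Last successful authentication: Tue Dec 18 08:24:00 IST 2001
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno1, DES cbc mode with RSA-MD5, Version 5 - No Realm Attributes
Policy: [none]
"""

if __name__ == "__main__":
    for finding in audit_principal(parse_get_principal(SAMPLE_LISTING)):
        print(finding)
```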

Retrieving a List of Principals

To list the principals, use the kadmin.local list_principals command, which requires the "list" privilege in the acl file. The general syntax is:

list_principals [expression]

where expression is a shell-style glob expression that can contain the wildcard character '*'. All principal names matching the expression are displayed.

The list_principals command has the alias listprincs.

Deleting a Principal

To delete a principal, use the kadmin.local delete_principal command, which requires the "delete" administrative privilege. The general syntax is:

delprinc [-force] principal

kadmin.local: delprinc admin
Are you sure you want to delete the principal "admin@finance.bambi.com"? (yes/no): yes
Principal "admin@finance.bambi.com" deleted.
Make sure that you have removed this principal from all the ACLs before reusing.
kadmin.local:

This deletes the principal "admin@finance.bambi.com" from the Kerberos database. Therefore, if you want to reactivate this principal later, you will have to add it and enter the password again.

The delete_principal command has the alias delprinc. The -force option causes the delete_principal command not to prompt you for confirmation.

© 2001 Hewlett-Packard Development Company, L.P.