Note

For the sake of convenience, you may want to give your administrative user the same name as your login name. Although this is not the most secure option, it means that you don't have to use the following command each time you start kadmin:

/usr/kerberos/sbin/kadmin -p james/admin

Still, it's important that you know this command, because you will need to use it at least once on every host that belongs to your Kerberos network. This is because, as you will see, each client needs to have its keytab file updated by the systems administrator.

Finally, if you are logged in to one Kerberos realm named @othercompany.com, and you wish to use Kerberos to log in to the @yourcompany.com realm, you can issue the following command:

/usr/kerberos/sbin/kadmin -p james/[email protected]

This command also works if you are logging in from the @yourcompany.com realm; in that case, adding @yourcompany.com is simply redundant.

The kadmin command also lists, modifies, and deletes principals. To list the current Kerberos users from within kadmin, enter the following command:

kadmin: list_principals
ftp/blake.yourcompany.com.YOURCOMPANY.COM
rlogin/wordsworth.YOURCOMPANY.COM
james.YOURCOMPANY.COM
sandi.YOURCOMPANY.COM
host/blake.yourcompany.com.YOURCOMPANY.COM
kadmin:

To delete any principal, you can issue the following command:

kadmin: delete_principal userl

Are you sure you want to delete the principal "[email protected]"? (yes/no): yes

Principal "[email protected]" deleted.

Make sure that you have removed this principal from all ACL's before reusing.

kadmin:
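The deletion message above asks you to remove the principal from every ACL before the name is reused. As an added example (not part of the original text), the following shell function scans a kadm5.acl-style file for entries that still name a principal, either exactly or through a "*" wildcard. The ACL line format, the sample entries, and the principal olduser are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list kadm5.acl entries that still reference a principal.
# Assumed line format: principal  permissions  [target_principal ...]

# acl_refs PRINCIPAL ACL_FILE
# Prints "LINE:KIND:ENTRY" for each entry whose principal or target field
# names PRINCIPAL exactly (KIND=exact) or covers it through a "*" wildcard
# (KIND=wildcard). Returns 0 when at least one reference exists, else 1.
acl_refs() {
    princ=$1 acl=$2 n=0 found=1
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        set -f                 # do not expand "*" in the entry against files
        set -- $line           # split the entry into whitespace-separated fields
        set +f
        if [ $# -eq 0 ]; then continue; fi
        case $1 in '#'*) continue ;; esac
        for field in "$1" "${3-}"; do
            kind=
            case $field in
                "$princ") kind=exact ;;
                *'*'*)  # shell glob match; may over-report versus kadmind
                    case $princ in $field) kind=wildcard ;; esac ;;
            esac
            if [ -n "$kind" ]; then
                printf '%s:%s:%s\n' "$n" "$kind" "$line"
                found=0
                break
            fi
        done
    done < "$acl"
    return "$found"
}

# Constructed sample ACL (not from the page); olduser is a made-up principal.
SAMPLE_ACL=$(mktemp)
trap 'rm -f "$SAMPLE_ACL"' EXIT
cat > "$SAMPLE_ACL" <<'EOF'
# constructed sample kadm5.acl
james/admin@YOURCOMPANY.COM    *
olduser@YOURCOMPANY.COM        li
*/admin@YOURCOMPANY.COM        cil   olduser@YOURCOMPANY.COM
sandi@YOURCOMPANY.COM          i     *@YOURCOMPANY.COM
EOF

acl_refs 'olduser@YOURCOMPANY.COM' "$SAMPLE_ACL" || echo "no ACL references"
```

Wildcard hits matter as much as exact ones: a recreated principal with the same name inherits whatever those entries grant.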

For more information, use the ? command from within kadmin or consult the Kerberos documentation in the /usr/share/krb5*/ directory and the man pages. The asterisk represents the Kerberos version you are using.

The kadmin command does not simply add and manage principals in the Kerberos realm. It is also used to populate and update the key table (keytab) files for each Kerberos host. It is vital that you understand this kadmin function, because most of the existing Kerberos documentation skims over this step. This is partly because most people who write about Kerberos do not have the knowledge to actually implement Kerberos, or because they know how to implement Kerberos so well that they just assume that you already know this step. Hopefully, the present discussion will bridge the gap between the overly theoretical and overly technical writers and actually show you how to properly configure Kerberos clients. You will learn more about this shortly. Figure 6.11 shows the gkadmin interface.

Although it is a nice interface, the command-line interface is ideal for updating the /etc/krb5.keytab files on clients.

Figure 6.11 The gkadmin Interface
