Apple Mac OS X Server Network Card User Manual

262 Chapter 15 Working with Open Directory
Principal Management
Mac OS X Server uses MIT's Kerberos administration architecture for principal management. The Kerberos administration daemon kadmind is responsible for making changes to the Kerberos database. Aside from Open Directory, kadmind is largely manipulated by kadmin and kadmin.local. Generally in Mac OS X, Apple applications are responsible for telling kadmin what to do, and hence manual modifications are rarely needed.
The configuration files for kadmin and krb5kdc are located in /var/db/krb5kdc. The kadm5.acl file is a list of Kerberos principals that have various administrative privileges. The database named principal.kadm5 is the kadmind process's policy database, and it is also located in /var/db/krb5kdc. Principals and their keys are stored in /var/db/krb5kdc/principal, while policies, which can be applied to principals, are stored in principal.kadm5.
principal.kadm5.lock is a lock file used by kadmind. It is unlike most lock files, though, in that kadmind will not write to either the policy or principal database unless the lock file exists.
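Because kadm5.acl decides which principals kadmind will obey, it is worth auditing. The following POSIX shell snippet is an added example, not from the manual: it parses MIT's one-entry-per-line ACL syntax ("principal permissions [target [restrictions]]", where "*" or "x" grants every privilege) and reports which principals hold full or specific rights. The sample ACL text and the function names full_admins and holders_of are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of /var/db/krb5kdc/kadm5.acl (MIT format:
# "principal permissions [target [restrictions]]", '#' starts a comment).
# Assumed content for the example; not copied from any real server.
SAMPLE_ACL='# kadm5.acl - constructed sample, not from a real server
*/admin@EXAMPLE.COM      *
diradmin@EXAMPLE.COM     x
helpdesk@EXAMPLE.COM     cil     */student*@EXAMPLE.COM
auditor@EXAMPLE.COM      li
'

# Print, one per line, every principal whose entry grants all privileges
# ("*" or "x" in MIT syntax). These accounts can add, delete and re-key
# any principal through kadmind, so a wildcard primary such as */admin
# deserves a second look: it matches every principal with that instance.
full_admins() {
    printf '%s' "$1" | awk '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        $2 ~ /[*x]/ { print $1 }
    '
}

# Print the principals that hold one permission letter, for example
# "a" (add), "d" (delete), "c" (change password) or "l" (list).
# Full-privilege entries are included because they imply every letter.
holders_of() {
    perm="$1"
    printf '%s' "$2" | awk -v p="$perm" '
        /^[[:space:]]*#/ || NF < 2 { next }
        $2 ~ /[*x]/ || index($2, p) > 0 { print $1 }
    '
}

# Stand-alone run: show who has full control, then who may delete principals.
full_admins "$SAMPLE_ACL"
holders_of d "$SAMPLE_ACL"
```

To audit a real server, replace the constructed text with the contents of /var/db/krb5kdc/kadm5.acl (for example, `full_admins "$(cat /var/db/krb5kdc/kadm5.acl)"`).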
The kadmin tool, located in /usr/sbin, is the native MIT administrative client to kadmind. kadmin reads the Kerberos configuration file, edu.mit.kerberos, to discover the network location of the kadmind server.
Unlike kadmin, kadmin.local cannot be run remotely, nor is it bound by the access controls of kadmind. Instead, it is a brute-force tool that is always run as root, with full administrative privileges over the kadmind and KDC databases. Both kadmin and kadmin.local can be run interactively or in query mode (using the -q flag).
The following examples show some basic kadmin tool uses.
To add a principal:
Replace student1 with the new principal that you are adding to the database.
$ sudo kadmin.local -q "add_principal student1"
To add a service principal:
Replace afpserver/server.example.com with the new service principal that you are adding to the database.
$ sudo kadmin.local -q "add_principal afpserver/server.example.com"
To delete a principal:
Replace student1 with the principal that you are deleting from the database.
$ sudo kadmin.local -q "delete_principal student1"
To list all principals:
$ sudo kadmin.local -q list_principals