HP (Hewlett-Packard) E0905 Server User Manual

Administering the Kerberos Server
Manual Administration Using kadmin
Chapter 8 203
Only a user with root permission can invoke the local command-line
administrator, kadminl.
To log on to the remote administrator, kadmin, use a principal account
that has an entry in admin_acl_file granting at least inquire
privileges. For complete access to all functions, use an unrestricted
administrative principal account, one with the * permissions in
admin_acl_file. For more information on administrative permissions,
see “The admin_acl_file File” on page 113.
When you start kadmin, you must specify a principal name at the
command prompt; otherwise, the default logon name with the admin
instance appended to the default logon name is used. If you specify the
-n switch, the default logon name is used and the admin instance is not
automatically appended to the logon name.
The kadmin command-line administrator uses one of two methods to
authenticate the administrator:
The first method prompts the administrator for a password.
The second method uses the -k switch, which tells kadmin to look up
the key in the v5srvtab file. With the -k switch, you can write shell
scripts to automate administrative tasks. You need read permission on
the v5srvtab file to use this switch.
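As an added example (not from the HP manual), the following POSIX shell preflight is the kind of check a script automating kadmin -k should run before it does anything else: it refuses to continue unless the v5srvtab keytab is readable by the caller and closed to group and other, and unless the principal's admin_acl_file entry grants inquire. The ACL layout (one "principal permissions" line per entry, with * for unrestricted and the letter i for inquire), the realm EXAMPLE.COM and the file contents are assumptions constructed for this example; the exact admin_acl_file syntax is in the section referenced above.

```shell
#!/bin/sh
# Added example, not part of the HP Kerberos manual.
# Preflight checks for a script that will run kadmin with -k (keytab auth).
# Assumption: admin_acl_file has one "principal permissions" entry per line,
# "*" meaning unrestricted and the letter "i" meaning inquire.

# Return 0 if FILE exists and its mode grants no group/other access
# (a keytab such as v5srvtab should never be readable by other users).
keytab_perms_ok() {
    f="$1"
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;   # last two octal digits 00: group/other have nothing
        *)   return 1 ;;
    esac
}

# Print the permission string for PRINCIPAL from ACL_FILE; return 1 if absent.
acl_perms() {
    acl="$1"; princ="$2"
    awk -v p="$princ" '
        /^[[:space:]]*#/ || NF < 2 { next }   # skip comments and blank lines
        $1 == p { print $2; found = 1; exit }
        END { exit found ? 0 : 1 }' "$acl"
}

# Return 0 if PERMS grants inquire: the unrestricted "*" or a string containing i.
has_inquire() {
    case "$1" in
        '*') return 0 ;;
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Combine the checks; print the reason for refusal on stderr.
preflight() {
    keytab="$1"; acl="$2"; princ="$3"
    keytab_perms_ok "$keytab" || { echo "refusing: $keytab is readable by group/other" >&2; return 1; }
    [ -r "$keytab" ]          || { echo "refusing: $keytab is not readable by this user" >&2; return 1; }
    perms=$(acl_perms "$acl" "$princ") || { echo "refusing: $princ has no entry in $acl" >&2; return 1; }
    has_inquire "$perms"      || { echo "refusing: $princ lacks inquire permission" >&2; return 1; }
    return 0
}

# Demonstration on constructed files in a scratch directory.
demo() {
    tmp=$(mktemp -d)
    printf 'CONSTRUCTED-KEYTAB-PLACEHOLDER\n' > "$tmp/v5srvtab"
    chmod 600 "$tmp/v5srvtab"
    cat > "$tmp/admin_acl_file" <<'EOF'
# constructed sample ACL (format assumed: principal permissions)
kadmin/admin@EXAMPLE.COM *
helpdesk@EXAMPLE.COM i
backup@EXAMPLE.COM l
EOF
    preflight "$tmp/v5srvtab" "$tmp/admin_acl_file" helpdesk@EXAMPLE.COM && echo "helpdesk: ok to run kadmin -k"
    preflight "$tmp/v5srvtab" "$tmp/admin_acl_file" backup@EXAMPLE.COM   || echo "backup: blocked as expected"
    rm -rf "$tmp"
}

demo
```

The mode check deliberately tests only the group/other bits so it can run as an unprivileged user; on a real host the keytab should additionally be owned by root, which is what lets the script run only from a root-permission context.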
The communication between the kadmin client and the server daemon
is encrypted to prevent disclosure of information across the network.
After you are authenticated, use the kadmin commands to manage the
principal database. The kadmin commands are discussed in the
subsequent sections of this chapter.
NOTE You cannot use kadmin to control the following parameters of the user
principals:
Administrative permissions
Default group principal
Maximum ticket lifetime and renew times
Addition of new realms
Alter key types