1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
|
<html lang="en">
<head>
<title>Kerberos V5 System Administrator's Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 System Administrator's Guide">
<meta name="generator" content="makeinfo 4.5">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
</head>
<body>
<div class="node">
<p>
Node:<a name="Adding%20or%20Modifying%20Principals">Adding or Modifying Principals</a>,
Next:<a rel="next" accesskey="n" href="Deleting-Principals.html#Deleting%20Principals">Deleting Principals</a>,
Previous:<a rel="previous" accesskey="p" href="Privileges.html#Privileges">Privileges</a>,
Up:<a rel="up" accesskey="u" href="Principals.html#Principals">Principals</a>
<hr><br>
</div>
<h4 class="subsection">Adding or Modifying Principals</h4>
<p>To add a principal to the database, use the kadmin <code>add_principal</code>
command, which requires the "add" administrative privilege. This
function creates the new principal, prompting twice for a password, and,
if neither the -policy nor -clearpolicy options are specified and the
policy "default" exists, assigns it that policy. The syntax is:
<pre class="smallexample"> <b>kadmin:</b> add_principal [<i>options</i>] <i>principal</i>
</pre>
<p>To modify attributes of a principal, use the kadmin
<code>modify_principal</code> command, which requires the "modify"
administrative privilege. The syntax is:
<pre class="smallexample"> <b>kadmin:</b> modify_principal [<i>options</i>] <i>principal</i>
</pre>
<p><code>add_principal</code> has the aliases <code>addprinc</code> and
<code>ank</code><a rel="footnote" href="#fn-1"><sup>1</sup></a>. <code>modify_principal</code> has the alias <code>modprinc</code>.
<p>The <code>add_principal</code> and <code>modify_principal</code> commands take the
following switches:
<dl>
<dt><b>-expire </b><i>date</i><b></b>
<dd>Sets the expiration date of the principal to <i>date</i>.
<br><dt><b>-pwexpire </b><i>date</i><b></b>
<dd>Sets the expiration date of the password to <i>date</i>.
<br><dt><b>-maxlife </b><i>maxlife</i><b></b>
<dd>Sets the maximum ticket life of the principal to <i>maxlife</i>.
<br><dt><b>-maxrenewlife </b><i>maxrenewlife</i><b></b>
<dd>Sets the maximum renewable life of tickets for the principal to
<i>maxrenewlife</i>.
<br><dt><b>-kvno </b><i>number</i><b></b>
<dd>Explicity sets the key version number to <i>number</i>. MIT
does not recommend doing this unless there is a specific reason.
<br><dt><b>-policy </b><i>policy</i><b></b>
<dd>Sets the policy used by this principal. (See <a href="Policies.html#Policies">Policies</a>.) With
<code>modify_principal</code>, the current policy assigned to the principal is
set or changed. With <code>add_principal</code>, if this option is not
supplied, the -clearpolicy is not specified, and the policy "default"
exists, that policy is assigned. If a principal is created with no
policy, <code>kadmin</code> will print a warning message.
<br><dt><b>-clearpolicy</b>
<dd>For <code>modify_principal</code>, removes the current policy from a
principal. For <code>add_principal</code>, suppresses the automatic
assignment of the policy "default".
<br><dt><b>{-|+}allow_postdated</b>
<dd>The "-allow_postdated" option prohibits this principal from obtaining
postdated tickets. "+allow_postdated" clears this flag. In effect,
"-allow_postdated" sets the KRB5_KDB_DISALLOW_POSTDATED flag on the
principal in the database.
<br><dt><b>{-|+}allow_forwardable</b>
<dd>The "-allow_forwardable" option prohibits this principal from
obtaining forwardable tickets. "+allow_forwardable" clears this flag.
In effect, "-allow_forwardable" sets the KRB5_KDB_DISALLOW_FORWARDABLE
flag on the principal in the database.
<br><dt><b>{-|+}allow_renewable</b>
<dd>The "-allow_renewable" option prohibits this principal from obtaining
renewable tickets. "+allow_renewable" clears this flag. In effect,
"-allow_renewable" sets the KRB5_KDB_DISALLOW_RENEWABLE flag on the
principal in the database.
<br><dt><b>{-|+}allow_proxiable</b>
<dd>The "-allow_proxiable" option prohibits this principal from obtaining
proxiable tickets. "+allow_proxiable" clears this flag. In effect,
"-allow_proxiable" sets the <br> KRB5_KDB_DISALLOW_PROXIABLE flag. on
the principal in the database.
<br><dt><b>{-|+}allow_dup_skey</b>
<dd>The "-allow_dup_skey" option disables user-to-user authentication for
this principal by prohibiting this principal from obtaining a session
key for another user. "+allow_dup_skey" clears this flag. In effect,
"-allow_dup_skey" sets the <br> KRB5_KDB_DISALLOW_DUP_SKEY flag on the
principal in the database.
<br><dt><b>{-|+}requires_preauth</b>
<dd>The "+requires_preauth" option requires this principal to
preauthenticate before being allowed to kinit. -requires_preauth clears
this flag. In effect, +requires_preauth sets the
KRB5_KDB_REQUIRES_PRE_AUTH flag on the principal in the database.
<br><dt><b>{-|+}requires_hwauth</b>
<dd>The "+requires_hwauth" flag requires the principal to preauthenticate
using a hardware device before being allowed to kinit.
"-requires_hwauth" clears this flag. In effect, "+requires_hwauth"
sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the principal in the
database.
<br><dt><b>{-|+}allow_svr</b>
<dd>The "-allow_svr" flag prohibits the issuance of service tickets for
this principal. "+allow_svr" clears this flag. In effect,
"-allow_svr" sets the <br> KRB5_KDB_DISALLOW_SVR flag on the principal
in the database.
<br><dt><b>{-|+}allow_tgs_req</b>
<dd>The "-allow_tgs_req" option specifies that a Ticket-Granting Service
(TGS) request for a service ticket for this principal is not permitted.
You will probably never need to use this option. "+allow_tgs_req"
clears this flag. The default is "+allow_tgs_req". In effect,
"-allow_tgs_req" sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the
principal in the database.
<br><dt><b>{-|+}allow_tix</b>
<dd>The "-allow_tix" option forbids the issuance of any tickets for this
principal. "+allow_tix" clears this flag. The default is
"+allow_tix". In effect, "-allow_tix" sets the <br>
KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.
<br><dt><b>{-|+}needchange</b>
<dd>The "+needchange" option sets a flag in attributes field to force a
password change; "-needchange" clears it. The default is
"-needchange". In effect, "+needchange" sets the
KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.
<br><dt><b>{-|+}password_changing_service</b>
<dd>The "+password_changing_service" option sets a flag in the attributes
field marking this principal as a password change service. (Again, you
will probably never need to use this option.)
"-password_changing_service" clears the flag. The default is
"-password_changing_service". In effect, the
"+password_changing_service" option sets the KRB5_KDB_PWCHANGE_SERVICE
flag on the principal in the database.
<br><dt><b>-randkey</b>
<dd>Sets the key for the principal to a random value (<code>add_principal</code>
only). MIT recommends using this option for host keys.
<br><dt><b>-pw </b><i>password</i><b></b>
<dd>Sets the key of the principal to the specified string and does not
prompt for a password (<code>add_principal</code> only). MIT does
not recommend using this option.
<br><dt><b>-e </b><i>enc:salt...</i><b></b>
<dd>Uses the specified list of enctype-salttype pairs for setting the key
of the principal. The quotes are necessary if there are multiple
enctype-salttype pairs. This will not function against kadmin daemons
earlier than krb5-1.2. See <a href="Supported-Encryption-Types.html#Supported%20Encryption%20Types">Supported Encryption Types</a> and
<a href="Salts.html#Salts">Salts</a> for available types.
</dl>
<p>If you want to just use the default values, all you need to do is:
<pre class="smallexample"> <b>kadmin:</b> addprinc jennifer
<b>WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.</b>
<b>Enter password for principal jennifer@ATHENA.MIT.EDU:</b> <i><= Type the password.</i>
<b>Re-enter password for principal jennifer@ATHENA.MIT.EDU:</b> <i><=Type it again.</i>
<b>Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:</b>
</pre>
<p>If, on the other hand, you want to set up an account that expires on
January 1, 2000, that uses a policy called "stduser", with a temporary
password (which you want the user to change immediately), you would type
the following. (Note: each line beginning with => is a
continuation of the previous line.)
<pre class="smallexample">
<b>kadmin:</b> addprinc david -expire "1/1/2000 12:01am EST" -policy stduser
=> +needchange
<b>Enter password for principal david@ATHENA.MIT.EDU:</b> <i><= Type the password.</i>
<b>Re-enter password for principal
david@ATHENA.MIT.EDU:</b> <i><= Type it again.</i>
<b>Principal "david@ATHENA.MIT.EDU" created.
kadmin:</b>
</pre>
<p>If you will need cross-realm authentication, you need to add principals
for the other realm's TGT to each realm. For example, if you need to
do cross-realm authentication between the realms ATHENA.MIT.EDU
and EXAMPLE.COM, you would need to add the principals <br>
<code>krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU</code> and
<code>krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM</code> to both
databases. You need to be sure the passwords and the key version
numbers (kvno) are the same in both databases. This may require
explicitly setting the kvno with the <code>-kvno</code> option. See
<a href="Cross-realm-Authentication.html#Cross-realm%20Authentication">Cross-realm Authentication</a> for more details.
<div class="footnote">
<hr>
<h4>Footnotes</h4>
<ol type="1">
<li><a name="fn-1"></a>
<p><code>ank</code> was the short form of the equivalent
command using the deprecated <code>kadmin5</code> database administrative tool.
It has been kept</p>
</ol><hr></div>
</body></html>
|
