Sun Microsystems, Inc.

10. Administering Principals and Policies (Tasks)
Working With Large Lists in the SEAM Tool

As your site starts to accumulate a large number of principals and policies, the time it takes the SEAM Tool to load and display the principal and policy lists becomes increasingly longer. Thus, your productivity with the tool decreases. There are several ways to work around this problem.

First, you can completely eliminate the time to load the lists by not having the SEAM Tool load the lists. You can set this option by choosing Properties from the Edit menu, and unchecking the Show Lists field. Of course, when the tool doesn't load the lists, it can't display the lists, and you can no longer use the list panels to select principals or policies. Instead, you must type a principal or policy name in the new Name field that is provided, then select the operation that you want to perform on it. In effect, typing a name is equivalent to selecting an item from the list.

Another way to work with large lists is to cache them. In fact, caching the lists for a limited time is set as the default behavior for the SEAM Tool. The SEAM Tool must still initially load the lists into the cache, but after that, the tool can use the cache rather than retrieve the lists again. This option eliminates the need to keep loading the lists from the server, which is what takes so long.

You can set list caching by choosing Properties from the Edit menu. There are two cache settings. You can choose to cache the list forever, or you can specify a time limit when the tool must reload the lists from the server into the cache.

Caching the lists still enables you to use the list panels to select principals and policies, so it doesn't affect how you use the SEAM Tool the way the first option does. Also, even though caching doesn't let you see the changes of others, you still see the latest list information based on your own changes, since your changes update the lists both on the server and in the cache. And, if you want to update the cache to see other administrators' changes and get the latest copy of the lists, you can use the Refresh menu whenever you want to refresh the cache from the server.

How to Start the SEAM Tool

  1. Start the SEAM Tool by using the gkadmin command.

    $ /usr/sbin/gkadmin

    The SEAM Administration Login window is displayed.

  2. If you don't want to use the default values, specify new default values.

    The window automatically fills in with default values. The default principal name is determined by taking your current identity from the USER environment variable and appending /admin to it (username/admin). The default Realm and Master KDC fields are selected from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click Start Over.


    Note - The administration operations that each Principal Name can perform are dictated by the Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see "Using the SEAM Tool With Limited Kerberos Administration Privileges".


  3. Enter a password for the specified principal name.

  4. Click OK.

    The following window is displayed.

Administering Principals

This section provides the step-by-step instructions to administer principals with the SEAM Tool. This section also provides examples of equivalent command lines, when available.

Administering Principals (Task Map)

Task: View the list of principals
Description: View the list of principals by clicking the Principals tab.
For Instructions: "How to View the List of Principals"

Task: View a principal's attributes
Description: View a principal's attributes by selecting the principal in the Principal List, then clicking the Modify button.
For Instructions: "How to View a Principal's Attributes"

Task: Create a new principal
Description: Create a new principal by clicking the Create New button in the Principal List panel.
For Instructions: "How to Create a New Principal"

Task: Duplicate a principal
Description: Duplicate a principal by selecting the principal to duplicate in the Principal List, then clicking the Duplicate button.
For Instructions: "How to Duplicate a Principal"

Task: Modify a principal
Description: Modify a principal by selecting the principal to modify in the Principal List, then clicking the Modify button. Note that you cannot modify a principal's name. To rename a principal, you must duplicate the principal, specify a new name for it, save it, and then delete the old principal.
For Instructions: "How to Modify a Principal"

Task: Delete a principal
Description: Delete a principal by selecting the principal to delete in the Principal List, then clicking the Delete button.
For Instructions: "How to Delete a Principal"

Task: Set up defaults for creating new principals
Description: Set up defaults for creating new principals by choosing Properties from the Edit menu.
For Instructions: "How to Set Up Defaults for Creating New Principals"

Task: Modify the Kerberos administration privileges (kadm5.acl file)
Description: Command-line only. The Kerberos administration privileges determine what operations a principal can perform on the Kerberos database, such as add and modify. You need to edit the /etc/krb5/kadm5.acl file to modify the Kerberos administration privileges for each principal.
For Instructions: "How to Modify the Kerberos Administration Privileges"

Automating the Creation of New Principals

Even though the SEAM Tool provides ease-of-use, it doesn't provide a way to automate the creation of new principals. Automation is especially useful if you need to add 10 or even 100 new principals in a short time. However, by using the kadmin.local command in a Bourne shell script, you can do just that.

The following shell script line is an example of how to automate the creation of new principals:

# Each princnames line holds "principal password"; emit one add_principal (ank)
# command per line, with +needchange so the user must pick a new password at first login.
sed -e 's/^\([^ ][^ ]*\)  *\([^ ][^ ]*\)$/ank +needchange -pw \2 \1/' < princnames |
        time /usr/sbin/kadmin.local > /dev/null

This example is split over two lines for readability. The script reads in a file called princnames that contains principal names and their passwords, and adds them to the Kerberos database. You would have to create the princnames file, which contains a principal name and its password on each line, separated by one or more spaces. The +needchange option configures the principal so that the user is prompted for a new password the first time the user logs in with the principal. This practice helps to ensure that the passwords in the princnames file are not a lasting security risk.

You can build more elaborate scripts. For example, your script could use the information in the name service to obtain the list of user names for the principal names. What you do and how you do it is determined by your site needs and your scripting expertise.
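A slightly more elaborate version of the batch script above, added here as an example (it is not part of the Sun documentation): the princnames file is validated line by line, the file is refused if it is group- or world-readable because it holds cleartext passwords, and the generated kadmin.local commands can be reviewed first by setting the assumed KADMIN_LOCAL hook to "cat". The sample princnames content is constructed for illustration.

```shell
#!/bin/sh
# gen_ank_cmds FILE -> one "ank +needchange -pw PASSWORD PRINCIPAL" line per
# valid input line. Blank lines and "#" comments are skipped; a line that does
# not have exactly two fields is reported on stderr and makes the function fail.
gen_ank_cmds() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }
        NF != 2 { printf "line %d: expected \"principal password\"\n", NR > "/dev/stderr"; bad++; next }
        { printf "ank +needchange -pw %s %s\n", $2, $1 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# add_principals FILE -> refuses a princnames file readable by group or others,
# generates the commands, then feeds them to kadmin.local (as in the page's
# one-liner). KADMIN_LOCAL is an assumed override, e.g. KADMIN_LOCAL=cat to review.
add_principals() {
    file=$1
    kadmin=${KADMIN_LOCAL:-/usr/sbin/kadmin.local}
    mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")   # GNU, then BSD stat
    case $mode in
        *00) ;;                                   # e.g. 600 or 400: owner only
        *) echo "$file must not be group/world readable (mode $mode)" >&2; return 2 ;;
    esac
    cmds=$(gen_ank_cmds "$file") || return 1     # stop on any malformed line
    printf '%s\n' "$cmds" | "$kadmin" > /dev/null
}

# Constructed sample princnames file (placeholder names and passwords, not real credentials).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# principal   initial-password
jdoe    Ch4nge-me-now
asmith  T3mp-pass-1
EOF
chmod 600 "$sample"
```

Run with `KADMIN_LOCAL=cat add_principals "$sample"` to inspect the commands before pointing it at the real kadmin.local.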

How to View the List of Principals

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See "How to Start the SEAM Tool" for details.

  2. Click the Principals tab.

    The list of principals is displayed.

  3. Display a specific principal or a sublist of principals.

    Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of principals that match the filter is displayed.

    The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the principals with the ge string in them (for example, george or edge).

    If you want to display the entire list of principals, click Clear Filter.

Example--Viewing the List of Principals (Command Line)

In the following example, the list_principals command of kadmin is used to list all the principals that match test*. Wildcards can be used with the list_principals command.

kadmin: list_principals test*
test1@EXAMPLE.COM
test2@EXAMPLE.COM
kadmin: quit

How to View a Principal's Attributes

An example of the command-line equivalent follows this procedure.

  1. If necessary, start the SEAM Tool.

    See "How to Start the SEAM Tool" for details.

  2. Click the Principals tab.

  3. Select the principal in the list that you want to view, then click Modify.

    The Principal Basics panel that contains some of the principal's attributes is displayed.

  4. Continue to click Next to view all the principal's attributes.

    Three windows contain attribute information. Choose Context-Sensitive Help from the Help menu to get information about the various attributes in each window. Or, for all the principal attribute descriptions, go to "SEAM Tool Panel Descriptions".

  5. When you are finished viewing, click Cancel.

Example--Viewing a Principal's Attributes

The following example shows the first window when you are viewing the jdb/admin principal.

Example--Viewing a Principal's Attributes (Command Line)

In the following example, the get_principal command of kadmin (abbreviated getprinc) is used to view the attributes of the jdb/admin principal.

kadmin: getprinc jdb/admin
Principal: jdb/admin@EXAMPLE.COM
Expiration date: Fri Aug 25 17:19:05 PDT 2000
Last password change: [never]
Password expiration date: Wed Apr 14 11:53:10 PDT 1999
Maximum ticket life: 1 day 16:00:00
Maximum renewable life: 1 day 16:00:00
Last modified: Thu Jan 14 11:54:09 PST 1999 (admin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, DES cbc mode with CRC-32, no salt
Attributes: REQUIRES_HW_AUTH
Policy: [none]
kadmin: quit