Example--Deleting a Principal (Command Line)
In the following example, the delete_principal command of kadmin is used to delete the jdb principal.
kadmin: delete_principal pak Are you sure you want to delete the principal "pak@EXAMPLE.COM"? (yes/no): yes Principal "pak@EXAMPLE.COM" deleted. Make sure that you have removed this principal from all ACLs before reusing. kadmin: quit |
How to Set Up Defaults for Creating New Principals
No command-line equivalent exists for this procedure.
If necessary, start the SEAM Tool.
See "How to Start the SEAM Tool" for details.
Choose Properties from the Edit Menu.
The Properties window is displayed.
Select the defaults that you want when you create new principals.
Choose Context-Sensitive Help from the Help menu for information about the various attributes in each window.
Click Save.
How to Modify the Kerberos Administration Privileges
Even though your site probably has many user principals, you usually want only a few users to be able to administer the Kerberos database. Privileges to administer the Kerberos database are determined by the Kerberos access control list (ACL) file, kadm5.acl. The kadm5.acl file enables you to allow or disallow privileges for individual principals. Or, you can use the '*' wildcard in the principal name to specify privileges for groups of principals.
Become superuser on the master KDC.
Edit the /etc/krb5/kadm5.acl file.
An entry in the kadm5.acl file must have the following format:
principal privileges [principal-target]
principal
Specifies the principal to which the privileges are granted. Any part of the principal name can include the '*' wildcard, which is useful for providing the same privileges for a group of principals. For example, if you want to specify all principals with the admin instance, you would use */admin@realm.
Note that a common use of an admin instance is to grant separate privileges (such as administration access to the Kerberos database) to a separate Kerberos principal. For example, the user jdb might have a principal for his administrative use, called jdb/admin. This way, the user jdb obtains jdb/admin tickets only when he or she actually needs to use those privileges.
privileges
Specifies which operations can or cannot be performed by the principal. This field consists of a string of one or more of the following list of characters or their uppercase counterparts. If the character is uppercase (or not specified), then the operation is disallowed. If the character is lowercase, then the operation is permitted.
a
[Dis]allows the addition of principals or policies.
d
[Dis]allows the deletion of principals or policies.
m
[Dis]allows the modification of principals or polices.
c
[Dis]allows the changing of passwords for principals.
i
[Dis]allows inquiries to the Kerberos database.
l
[Dis]allows the listing of principals or policies in the Kerberos database.
x or *
Allows all privileges (admcil).
principal-target
When a principal is specified in this field, the privileges apply to principal only when the principal operates on the principal_target. Any part of the principal name can include the '*' wildcard, which is useful to group principals.
Example--Modifying the Kerberos Administration Privileges
The following entry in the kadm5.acl file gives any principal in the EXAMPLE.COM realm with the admin instance all the privileges on the Kerberos database.
*/admin@EXAMPLE.COM * |
The following entry in the kadm5.acl file gives the jdb@EXAMPLE.COM principal the privilege to add, list, and inquire about any principal that has the root instance.
jdb@EXAMPLE.COM ali */root@EXAMPLE.COM |
Administering Policies
This section provides step-by-step instructions to administer policies with the SEAM Tool. This section also provides examples of equivalent command lines, when available.
Administering Policies (Task Map)
Task | Description | For Instructions |
---|---|---|
View the list of policies | View the list of policies by clicking the Policies tab. | |
View a policy's attributes | View a policy's attributes by selecting the policy in the Policy List, then clicking the Modify button. | |
Create a new policy | Create a new policy by clicking the Create New button in the Policy List panel. | |
Duplicate a policy | Duplicate a policy by selecting the policy to duplicate in the Policy List, then clicking the Duplicate button. | |
Modify a policy | Modify a policy by selecting the policy to modify in the Policy List, then clicking the Modify button. Note that you cannot modify a policy's name. To rename a policy, you must duplicate the policy, specify a new name for it, save it, and then delete the old policy. | |
Delete a policy | Delete a policy by selecting the policy to delete in the Policy List, then clicking the Delete button. |
How to View the List of Policies
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See "How to Start the SEAM Tool" for details.
Click the Policies tab.
The list of policies is displayed.
Display a specific policy or a sublist of policies.
Type a filter string in the Filter field, and press Return. If the filter succeeds, the list of policies that match the filter is displayed.
The filter string must consist of one or more characters. Because the filter mechanism is case sensitive, you need to use the appropriate uppercase and lowercase letters for the filter. For example, if you type the filter string ge, the filter mechanism displays only the policies with the ge string in them (for example, george or edge).
If you want to display the entire list of policies, click Clear Filter.
Example--Viewing the List of Policies (Command Line)
In the following example, the list_policies command of kadmin is used to list all the policies that match *user*. Wildcards can be used with the list_policies command.
kadmin: list_policies *user* testuser enguser kadmin: quit |
How to View a Policy's Attributes
An example of the command-line equivalent follows this procedure.
If necessary, start the SEAM Tool.
See "How to Start the SEAM Tool" for details.
Click the Policies tab.
Select the policy in the list that you want to view, then click Modify.
The Policy Details panel is displayed.
When you are finished viewing, click Cancel.