Administering the Kerberos Server

Principals

You must enter the fqdn in lowercase letters, and the fqdn instance must be the fully qualified domain name of the host system for the server or service.

These principals are not automatically added to the principal database when you install the Kerberos servers or application services.

Removing User Principals

You may need to delete user principals from the database. When you delete a principal account from the database, the principal name, attributes, and properties are removed from the database and you cannot use the principal to authenticate to the Kerberos server. To delete a principal, use the HP Kerberos Administrator or the command-line interface administrative utility.

For user principals, you may need to perform additional steps to remove the special privilege settings.

For user principals that use a UNIX system, every UNIX host that a principal uses contains the host/service principal. If this system is unused, delete the service key from the host and remove the host/<fqdn> principal from the database.

Removing Special Privilege Settings

If the principal has special privileges, remove these privileges. Examples of special privileges are as follows:

Administrative principal that is aware of the UNIX root password. Ensure that you change the root or administrator password according to your password requirements.

Administrative principal using kadmin. Ensure that you remove the administrative principal entry in admin_acl_file.

NOTE

When you delete an administrative principal using the HP Kerberos Administrator, any reference to that principal is automatically removed from admin_acl_file.
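A check for the admin_acl_file cleanup described above, as an added example that is not part of the HP manual: it lists entries in the file whose principal no longer exists in the database. The file layout it parses (principal name in the first field, # starting a comment line) and the one-per-line list of existing principals are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Added example. Assumed input formats (not taken from the manual):
#   ACL file:       one entry per line, principal name in the first field,
#                   "#" starts a comment line; later fields are ignored.
#   principal list: one existing principal per line, spelled as in the ACL.

# stale_acl_entries ACL_FILE PRINCIPAL_LIST
# Prints "LINE:PRINCIPAL" for every ACL entry whose principal is not in
# PRINCIPAL_LIST. Returns 2 if either file cannot be read, otherwise 0.
stale_acl_entries() {
    [ -r "$1" ] && [ -r "$2" ] || {
        echo "usage: stale_acl_entries ACL_FILE PRINCIPAL_LIST" >&2
        return 2
    }
    awk -v plist="$2" '
        BEGIN {
            # Load the principals that still exist; an empty list is valid
            # and makes every ACL entry stale.
            while ((getline line < plist) > 0) {
                sub(/\r$/, "", line)
                split(line, f, " ")
                if (f[1] != "") live[f[1]] = 1
            }
            close(plist)
        }
        /^[ \t]*#/ || NF == 0 { next }      # skip comments and blank lines
        !($1 in live) { printf "%d:%s\n", FNR, $1 }
    ' "$1"
}

# Constructed sample: bob/admin was deleted from the database, but his
# ACL entry was left behind. Names and realm are placeholders.
demo() {
    tmp=${TMPDIR:-/tmp}/acl_demo.$$
    mkdir "$tmp" || return 2
    cat > "$tmp/acl" <<'EOF'
# constructed admin_acl_file sample
alice/admin@EXAMPLE.COM  <permissions>
bob/admin@EXAMPLE.COM    <permissions>
EOF
    cat > "$tmp/principals" <<'EOF'
alice/admin@EXAMPLE.COM
host/app1.example.com@EXAMPLE.COM
EOF
    stale_acl_entries "$tmp/acl" "$tmp/principals"
    rm -rf "$tmp"
}
demo
```

Any line it prints names an entry to review and remove from admin_acl_file.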

 

 

Chapter 8

HP UX Kerberos Data Security Software manual Removing User Principals, Removing Special Privilege Settings