Administering the Kerberos Server
Manual Administration Using kadmin
Only a user with root permission can invoke the local
To log on to the remote administrator, kadmin, use a principal account that has an entry in admin_acl_file and an account that has at least inquire privileges. For complete access to all functions, use an unrestricted administrative principal account, one with the * permissions in admin_acl_file. The account must at least have inquire privileges. For more information on administrative permissions, see “The admin_acl_file File” on page 113.
When you start kadmin, you must specify a principal name at the command prompt; otherwise, the default logon name with the admin instance appended to the default logon name is used. If you specify the
The kadmin
• The first method prompts administrators for a password.
• The second method uses the
The communication between the kadmin client and the server daemon is encrypted to prevent disclosure of information across the network.
After you are authenticated, use the kadmin commands to manage the principal database. The kadmin commands are discussed in the subsequent sections of this chapter.
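Because an unrestricted (`*`) entry in admin_acl_file grants complete control of the principal database, it is worth auditing which accounts hold it and confirming that ordinary administrators hold only the inquire privilege they need. The script below is an added example, not part of this manual; it assumes a two-column "principal permissions" layout with single-letter privilege codes (`i` for inquire, `*` for all), and its sample ACL entries are constructed.

```shell
#!/bin/sh
# Added example (not from the original manual): audit an admin_acl_file for
# unrestricted (*) entries and check that a given principal has at least
# inquire ("i") privileges. The "principal permissions" two-column layout and
# the single-letter codes are ASSUMED; adjust the patterns to your server's
# actual admin_acl_file syntax.

# Constructed sample ACL, written to a temp file so the script runs offline.
ACL_FILE="${TMPDIR:-/tmp}/admin_acl_file.sample.$$"
trap 'rm -f "$ACL_FILE"' EXIT
cat > "$ACL_FILE" <<'EOF'
# principal                permissions
kadmin/admin@EXAMPLE.COM   *
helpdesk@EXAMPLE.COM       i
ops/admin@EXAMPLE.COM      adilc
EOF

# Print every principal that holds unrestricted (*) permissions.
# Usage: list_unrestricted <acl_file>
list_unrestricted() {
    awk '$1 !~ /^#/ && NF >= 2 && $2 == "*" { print $1 }' "$1"
}

# Exit 0 if the principal can at least inquire (explicit "i" or "*"), else 1.
# Usage: has_inquire <acl_file> <principal>
has_inquire() {
    awk -v p="$2" '
        $1 !~ /^#/ && NF >= 2 && $1 == p && ($2 == "*" || index($2, "i") > 0) { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

echo "Principals with unrestricted (*) permissions:"
list_unrestricted "$ACL_FILE"
```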
NOTE: You cannot use kadmin to control the following parameters of the user principals:
• Administrative permissions
• Default group principal
• Maximum ticket lifetime and renew times
• Addition of new realms
• Alter key types
Chapter 8 | 203 |