Administration

Manual Administration Using kadmin

The Local Command-Line-Administrator, kadminl, can be invoked only by a root user.

To log in to the Remote Administrator, kadmin, you must use a principal account that has an entry in the admin_acl_file. For complete access to all the functions, use an unrestricted administrative principal account, one with the ‘*’ permissions in the admin_acl_file. At a minimum, the account must have the inquire privileges. For more information on administrative permissions, refer to “admin_acl_file” on page 95.

When you start kadmin, a principal name must be specified on the command line; otherwise the default login name, with the admin instance appended to it, is used. If the -n switch is specified, the default login name is used and the admin instance is not automatically appended to it.

kadmin has two mechanisms for authenticating the administrator. The first prompts the administrator for a password. The second uses the -k switch, which tells kadmin to look up the key in the v5srvtab file. With the -k switch, you can write shell scripts that automate administrative tasks. To use this switch, you must have read permission on the v5srvtab file.
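The keytab-based automation described above, as an added example that is not from the manual: a wrapper that checks the v5srvtab file before running kadmin with -k. The keytab path, the principal name and the exact kadmin option layout are assumptions; confirm them against kadmin(1M) on your release.

```shell
#!/bin/sh
# Added example, not from the HP-UX manual: a guard for scripted kadmin -k runs.
# The manual says kadmin -k reads the key from v5srvtab and that the caller
# needs read permission on that file; this script checks the file before
# calling kadmin and also refuses keytabs that group or other users can read.

KEYTAB="${KEYTAB:-/krb5/v5srvtab}"          # assumed location of the keytab
ADMIN_PRINC="${ADMIN_PRINC:-admin/admin}"   # assumed administrative principal

# keytab_ok FILE: return 0 if FILE is a regular file readable by the caller
# and not readable by group or others; otherwise explain on stderr, return 1.
keytab_ok() {
    f="$1"
    [ -f "$f" ] || { echo "keytab $f: not a regular file" >&2; return 1; }
    [ -r "$f" ] || { echo "keytab $f: not readable by $(id -un)" >&2; return 1; }
    # ls -l mode string, e.g. -rw-------: column 5 is group read, column 8 is other read
    mode=$(ls -l "$f" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*)
            echo "keytab $f: readable by group or others ($mode)" >&2; return 1 ;;
    esac
    return 0
}

# run_kadmin: check the keytab, then invoke kadmin with -k (no password prompt)
# and pass any remaining arguments through. The kadmin command syntax is assumed.
run_kadmin() {
    keytab_ok "$KEYTAB" || return 1
    kadmin -k "$ADMIN_PRINC" "$@"
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    run_kadmin "$@"
fi
```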

All communications between the kadmin client and the server-side daemon are encrypted to prevent disclosure of information across the network.

Once you have been authenticated, use the kadmin commands to manage the principal database. The kadmin commands are discussed in the subsequent sections of this chapter.

NOTE

The Command-Line-Administrator, kadmin, has limited capabilities. It cannot be used to control the following parameters of the user principals:

• administrative permissions
• default group principal
• maximum ticket lifetime and renew times
• adding new realms
• altering key types

Chapter 6

HP UX Kerberos Data Security Software manual