Administration
Manual Administration Using kadmin
• Service principal, the service accepts TGTs only from user principals who obtained a TGT using a preauthentication protocol.

NOTE: Client applications require preauthentication by default; however, a client can override this setting.

To set the Require Preauthentication attribute for the principal admin, modify the parameter type attr as follows:

    Command: mod
    Name of Principal to Modify: admin
    Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
    Attribute (or quit): {preauth|nopreauth}
    Principal modified.

Require Password Change Attribute

The Require Password Change attribute determines whether a principal must change the user’s password during the next authentication attempt. When this attribute is set, users are required to change their passwords.

When a new principal is added to the database or when a principal’s password is changed, this attribute is controlled by the NoReqChangePwd setting in the principal’s password policy file. By default, NoReqChangePwd is set to zero, meaning the user must change their password at first logon.

If a random key is designated for a principal using Administrator or the kadmin addrnd command, the Require Password Change attribute is not set by default. As a result, a service principal with an extracted key is not required to have a new key extracted at the next authentication attempt.

To set the Require Password Change attribute for the principal admin, modify the parameter type attr as follows:

    Command: mod
    Name of Principal to Modify: admin
    Parameter Type to be Modified (attr,fcnt,vno or quit) :attr
    Attribute (or quit): {pwchg|nopwchg}
    Principal modified.
182 | Chapter 6 |