Specifications
Managing Principals
Mac OS X Server uses MIT’s Kerberos administration architecture for principal
management. The Kerberos kadmind administration daemon is responsible for making
changes to the Kerberos database. Aside from Open Directory, kadmind is largely
manipulated by kadmin and kadmin.local.
Generally in Mac OS X, Apple applications are responsible for telling kadmin what to
do, so manual modifications are rarely needed.
The configuration files for kadmin and krb5kdc are in /var/db/krb5kdc/. The kadm5.acl
file is a list of Kerberos principals that have various administrative privileges.
The principal.kadm5 database is the kadmind process’ policy database. It is located in
/var/db/krb5kdc/. Although principals and their keys are stored in /var/db/krb5kdc/principal,
policies, which can be applied to principals, are stored in principal.kadm5.
Principal.kadm5.lock is a lock file used by kadmind. However, it is unlike most lock files
because kadmind does not write to the policy or principal database unless it exists.
The kadmin tool, in /usr/sbin/, is the native MIT administrative client to kadmind.
kadmin reads the Kerberos configuration file, edu.mit.kerberos, to discover the network
location of the kadmind server.
Unlike kadmin, kadmin.local cannot be run remotely, nor is it bound by the access
controls of kadmind. Instead, it is a brute-force tool that you must always run with root
privileges, with full administrative privileges over the kadmind and KDC databases. Both
kadmin and kadmin.local can be run interactively or in query mode (using the -q flag).
To manage principals:
The following examples show basic kadmin tool uses.
To add a principal:
$ sudo kadmin.local -q "add_principal student1"
Replace student1 with the principal you are adding to the database.
To add a service principal:
$ sudo kadmin.local -q "add_principal afpserver/server.example.com"
Replace afpserver/server.example.com with the service principal you are adding to
the database.
To delete a principal:
$ sudo kadmin.local -q "delete_principal student1"
Replace student1 with the principal you are deleting from the database.
To view all principals:
$ sudo kadmin.local -q list_principals
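Because kadmin.local runs as root and bypasses the kadm5.acl access controls, anything that reaches its -q query string is executed with full authority over the KDC database. The following helper is an added example (not from the guide or from Apple) that validates a principal name in the user or service/host form shown above before building the add_principal or delete_principal query; the install path /usr/sbin/kadmin.local and the KADMIN_DRYRUN variable are assumptions for this script.

```shell
#!/bin/sh
# Constructed helper: builds and runs the kadmin.local -q queries shown above,
# after checking that the principal name is well formed. Assumes MIT
# kadmin.local lives in /usr/sbin/ as on Mac OS X Server.

KADMIN_LOCAL=${KADMIN_LOCAL:-/usr/sbin/kadmin.local}

# Accept user principals (student1) and service principals
# (afpserver/server.example.com), optionally with @REALM. Anything else,
# including whitespace, quotes or option-like text, is rejected so it can
# never be spliced into the query string that kadmin.local executes as root.
valid_principal() {
    printf '%s\n' "$1" |
        grep -Eq '^[A-Za-z0-9_.-]+(/[A-Za-z0-9_.-]+)?(@[A-Za-z0-9_.-]+)?$'
}

# build_query <add|delete> <principal>: prints the kadmin query on stdout,
# or prints an error and returns 1 if the name or operation is not accepted.
build_query() {
    op=$1; princ=$2
    valid_principal "$princ" || { echo "invalid principal name: $princ" >&2; return 1; }
    case $op in
        add)    printf 'add_principal %s\n' "$princ" ;;
        delete) printf 'delete_principal %s\n' "$princ" ;;
        *)      echo "unknown operation: $op" >&2; return 1 ;;
    esac
}

# run_query <add|delete> <principal>: executes the query with sudo kadmin.local.
# With KADMIN_DRYRUN set, it only prints the command that would be run.
run_query() {
    q=$(build_query "$1" "$2") || return 1
    if [ -n "$KADMIN_DRYRUN" ]; then
        printf 'sudo %s -q "%s"\n' "$KADMIN_LOCAL" "$q"
    else
        sudo "$KADMIN_LOCAL" -q "$q"
    fi
}
```

add_principal without further options prompts for the new principal's password, exactly as the interactive examples above do.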
206 Chapter 9 Maintaining Open Directory Services