Specifications

Chapter 15 Configuring and Managing Open Directory 263
The principal.kadm5 database is the kadmind process policy database. It is located in /var/db/krb5kdc/. Although principals and their keys are stored in /var/db/krb5kdc/principal, policies, which can be applied to principals, are stored in principal.kadm5. The file principal.kadm5.lock is a lock file used by kadmind. It is unlike most lock files in that kadmind does not write to the policy or principal database unless the lock file exists.
The kadmin tool, in /usr/sbin/, is the native MIT administrative client to kadmind. kadmin reads the Kerberos configuration file, edu.mit.kerberos, to discover the network location of the kadmind server.
Unlike kadmin, kadmin.local cannot be run remotely, nor is it bound by the access controls of kadmind. Instead, it is a brute-force tool that you must always run with root privileges, and it has full administrative privileges over the kadmind and KDC databases. Both kadmin and kadmin.local can be run interactively or in query mode (using the -q flag).
The following examples show basic kadmin tool uses.
To add a principal:
$ sudo kadmin.local -q "add_principal student1"
Replace student1 with the principal you are adding to the database.
To add a service principal:
$ sudo kadmin.local -q "add_principal afpserver/server.example.com"
Replace afpserver/server.example.com with the service principal you are adding to the database.
To delete a principal:
$ sudo kadmin.local -q "delete_principal student1"
Replace student1 with the principal you are deleting from the database.
To view all principals:
$ sudo kadmin.local -q list_principals
Using kadmin to Kerberize a Service
You can use kadmin to kerberize additional services, depending on your specific configuration requirements. Although Mac OS X Server kerberizes many services for you, you can use Kerberos command-line tools to kerberize additional services with Open Directory Kerberos.
A kerberized service must know its principal name. The service type for most services is compiled into the binary.
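The kadmin.local queries above (add_principal, list_principals) and the rule that a kerberized service must have a principal of the form service/host@REALM can be combined into a small pre-check: parse the list_principals output, see which services on a host already have principals, and generate only the add_principal queries that are still missing. The script below is an added example, not part of the Apple guide or of MIT Kerberos; it assumes /usr/sbin/kadmin.local as shown on this page, uses the MIT add_principal -randkey flag (a standard kadmin option that the guide itself does not show), and runs in dry-run mode by default so it only prints the commands it would issue. The sample list_principals output is constructed for the example.

```python
"""Reconcile service principals on an Open Directory KDC with kadmin.local.

Added example (not from the Apple guide). Assumptions: MIT kadmin.local lives
in /usr/sbin (as on this page), list_principals prints one principal per line
after an "Authenticating as principal ..." banner, and add_principal accepts
the standard MIT -randkey option for service principals.
"""
import re
import shlex
import subprocess

KADMIN_LOCAL = "/usr/sbin/kadmin.local"  # path from the guide

# name@REALM or service/instance@REALM; realms are conventionally upper-case.
PRINCIPAL_RE = re.compile(
    r"^(?P<primary>[^/@\s]+)(?:/(?P<instance>[^@\s]+))?@(?P<realm>[A-Z0-9.\-]+)$"
)

# Constructed sample of `sudo kadmin.local -q list_principals` output.
SAMPLE_LIST = """Authenticating as principal root/admin@EXAMPLE.COM with password.
K/M@EXAMPLE.COM
afpserver/server.example.com@EXAMPLE.COM
kadmin/admin@EXAMPLE.COM
kadmin/changepw@EXAMPLE.COM
krbtgt/EXAMPLE.COM@EXAMPLE.COM
student1@EXAMPLE.COM
"""


def parse_list_principals(output):
    """Return a list of dicts (primary, instance, realm) for each principal line.

    Lines that are not principal names (the authentication banner, blank
    lines) are skipped rather than treated as principals."""
    principals = []
    for line in output.splitlines():
        match = PRINCIPAL_RE.match(line.strip())
        if match:
            principals.append(match.groupdict())
    return principals


def service_principals(principals, host):
    """Service names that already have a principal whose instance is `host`."""
    return sorted(p["primary"] for p in principals if p["instance"] == host)


def plan_missing(principals, host, realm, wanted):
    """kadmin.local queries needed so every service in `wanted` has a principal.

    Existing principals are left alone, so the plan is idempotent: running it
    twice adds nothing the second time."""
    have = set(service_principals(principals, host))
    queries = []
    for svc in sorted(wanted):
        if svc not in have:
            queries.append(f"add_principal -randkey {svc}/{host}@{realm}")
    return queries


def run_query(query, dry_run=True):
    """Run one `sudo kadmin.local -q "<query>"` (or return the command in dry-run)."""
    cmd = ["sudo", KADMIN_LOCAL, "-q", query]
    if dry_run:
        return " ".join(shlex.quote(part) for part in cmd)
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Dry run against the constructed sample; replace SAMPLE_LIST with the real
    # output of `sudo kadmin.local -q list_principals` on the KDC.
    principals = parse_list_principals(SAMPLE_LIST)
    host, realm = "server.example.com", "EXAMPLE.COM"
    print("already kerberized:", service_principals(principals, host))
    for query in plan_missing(principals, host, realm, {"afpserver", "smtp", "host"}):
        print(run_query(query, dry_run=True))
```

On the sample data, afpserver/server.example.com already exists, so the plan contains only the host and smtp principals; with dry_run=False the same queries are executed through sudo kadmin.local -q, which keeps the script's behaviour identical to the manual commands shown in the guide.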