Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i
Administration
Manual Administration Using kadmin
Chapter 6 171
The Local Command-Line-Administrator, kadminl, can be invoked only by a root user.
To log in to the Remote Administrator, kadmin, you must use a principal account that has an entry in the admin_acl_file. For complete access to all the functions, use an unrestricted administrative principal account, one with the ‘*’ permissions in the admin_acl_file. At a minimum, the account must have the inquire privileges. For more information on administrative permissions, refer to “admin_acl_file” on page 95.
When you start kadmin, a principal name must be specified at the command-line prompt; otherwise the default login name, with the admin instance appended to it, is used. If the -n switch is specified, the default login name is used as-is and the admin instance is not automatically appended to it.
kadmin has two mechanisms to authenticate the administrator. The first mechanism prompts the administrator for a password. The second uses the -k switch, which tells kadmin to look up the key in the v5srvtab file. With the -k switch, you can write shell scripts to automate administrative tasks. To use this switch, you must have read permission on the v5srvtab file.
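The following shell script is an added example, not code from the HP-UX manual or from the Kerberos Server product, of the checks a practitioner would wrap around a scripted, -k-style kadmin run. It derives the principal name the way the text describes (login name with the admin instance appended unless -n is in effect), refuses to proceed when the v5srvtab is readable by group or other, and looks the principal up in the admin_acl_file. The ACL line layout (one `principal permissions` pair per line, `#` comments), the `name/admin` spelling of the admin instance, and the file paths are assumptions, since this page specifies none of them; the sample files are constructed in the demo at the bottom.

```shell
#!/bin/sh
# Added example (not from the HP-UX Kerberos Server manual).
# Pre-flight checks for a keytab-driven (-k) kadmin script.
# Assumptions not stated on the page: admin_acl_file lines are
# "principal permissions" pairs with '#' comments; the admin instance
# is written in the usual Kerberos v5 form name/admin.

# Principal kadmin would use when none is given on the command line:
#   $1 = login name, $2 = "n" if the -n switch is in effect.
# Without -n the admin instance is appended; with -n the login name is bare.
default_admin_principal() {
    if [ "$2" = "n" ]; then
        printf '%s\n' "$1"
    else
        printf '%s/admin\n' "$1"
    fi
}

# A v5srvtab holds long-term keys. Return 0 only if the file exists, the
# owner can read it, and group/other have no permission bits at all
# (0600 or tighter). ls -l is used because stat(1) output formats differ
# between HP-UX and other systems.
keytab_mode_ok() {
    ktab="$1"
    [ -f "$ktab" ] || return 1
    perms=$(ls -l "$ktab" | cut -c2-10)   # skip the file-type column
    case "$perms" in
        r??------) return 0 ;;
        *)         return 1 ;;
    esac
}

# Print the permission field of the first ACL entry for a principal,
# or nothing if the principal has no entry.  $1 = acl file, $2 = principal.
acl_permissions() {
    awk -v p="$2" '$1 !~ /^#/ && $1 == p { print $2; exit }' "$1"
}

# Return 0 if the principal has an unrestricted ('*') ACL entry.
acl_unrestricted() {
    [ "$(acl_permissions "$1" "$2")" = "*" ]
}

# Combined pre-flight for a scripted run: keytab locked down and the
# principal present in the ACL.  $1 = keytab, $2 = acl file, $3 = principal.
preflight() {
    keytab_mode_ok "$1" || { echo "refusing: $1 is readable beyond its owner or missing" >&2; return 1; }
    [ -n "$(acl_permissions "$2" "$3")" ] || { echo "refusing: $3 has no entry in $2" >&2; return 1; }
    return 0
}

# Stand-alone demo on constructed files (a real script would point at the
# installed v5srvtab and admin_acl_file instead).
demo() {
    d=$(mktemp -d) || exit 1
    printf 'constructed keytab placeholder\n' > "$d/v5srvtab"
    chmod 600 "$d/v5srvtab"
    printf '# constructed ACL\nalice/admin *\nbob/admin i\n' > "$d/admin_acl_file"
    p=$(default_admin_principal alice)
    if preflight "$d/v5srvtab" "$d/admin_acl_file" "$p"; then
        echo "ok: $p may run a scripted kadmin -k session"
    fi
    rm -rf "$d"
}

[ "${KADMIN_DEMO:-0}" = "1" ] && demo
```

Run with `KADMIN_DEMO=1 sh script.sh` to exercise the demo; source the file instead to reuse the functions in your own scripts.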
All communications between the kadmin client and the server-side daemon are encrypted to prevent disclosure of information across the network.
Once you have been authenticated, use the kadmin commands to manage the principal database. The kadmin commands are discussed in the subsequent sections of this chapter.
NOTE The Command-Line-Administrator, kadmin, has limited capabilities. It cannot be used to control the following parameters of the user principals:
• administrative permissions
• default group principal
• maximum ticket lifetime and renew times
• adding new realms
• altering key types