“main” (Installation and Administration) — 2004/6/25 — 13:29 — page 673 — #699
26
Security in the Network
To keep the system time in sync with an NTP server, you can also set up the host as an NTP client by selecting ‘NTP Configuration...’. After finishing the configuration, YaST performs all the necessary changes and the Kerberos client is ready for use.
26.6.7 Remote Kerberos Administration
To be able to add and remove principals from the Kerberos database without accessing the KDC’s console directly, tell the Kerberos administration server which principals are allowed to do what. Do this by editing the file /var/heimdal/kadmind.acl (ACL is an acronym for access control list). The ACL file allows you to specify privileges with a fine degree of control. For details, refer to the manual page with man 8 kadmind.
Right now, just grant yourself the privilege to do anything you want with the database by putting the following line into the file:
newbie/admin all
Replace the user name newbie with your own. Restart the KDC for the change to take effect.
Using kadmin for Remote Administration
You should now be able to perform Kerberos administration tasks remotely using the kadmin tool. First, obtain a ticket for your admin role and use that ticket when connecting to the kadmin server:
kinit newbie/admin
newbie/admin@SAMPLE.COM's Password: <enter password>
/usr/sbin/kadmin
kadmin> privs
change-password, list, delete, modify, add, get
Using the privs command, verify which privileges you have. The list shown above is the full set of privileges.
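Before handing out a line like "newbie/admin all", it helps to see what an ACL actually grants. The following is an added example, not code from the manual or from Heimdal: a small Python checker that parses kadmind.acl lines, expands "all" into the six privileges listed by privs above, and flags entries that hold every privilege on every principal. The SAMPLE_ACL text is constructed; the optional third field (a glob restricting which principals the rights apply to) is assumed from man 8 kadmind.

```python
"""Audit a Heimdal kadmind.acl file for the privileges it grants."""
import fnmatch

# Full privilege set, as printed by the kadmin 'privs' command.
ALL_PRIVS = {"change-password", "list", "delete", "modify", "add", "get"}

# Constructed sample ACL. Line format assumed from man 8 kadmind:
#   principal  right[,right...]  [principal-pattern]
# 'all' expands to every privilege; a third field, if present, limits the
# rights to target principals matching the glob (assumption, see lead-in).
SAMPLE_ACL = """\
# comment lines and blank lines are ignored
newbie/admin      all
helpdesk/admin    change-password,get   *@SAMPLE.COM
auditor/admin     list,get
"""

def parse_acl(text):
    """Return a list of (principal, privilege set, target pattern) entries."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (2, 3):
            raise ValueError("malformed ACL line: %r" % raw)
        principal, rights = fields[0], fields[1]
        pattern = fields[2] if len(fields) == 3 else "*"
        privs = set()
        for right in rights.split(","):
            if right == "all":
                privs |= ALL_PRIVS
            elif right in ALL_PRIVS:
                privs.add(right)
            else:
                raise ValueError("unknown right %r for %s" % (right, principal))
        entries.append((principal, privs, pattern))
    return entries

def has_privilege(entries, admin, priv, target):
    """True if 'admin' may perform 'priv' on principal 'target'."""
    return any(p == admin and priv in privs and fnmatch.fnmatchcase(target, pat)
               for p, privs, pat in entries)

def overprivileged(entries):
    """Principals holding every privilege on every target: review these first."""
    return sorted(p for p, privs, pat in entries
                  if privs == ALL_PRIVS and pat == "*")
```

Running overprivileged(parse_acl(SAMPLE_ACL)) reports newbie/admin, which is exactly what the "all" line above grants; the helpdesk entry shows how the same file can express a narrower role.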
As an example, modify the principal newbie:
kadmin> mod newbie
Max ticket life [1 day]:2 days
Max renewable life [1 week]:
Principal expiration time [never]:2005-01-01
Password expiration time [never]:
Attributes []:
673
SUSE LINUX Enterprise Server