Managing User Accounts in Kerberos
To manage user accounts in Kerberos, you need access to either the kadmin.local tool or the kadmin tool. kadmin.local opens the KDC database directly, so it only works on the KDC host itself and needs root; kadmin authenticates over the network as an admin principal and can be run from any client.
To use the kadmin.local tool, log onto the KDC host (the manager server in this setup) as root, or use sudo kadmin.local:
```
[ec2-user@ip-10-10-10-105 ~]$ sudo kadmin.local
Authenticating as principal cf/admin@CLOUDERA with password.
kadmin.local:
```
To use the kadmin tool, first run the klist command to see which credentials, if any, are already cached. A fresh login has none:
```
[ec2-user@ip-10-10-10-105 ~]$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
```
To obtain a ticket, use the kinit command with the principal name and enter the password when prompted:
```
[ec2-user@ip-10-10-10-105 ~]$ kinit cf
Password for cf@CLOUDERA:
```
If you don't specify a principal name, the kinit command uses your current username as the principal. When kadmin is started without a -p option it does not use this ticket directly; it appends /admin to the primary of the cached default principal (cf becomes cf/admin@CLOUDERA) and asks for that admin principal's password, so the cached principal must correspond to an admin principal that has been granted rights in the KDC's kadm5.acl. If klist shows a different principal than you expect, use kdestroy to discard the cache and run kinit again with the right name.
After this step, the klist command should show a result like this:
```
[ec2-user@ip-10-10-10-105 ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_500
Default principal: cf@CLOUDERA

Valid starting     Expires            Service principal
07/22/15 07:29:48  07/23/15 07:29:48  krbtgt/CLOUDERA@CLOUDERA
	renew until 07/29/15 07:29:48
```
Now run the kadmin command and enter the admin principal's password when prompted:
```
[ec2-user@ip-10-10-10-105 ~]$ kadmin
```
The question mark command (?) shows you a list of all commands available.
A principal name has the form primary/instance@REALM, and the instance tells you what the principal is used for. The instance is a naming convention, not an access control: what a principal may do in kadmin is decided by kadm5.acl, and what a service accepts is decided by the keys in its keytab.
- Admin principal, used to authenticate to kadmin:
  `<name>/admin@<REALM>`, for example `cf/admin@CLOUDERA`
- Service principal bound to one host:
  `<service>/<host>@<REALM>`, for example `HTTP/ip-10-10-10-195.eu-west-1.compute.internal` (when the realm is omitted, as here, kadmin fills in the local realm)
- User principal, with no instance:
  `<name>@<REALM>`, for example `cf@CLOUDERA`
- To add a principal to Kerberos, use the addprinc command:
```
kadmin.local: addprinc
usage: add_principal [options] principal
	options are:
		[-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
		[-kvno kvno] [-policy policy] [-clearpolicy] [-randkey] [-pw password]
		[-maxrenewlife maxrenewlife] [-e keysaltlist] [{+|-}attribute]
	attributes are:
		allow_postdated allow_forwardable allow_tgs_req allow_renewable
		allow_proxiable allow_dup_skey allow_tix requires_preauth
		requires_hwauth needchange allow_svr password_changing_service
		ok_as_delegate ok_to_auth_as_delegate no_auth_data_required

where,
	[-x db_princ_args]* - any number of database specific arguments.
			Look at each database documentation for supported arguments
```
-
To create a user with a specified password, run `addprinc <name>` and enter the password when prompted, or pass it on the command line:
```
addprinc -pw <password> <name>
```
Passing -pw puts the password into shell history and process listings, so prefer the interactive prompt for human users. Service principals never log in with a password; create them with `addprinc -randkey <name>`, which generates a random key that you then export to a keytab with ktadd.
To change the maximum ticket lifetime of a principal, use the -maxlife parameter with the addprinc or modprinc command. In the first example below tickets for the principal may live up to 30 days; in the second, up to 12 hours:
```
modprinc -maxlife 30d cf
addprinc -maxlife 12h -randkey cf
```
Note: -maxlife is only one of several caps. The lifetime a client actually gets is the smallest of the lifetime it requests (ticket_lifetime in /etc/krb5.conf on the client), the principal's own maxlife, the maxlife of the krbtgt/<REALM> principal, and the realm's max_life in the KDC's kdc.conf. Raising maxlife on a user principal therefore has no visible effect unless the other limits allow it.
To create keytab files, use the ktadd command:
```
kadmin.local: ktadd
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]
```
Example:
```
ktadd -norandkey -k <file> <name1> <name2> ... <nameN>
```
By default ktadd generates a new random key and increments the principal's key version number (kvno), which invalidates the principal's current password and every keytab written earlier; -norandkey keeps the existing key and kvno, but it is only available in kadmin.local, not in the remote kadmin. A keytab is a long-term credential equivalent to the principal's password: write it with mode 0600, owned by the service account that will read it, and verify the result with `klist -kt <file>`.
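As an added example (not code from the wiki page or from the project it documents), the following script ties the steps above together: it shows which admin principal kadmin will derive from the cached ticket described in the kinit/kadmin section, then creates a host-based service principal with `addprinc -randkey` and exports its key with `ktadd`, which is how the addprinc and ktadd sections are usually combined in practice. The realm CLOUDERA, the service name HTTP, the host names, the keytab path, the KADMIN and REALM variables and the function names are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original wiki page: a small provisioning script
# that combines the page's kinit/kadmin, addprinc -randkey and ktadd steps.
# Assumptions (mine, not the page's): realm CLOUDERA; the script runs on the
# KDC host with sudo rights for kadmin.local; KADMIN can be pointed at a
# stand-in such as "echo" for a dry run that only prints the kadmin commands.

KADMIN="${KADMIN:-sudo kadmin.local}"
REALM="${REALM:-CLOUDERA}"

# Derive the principal kadmin authenticates as when started without -p:
# it appends /admin to the primary of the ccache's default principal.
# Reads `klist` output on stdin and prints e.g. cf/admin@CLOUDERA.
admin_principal_from_klist() {
    sed -n 's|^Default principal: \([^/@]*\)[^@]*@\(.*\)$|\1/admin@\2|p'
}

# kadmin command that creates a host-based service principal with a random key.
# +requires_preauth stops offline cracking of AS-REP data for this principal;
# -maxlife 12h caps its ticket lifetime (still bounded by krbtgt and kdc.conf).
addprinc_cmd() {
    # $1 = service (e.g. HTTP), $2 = host FQDN
    printf 'addprinc -randkey +requires_preauth -maxlife 12h %s/%s@%s' \
        "$1" "$2" "$REALM"
}

# kadmin command that exports the principal's key to a keytab. Plain ktadd
# rotates the key (kvno+1) and so invalidates every older keytab for this
# principal; -norandkey avoids that but exists only in kadmin.local.
ktadd_cmd() {
    # $1 = keytab path, $2 = service, $3 = host FQDN
    printf 'ktadd -k %s %s/%s@%s' "$1" "$2" "$3" "$REALM"
}

# Create the principal, export the keytab, then verify what was written.
provision_service() {
    service="$1"; fqdn="$2"; keytab="$3"
    $KADMIN -q "$(addprinc_cmd "$service" "$fqdn")" || return 1
    # A keytab is a long-term credential: create it 0600 (the umask is
    # inherited through sudo by default) and hand it only to the service user.
    ( umask 077; $KADMIN -q "$(ktadd_cmd "$keytab" "$service" "$fqdn")" ) || return 1
    if [ -f "$keytab" ]; then
        klist -kt "$keytab"   # lists kvno and timestamp of each exported key
    fi
}

# Real run:  provision_service HTTP web01.example.internal /etc/http.keytab
# Dry run:   KADMIN=echo provision_service HTTP web01.example.internal /tmp/x.keytab
```

Set KADMIN=echo to see the kadmin commands without touching the database. After a real run, the `klist -kt` listing is the check that the keytab carries the kvno the KDC now has for the principal; a service still holding an older keytab will fail to decrypt tickets until it is given the new file.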
- modprinc: Modifies an existing Kerberos principal (attributes, lifetimes, policy).
- listprincs: Lists all Kerberos principals, services and admin principals included, not only users.
- delprinc name: Deletes the principal. Any keytab or password that was issued for it stops working.
- cpw name (alias of change_password): Sets a new password for the principal. As an administrator you are not asked for the current password; you enter the new password and confirm it.