
Managing User Accounts in Kerberos

Daniel Smith edited this page Nov 16, 2016 · 3 revisions


To manage user accounts in Kerberos, you need access to either the kadmin.local tool or the kadmin tool.

The kadmin.local tool

To use the kadmin.local tool, either log on to the manager server as root or run sudo kadmin.local:

```
[ec2-user@ip-10-10-10-105 ~]$ sudo kadmin.local
Authenticating as principal cf/admin@CLOUDERA with password.
kadmin.local:
```

The kadmin tool

  1. To use the kadmin tool, first run the klist command to make sure that you don't have any active principals in Kerberos:

     ```
     [ec2-user@ip-10-10-10-105 ~]$ klist
     klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)
     ```

  2. To initialize a new client, use the kinit command and enter the password:

     ```
     [ec2-user@ip-10-10-10-105 ~]$ kinit cf
     Password for cf@CLOUDERA:
     ```

  3. If you don't specify a principal name, the kinit command uses your current username. The principal must have access to the admin console, and its name should end with /admin. Otherwise, check your principal name; if something is wrong, use kdestroy to destroy the session and run kinit again to create a new one.

  4. After this step, the klist command should show a result like this:

     ```
     [ec2-user@ip-10-10-10-105 ~]$ klist
     Ticket cache: FILE:/tmp/krb5cc_500
     Default principal: cf@CLOUDERA

     Valid starting     Expires            Service principal
     07/22/15 07:29:48  07/23/15 07:29:48  krbtgt/CLOUDERA@CLOUDERA
             renew until 07/29/15 07:29:48
     ```

  5. Run the kadmin command and enter the password.

Managing accounts in Kerberos

Inside kadmin, the question mark command (?) lists all available commands.

Principal privileges

Each principal's access is described by its name:

  • Access to the admin console: <name>/admin@<domain>, for example cf/admin@CLOUDERA
  • Access to a specified host: <name>/<host>@<domain>, for example HTTP/ip-10-10-10-195.eu-west-1.compute.internal
  • Access to all hosts: <name>@<domain>, for example cf@CLOUDERA
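The naming scheme above, and the check in step 3 of the kadmin procedure that the principal you kinit as should end in /admin, can both be automated. The script below is an added example, not part of the original wiki page: it splits a principal into primary, instance and realm, classifies it as admin, host or user according to the three forms listed above, and reads the "Default principal:" line of klist output to decide whether you are ready to run kadmin. The klist text embedded in it is constructed sample data, not a capture from the page's host.

```shell
#!/bin/sh
# Added example (not from the original wiki page): classify Kerberos principal
# names and check the default principal of a credential cache before kadmin.

# principal_parts PRINCIPAL
# Prints "primary instance realm"; a missing instance or realm prints as "-".
# Returns 1 when the primary is empty or a "/" is followed by nothing.
principal_parts() {
    p=$1
    case $p in
        *@*) realm=${p##*@}; rest=${p%@*} ;;
        *)   realm=-;        rest=$p ;;
    esac
    case $rest in
        */*) primary=${rest%%/*}; instance=${rest#*/}
             [ -n "$instance" ] || return 1 ;;
        *)   primary=$rest;       instance=- ;;
    esac
    [ -n "$primary" ] || return 1
    [ -n "$realm" ]   || realm=-
    printf '%s %s %s\n' "$primary" "$instance" "$realm"
}

# principal_class PRINCIPAL -> admin | host | user, or "invalid" with status 1
principal_class() {
    parts=$(principal_parts "$1") || { echo invalid; return 1; }
    instance=${parts#* }; instance=${instance%% *}   # second field
    case $instance in
        admin) echo admin ;;   # <name>/admin@<domain>: admin console access
        -)     echo user ;;    # <name>@<domain>: access to all hosts
        *)     echo host ;;    # <name>/<host>@<domain>: bound to one host
    esac
}

# klist_default_principal
# Reads klist output on stdin and prints the "Default principal:" value.
klist_default_principal() {
    sed -n 's/^Default principal:[[:space:]]*//p'
}

# kadmin_ready
# Reads klist output on stdin. Succeeds when a credential cache exists and
# its default principal is of the <name>/admin@<domain> form; otherwise
# prints the recovery step the page describes (kdestroy, then kinit again).
kadmin_ready() {
    princ=$(klist_default_principal)
    if [ -z "$princ" ]; then
        echo "no credential cache found: run kinit <name>/admin first"
        return 1
    fi
    cls=$(principal_class "$princ") || true
    if [ "$cls" != admin ]; then
        echo "default principal $princ is a $cls principal, not <name>/admin: run kdestroy, then kinit again"
        return 1
    fi
    echo "ready: $princ"
}

# Constructed klist output used for the demonstration below.
SAMPLE_ADMIN_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: cf/admin@CLOUDERA

Valid starting     Expires            Service principal
07/22/15 07:29:48  07/23/15 07:29:48  krbtgt/CLOUDERA@CLOUDERA
        renew until 07/29/15 07:29:48'

SAMPLE_USER_KLIST='Ticket cache: FILE:/tmp/krb5cc_500
Default principal: cf@CLOUDERA'

SAMPLE_NO_CACHE='klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_500)'

for p in cf/admin@CLOUDERA HTTP/ip-10-10-10-195.eu-west-1.compute.internal cf@CLOUDERA; do
    printf '%-55s %s\n' "$p" "$(principal_class "$p")"
done
printf '%s\n' "$SAMPLE_ADMIN_KLIST" | kadmin_ready
printf '%s\n' "$SAMPLE_USER_KLIST"  | kadmin_ready || :
printf '%s\n' "$SAMPLE_NO_CACHE"    | kadmin_ready || :
```

In practice you would pipe the real command into the check, as in klist 2>&1 | kadmin_ready, before starting kadmin; the functions only read text, so they work the same on the sample and on live output.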

Creating a principal (user)

  1. To add a principal to Kerberos, use the addprinc command:

     ```
     kadmin.local:  addprinc
     usage: add_principal [options] principal
         options are:
             [-x db_princ_args]* [-expire expdate] [-pwexpire pwexpdate] [-maxlife maxtixlife]
             [-kvno kvno] [-policy policy] [-clearpolicy] [-randkey] [-pw password]
             [-maxrenewlife maxrenewlife] [-e keysaltlist] [{+|-}attribute]
         attributes are:
             allow_postdated allow_forwardable allow_tgs_req allow_renewable
             allow_proxiable allow_dup_skey allow_tix requires_preauth
             requires_hwauth needchange allow_svr password_changing_service
             ok_as_delegate ok_to_auth_as_delegate no_auth_data_required

     where,
         [-x db_princ_args]* - any number of database specific arguments.
             Look at each database documentation for supported arguments
     ```

  2. To create a user with a specified password, run addprinc <name> and enter the password when prompted, or pass it on the command line:

     ```
     addprinc -pw <password> <name>
     ```

     You can also create a user with a random password, which is what services normally get, with the addprinc -randkey command.

Token lifetime

To change the token lifetime, use the -maxlife parameter with the addprinc or modprinc command. The token in the first example below expires after 30 days; the token in the second expires after 12 hours:

```
modprinc -maxlife 30d cf
addprinc -maxlife 12h -randkey cf
```

Note: The value you enter cannot exceed the ticket_lifetime limit specified in the Kerberos configuration file, which is /etc/krb5.conf by default.
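The note above is easy to violate by hand, because -maxlife accepts several duration spellings and the limit lives in a different file. The script below is an added example, not part of the original wiki page: it converts the duration forms krb5 accepts ("30d", "12h", "1d12h30m", a bare number of seconds, or "h:m[:s]") to seconds, reads ticket_lifetime from the [libdefaults] section of a krb5.conf, and reports whether a proposed -maxlife value stays within it. The krb5.conf embedded in it is constructed sample data (the kdc host name in it is a placeholder), and falling back to 24h when ticket_lifetime is absent follows krb5's documented default of one day.

```shell
#!/bin/sh
# Added example (not from the original wiki page): check a -maxlife value
# against the ticket_lifetime limit in krb5.conf before running modprinc.

# dec NUMBER -> the same number without leading zeros, so $(( )) never
# reads a value such as "08" as octal.
dec() { v=${1#"${1%%[!0]*}"}; echo "${v:-0}"; }

# duration_seconds DURATION -> prints the duration in seconds
# Accepts "30d", "12h", "1d12h30m", "36000" (seconds) and "h:m[:s]".
# Returns 1 for anything it cannot parse.
duration_seconds() {
    d=$1 total=0
    case $d in
        '') return 1 ;;
        *:*)                                   # h:m[:s]
            h=${d%%:*}; rest=${d#*:}
            case $rest in
                *:*) m=${rest%%:*}; s=${rest#*:} ;;
                *)   m=$rest;       s=0 ;;
            esac
            for v in "$h" "$m" "$s"; do
                case $v in ''|*[!0-9]*) return 1 ;; esac
            done
            h=$(dec "$h"); m=$(dec "$m"); s=$(dec "$s")
            echo $(( h * 3600 + m * 60 + s ))
            return 0 ;;
        *[!0-9dhms]*) return 1 ;;              # stray characters
    esac
    while [ -n "$d" ]; do                      # NdNhNmNs, in any order
        n=${d%%[dhms]*}                        # leading digits
        case $n in ''|*[!0-9]*) return 1 ;; esac
        d=${d#"$n"}
        case $d in
            '') unit=s ;;                      # bare number means seconds
            *)  unit=${d%"${d#?}"}; d=${d#?} ;;
        esac
        n=$(dec "$n")
        case $unit in
            d) total=$(( total + n * 86400 )) ;;
            h) total=$(( total + n * 3600 )) ;;
            m) total=$(( total + n * 60 )) ;;
            s) total=$(( total + n )) ;;
        esac
    done
    echo "$total"
}

# krb5_ticket_lifetime
# Reads a krb5.conf on stdin and prints ticket_lifetime from [libdefaults].
krb5_ticket_lifetime() {
    awk '
        /^[[:space:]]*\[libdefaults\]/ { inlib = 1; next }
        /^[[:space:]]*\[/              { inlib = 0 }
        inlib && /^[[:space:]]*ticket_lifetime[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*(#.*)?$/, "")
            print; exit
        }'
}

# check_maxlife DURATION < krb5.conf
# Succeeds when DURATION does not exceed ticket_lifetime (default 24h).
check_maxlife() {
    want=$(duration_seconds "$1") || { echo "bad duration: $1"; return 2; }
    limit_str=$(krb5_ticket_lifetime); limit_str=${limit_str:-24h}
    limit=$(duration_seconds "$limit_str") || { echo "bad ticket_lifetime: $limit_str"; return 2; }
    if [ "$want" -gt "$limit" ]; then
        echo "-maxlife $1 (${want}s) exceeds ticket_lifetime $limit_str (${limit}s)"
        return 1
    fi
    echo "-maxlife $1 (${want}s) is within ticket_lifetime $limit_str (${limit}s)"
}

# Constructed krb5.conf used for the demonstration below.
SAMPLE_KRB5_CONF='[libdefaults]
    default_realm = CLOUDERA
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    CLOUDERA = {
        kdc = KDC_HOST_PLACEHOLDER
    }'

printf '%s\n' "$SAMPLE_KRB5_CONF" | check_maxlife 30d || :
printf '%s\n' "$SAMPLE_KRB5_CONF" | check_maxlife 12h
```

Against a live system the same check is check_maxlife 30d < /etc/krb5.conf; run it before the modprinc so a value the KDC will silently cap does not end up in the principal database.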

Creating a keytab file

To create keytab files, use the ktadd command:

```
kadmin.local:  ktadd
Usage: ktadd [-k[eytab] keytab] [-q] [-e keysaltlist] [-norandkey] [principal | -glob princ-exp] [...]
```

Example:

```
ktadd -norandkey -k <file> <name1> <name2> ... <nameN>
```
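A keytab holds the long-term keys of every principal listed, so the file the example above writes deserves the same care as a private key. The wrapper below is an added example, not part of the original wiki page: it runs the page's ktadd -norandkey -k <file> <name...> query through kadmin.local -q with a restrictive umask, refuses to append to an existing keytab, and verifies afterwards that only the owner can read the result. The KADMIN variable is an assumption introduced here so the wrapper can be exercised without a KDC; it defaults to kadmin.local as used on the page.

```shell
#!/bin/sh
# Added example (not from the original wiki page): write a keytab with ktadd
# and make sure it ends up readable by its owner only.
KADMIN=${KADMIN:-kadmin.local}   # assumed knob; the page uses kadmin.local

# keytab_mode FILE -> the ten-character permission field of ls -l, e.g. -rw-------
keytab_mode() { ls -ld "$1" | cut -c1-10; }

# keytab_is_private FILE -> succeeds only when group and others have no access
keytab_is_private() {
    case $(keytab_mode "$1") in
        -rw-------|-r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# make_keytab FILE NAME... -> extracts the listed principals' keys into FILE
make_keytab() {
    file=$1; shift
    if [ $# -eq 0 ]; then
        echo "usage: make_keytab FILE NAME..." >&2
        return 2
    fi
    if [ -e "$file" ]; then
        # ktadd appends to an existing keytab; be explicit rather than merge keys by accident
        echo "$file already exists; remove it or choose another name" >&2
        return 1
    fi
    # umask 077 in a subshell: the file is never group- or world-readable, even briefly
    ( umask 077 && "$KADMIN" -q "ktadd -norandkey -k $file $*" ) || return 1
    chmod 600 "$file" || return 1
    if keytab_is_private "$file"; then
        echo "keytab $file written for: $* (mode $(keytab_mode "$file"))"
    else
        echo "keytab $file has mode $(keytab_mode "$file"); expected owner-only" >&2
        return 1
    fi
}
```

Typical use on the KDC host is sudo sh -c 'make_keytab /etc/security/keytabs/http.keytab HTTP/<host>' followed by chown to the service account that will read the file; the ownership step is outside what this wrapper does.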

Other useful commands

  • modprinc: Modifies a Kerberos principal.
  • listprincs: Shows all Kerberos principals (users).
  • delprinc name: Deletes a principal.
  • cpw name: Changes the password for a user. You must enter the current password and confirm it.