Sun Microsystems, Inc.
Chapter 10

Administering Principals and Policies (Tasks)

This chapter provides procedures for managing principals and the policies that are associated with them. This chapter also shows how to manage a host's keytab file.

This chapter should be used by anyone who needs to administer principals and policies. Before you use this chapter, you should be familiar with principals and policies, including any planning considerations. Refer to Chapter 6, Introduction to SEAM and Chapter 7, Planning for SEAM, respectively.


Ways to Administer Principals and Policies

The Kerberos database on the master KDC contains all of your realm's Kerberos principals, their passwords, policies, and other administrative information. To create and delete principals, and to modify their attributes, you can use the kadmin or gkadmin commands.

The kadmin command provides an interactive command-line interface that enables you to maintain Kerberos principals, policies, and keytab files. There are two versions of the kadmin command:

  • kadmin, which uses Kerberos authentication to operate securely from anywhere on the network

  • kadmin.local, which must be run directly on the master KDC

Apart from kadmin's use of Kerberos to authenticate the user, the capabilities of the two versions are identical. The local version is necessary because it lets you set up enough of the database, directly on the master KDC, for the remote version to be usable.

Also, SEAM provides the SEAM Administration Tool, gkadmin, which is an interactive graphical user interface (GUI) that provides essentially the same capabilities as the kadmin command. See "SEAM Administration Tool" for more information.

SEAM Administration Tool

The SEAM Administration Tool is an interactive graphical user interface (GUI) that enables you to maintain Kerberos principals and policies. This tool provides much the same capabilities as the kadmin command. However, this tool does not support the management of keytab files. You must use the kadmin command to administer keytab files, as described in "Administering Keytab Files".

Similar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted RPC to operate securely from anywhere on the network. The SEAM Tool enables you to do the following:

  • Create new principals that are based on default values or existing principals

  • Create new policies that are based on existing policies

  • Add comments for principals

  • Set up default values for creating new principals

  • Log in as another principal without exiting the tool

  • Print or save principal lists and policy lists

  • View and search principal lists and policy lists

The SEAM Tool also provides context-sensitive help and general online help.


Also, go to "SEAM Tool Panel Descriptions" for descriptions of all the principal attributes and policy attributes that you can either specify or view in the SEAM Tool.

Command-Line Equivalents of the SEAM Tool

This section lists the kadmin commands that provide the same capabilities as the SEAM Tool. These commands can be used without running an X Window system. Even though most procedures in this chapter use the SEAM Tool, many procedures also provide corresponding examples that use the command-line equivalents.

Table 10-1 Command-Line Equivalents of the SEAM Tool

SEAM Tool Procedure                          Equivalent kadmin Command
View the list of principals                  list_principals or get_principals
View a principal's attributes
Create a new principal
Duplicate a principal                        No command-line equivalent
Modify a principal                           modify_principal or change_password
Delete a principal
Set up defaults for creating new principals  No command-line equivalent
View the list of policies                    list_policies or get_policies
View a policy's attributes
Create a new policy
Duplicate a policy                           No command-line equivalent
Modify a policy
Delete a policy

Files Modified by the SEAM Tool

The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This file contains the default values for creating new principals. You can update this file by choosing Properties from the Edit menu.

Print and Online Help Features of the SEAM Tool

The SEAM Tool provides both print features and online help features. From the Print menu, you can send the following to a printer or a file:

  • List of available principals on the specified master KDC

  • List of available policies on the specified master KDC

  • The currently selected principal or the loaded principal

  • The currently selected policy or the loaded policy

From the Help menu, you can access context-sensitive help and general help. When you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is displayed and the tool switches to help mode. In help mode, clicking any field, label, or button in the window displays help on that item in the Help window. To switch back to the tool's normal mode, click Dismiss in the Help window.

You can also choose Help Contents, which opens an HTML browser that provides pointers to the general overview and task information that is provided in this chapter.
