4.12. Adding Users to a Kerberos Realm

Problem

You want to add a new user to an existing MIT Kerberos-5 realm.

Solution

Use kadmin on any realm host:

$ kadmin
Authenticating as principal pat/admin@DOGOOD.ORG with password.

To add the user named joe:

kadmin: ank -policy users joe
Enter password for principal "joe@DOGOOD.ORG": ********
Re-enter password for principal "joe@DOGOOD.ORG": ********
Principal "joe@DOGOOD.ORG" created.

To give joe administrative privileges:

kadmin: ank -policy admin joe/admin
Enter password for principal "joe/admin@DOGOOD.ORG": ********
Re-enter password for principal "joe/admin@DOGOOD.ORG": ********
Principal "joe/admin@DOGOOD.ORG" created.

Then tell Joe his temporary user and admin passwords, which he should immediately change with kpasswd. When finished:

kadmin: quit

Discussion

This is the same procedure we used while setting up your KDC [Recipe 4.11]. You need not be on the KDC to do administration; you can do it remotely with kadmin. The program kadmin.local, which we used before, is only for bootstrapping or other exceptional situations.
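
The recipe relies on Joe changing his temporary passwords himself. As an added example (not from the book), the script below issues the same requests through addprinc (ank is an alias for it) with the +needchange attribute, which makes the KDC demand a new password at the principal's next initial authentication. The function names, the user-name check and the --apply switch are assumptions of this sketch.

```shell
#!/bin/sh
# Added example (not from the recipe): create the recipe's principals with
# +needchange so the KDC itself forces the first-login password change.
# ADMIN_PRINC and the policy names come from the recipe; the name check,
# function names and --apply switch are assumptions of this sketch.

ADMIN_PRINC="pat/admin"

# Accept only simple login names, so a crafted name cannot smuggle extra
# options (for example -pw) into the kadmin query.
valid_user() {
    case "$1" in
        ""|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print one kadmin query. $1 = policy, $2 = principal.
addprinc_query() {
    printf 'addprinc -policy %s +needchange %s\n' "$1" "$2"
}

# Print the queries for a new user; pass "admin" as $2 to add user/admin too.
onboard_queries() {
    valid_user "$1" || { echo "invalid user name: $1" >&2; return 1; }
    addprinc_query users "$1"
    [ "${2:-}" = "admin" ] && addprinc_query admin "$1/admin"
    return 0
}

# Run the queries. kadmin prompts on the terminal for the admin password
# and for each new principal's temporary password.
apply_onboarding() {
    valid_user "$1" || { echo "invalid user name: $1" >&2; return 1; }
    kadmin -p "$ADMIN_PRINC" -q "$(addprinc_query users "$1")" || return 1
    if [ "${2:-}" = "admin" ]; then
        kadmin -p "$ADMIN_PRINC" -q "$(addprinc_query admin "$1/admin")"
    fi
}

# Usage: sh onboard.sh --apply joe [admin]
if [ "${1:-}" = "--apply" ]; then
    apply_onboarding "${2:-}" "${3:-}"
fi
```

Without --apply the script does nothing; onboard_queries can be called on its own to review the exact requests before they are sent to the KDC.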

See Also

kadmin(8).
