12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


Enabling Kerberos

Principals must be explicitly added using the add_principal command to kadmin or kadmin.local. The kadmin and kadmin.local utilities offer the same functionality except that the kadmin.local utility can only be run on the master KDC and does not authenticate through Kerberos. Because the KDC service hasn’t been started yet, add at least one administrative principal using the kadmin.local utility. Additional principals, both administrators and non-administrators, can be added during this setup phase, or they can be added later.

NOTE
If the kadmin command is used, the principal adding, modifying, or deleting principals must have permission to do so using the Kerberos ACLs as described in the “Setting Access Control Lists for Kerberos” section.

Start the kadmin shell by executing kadmin.local as the root user on the KDC server. To add a principal, use the following command:

add_principal

TIP
To view a list of valid commands while in the kadmin or kadmin.local shell, press the Tab key twice.

Replace with the username such as tfox/admin. Table 12.1 shows available.

TABLE 12.1 Principal Options

Restriction Flags     Description
-expire               Set expiration date for the principal.
-pwexpire             Set the password expiration date.
-maxlife              Set maximum ticket life for the principal.
-maxrenewlife         Set maximum renewable ticket life for the principal.
-kvno                 Set the key version number.
-policy               Set policy for the principal. If no policy is set, the policy name default is used if it exists. A warning message is printed if a principal doesn’t have a policy.
-clearpolicy          Do not assign the principal the “default” policy if one is not specified with -policy.
-allow_postdated      Do not allow the principal to retrieve post-dated tickets. +allow_postdated clears this preference.
-allow_forwardable    Do not allow the principal to retrieve forwardable tickets. +allow_forwardable clears this preference.
-allow_renewable      Do not allow the principal to retrieve renewable tickets. +allow_renewable clears this preference.
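The following shell helper is an added example, not code from the book: it composes an add_principal query from the Table 12.1 flags (options first, principal name last) and passes it to kadmin.local with its -q option. The function names, the DRY_RUN variable, and the choice to apply the three restrictive flags to every */admin principal are assumptions of this example.

```shell
#!/bin/sh
# Added example. Hypothetical helper names; kadmin.local, its -q option,
# add_principal and the flags from Table 12.1 are the only real identifiers.

# Accept only characters expected in a principal or policy name, and refuse a
# leading - or + so a name can never be read by kadmin as another flag.
valid_token() {
    case "$1" in
        ""|-*|+*|*[!A-Za-z0-9._/@-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# build_query PRINCIPAL [POLICY]
# Prints the add_principal query. Principals with an /admin instance get the
# restrictive ticket flags (a hardening choice assumed by this example).
build_query() {
    princ=$1
    policy=${2:-}
    valid_token "$princ" || { echo "invalid principal: $princ" >&2; return 1; }
    q="add_principal"
    case "$princ" in
        */admin|*/admin@*)
            q="$q -allow_postdated -allow_forwardable -allow_renewable" ;;
    esac
    if [ -n "$policy" ]; then
        valid_token "$policy" || { echo "invalid policy: $policy" >&2; return 1; }
        q="$q -policy $policy"
    fi
    echo "$q $princ"
}

# add_princ PRINCIPAL [POLICY]
# Dry run by default: prints the command. Set DRY_RUN=0 as root on the KDC to
# run it; kadmin.local then prompts for the new principal's password.
add_princ() {
    q=$(build_query "$@") || return 1
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "kadmin.local -q \"$q\""
    else
        kadmin.local -q "$q"
    fi
}

# Constructed sample call using the page's example name.
add_princ tfox/admin
```

A flag set this way can be reversed later with its + form, as the table notes for +allow_postdated, +allow_forwardable and +allow_renewable.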
