From eca37d2f89586c04f8bb130cfee9986f147d8b16 Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski
Date: Sat, 16 May 2026 14:42:38 +0200
Subject: [PATCH] Enhance README with detailed instructions for managing principals and keytabs in Kerberos
---
 README.md | 65 +++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 58 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 5c63648..ac24bfb 100644
--- a/README.md
+++ b/README.md
@@ -168,22 +168,73 @@ kdestroy
 ## Managing principals
-Exec into the running container, then use `kadmin.local` (no password required):
+Exec into the running container to use `kadmin.local` (no password required):
 ```bash
 container exec -it kerberos bash
 ```
+### Principals
+
 ```bash
-# List all principals
+# List all principals (supports glob: "user*")
 kadmin.local -q "listprincs"
-# Add a user principal
-kadmin.local -q "addprinc username@REALM"
+# Inspect a principal
+kadmin.local -q "getprinc user@REALM"
-# Add a service principal and extract a keytab
-kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
-kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
+# Add a user principal
+kadmin.local -q "addprinc user@REALM"
+
+# Add a service principal (random key, no password)
+kadmin.local -q "addprinc -randkey service/host.example.org@REALM"
+
+# Change password
+kadmin.local -q "cpw -pw newpassword user@REALM"
+
+# Randomise key (invalidates existing tickets and keytabs)
+kadmin.local -q "cpw -randkey service/host.example.org@REALM"
+
+# Set expiry
+kadmin.local -q "modprinc -expire '2027-01-01' user@REALM"
+
+# Unlock after failed authentication lockout
+kadmin.local -q "modprinc -unlock user@REALM"
+
+# Delete a principal
+kadmin.local -q "delprinc user@REALM"
+```
+
+### Keytabs
+
+```bash
+# Extract keytab (randomises the principal's key)
+kadmin.local -q "ktadd -k /tmp/service.keytab service/host.example.org@REALM"
+
+# Extract without randomising key (-norandkey, preserves existing tickets)
+kadmin.local -q "ktadd -k /tmp/service.keytab -norandkey service/host.example.org@REALM"
+
+# Remove keytab entries for a principal
+kadmin.local -q "ktremove -k /tmp/service.keytab service/host.example.org@REALM all"
+```
+
+### Password policies
+
+```bash
+# Create a policy
+kadmin.local -q "addpol -minlength 12 -minclasses 3 -maxlife '90 days' -maxfailure 5 default"
+
+# Assign policy to a principal
+kadmin.local -q "modprinc -policy default user@REALM"
+
+# Inspect a policy
+kadmin.local -q "getpol default"
+
+# List policies
+kadmin.local -q "listpols"
+
+# Delete a policy (fails if any principal uses it)
+kadmin.local -q "delpol default"
 ```
 ## OpenLDAP SASL/GSSAPI integration