Enhance README with detailed instructions for managing principals and keytabs in Kerberos

2026-05-16 14:42:38 +02:00
parent f1be45c147
commit eca37d2f89
+58 -7
@@ -168,22 +168,73 @@ kdestroy
## Managing principals ## Managing principals
Exec into the running container, then use `kadmin.local` (no password required): Exec into the running container to use `kadmin.local` (no password required):
```bash ```bash
container exec -it kerberos bash container exec -it kerberos bash
``` ```
### Principals
```bash ```bash
# List all principals # List all principals (supports glob: "user*")
kadmin.local -q "listprincs" kadmin.local -q "listprincs"
# Add a user principal # Inspect a principal
kadmin.local -q "addprinc username@REALM" kadmin.local -q "getprinc user@REALM"
# Add a service principal and extract a keytab # Add a user principal
kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM" kadmin.local -q "addprinc user@REALM"
kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
# Add a service principal (random key, no password)
kadmin.local -q "addprinc -randkey service/host.example.org@REALM"
# Change password
kadmin.local -q "cpw -pw newpassword user@REALM"
# Randomise key (invalidates existing tickets and keytabs)
kadmin.local -q "cpw -randkey service/host.example.org@REALM"
# Set expiry
kadmin.local -q "modprinc -expire '2027-01-01' user@REALM"
# Unlock after failed authentication lockout
kadmin.local -q "modprinc -unlock user@REALM"
# Delete a principal
kadmin.local -q "delprinc user@REALM"
```
### Keytabs
```bash
# Extract keytab (randomises the principal's key)
kadmin.local -q "ktadd -k /tmp/service.keytab service/host.example.org@REALM"
# Extract without randomising key (-norandkey, preserves existing tickets)
kadmin.local -q "ktadd -k /tmp/service.keytab -norandkey service/host.example.org@REALM"
# Remove keytab entries for a principal
kadmin.local -q "ktremove -k /tmp/service.keytab service/host.example.org@REALM all"
```
### Password policies
```bash
# Create a policy
kadmin.local -q "addpol -minlength 12 -minclasses 3 -maxlife '90 days' -maxfailure 5 default"
# Assign policy to a principal
kadmin.local -q "modprinc -policy default user@REALM"
# Inspect a policy
kadmin.local -q "getpol default"
# List policies
kadmin.local -q "listpols"
# Delete a policy (fails if any principal uses it)
kadmin.local -q "delpol default"
``` ```
## OpenLDAP SASL/GSSAPI integration ## OpenLDAP SASL/GSSAPI integration
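Review bot: the "Change password" example `kadmin.local -q "cpw -pw newpassword user@REALM"` puts the new password on the command line, where it lands in shell history and is visible in the process list while the command runs; prefer `kadmin.local -q "cpw user@REALM"` (or `cpw` inside an interactive `kadmin.local` session), which prompts for the password instead, and reserve `-pw` for scripted use where the value is read from a protected source. Two smaller points in the same hunk: the Keytabs section writes to `/tmp/service.keytab` without saying that the file holds the service's long-term key and should be copied out of the container, restricted to the owning service account (mode 0600) and removed from `/tmp` afterwards, and the `addpol` example sets `-maxfailure 5` without `-lockoutduration`, so a locked principal stays locked until an admin runs the `modprinc -unlock` shown above; a one-line note under each would make the intended operational behaviour explicit.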