Enhance README with detailed instructions for managing principals and keytabs in Kerberos

2026-05-16 14:42:38 +02:00
parent f1be45c147
commit eca37d2f89
1 changed files with 58 additions and 7 deletions
@@ -168,22 +168,73 @@ kdestroy

 ## Managing principals

-Exec into the running container, then use `kadmin.local` (no password required):
+Exec into the running container to use `kadmin.local` (no password required):

 ```bash
 container exec -it kerberos bash
 ```

+### Principals
+
 ```bash
-# List all principals
+# List all principals (supports glob: "user*")
 kadmin.local -q "listprincs"

-# Add a user principal
-kadmin.local -q "addprinc username@REALM"
+# Inspect a principal
+kadmin.local -q "getprinc user@REALM"

-# Add a service principal and extract a keytab
-kadmin.local -q "addprinc -randkey ldap/ldap.example.org@REALM"
-kadmin.local -q "ktadd -k /tmp/ldap.keytab ldap/ldap.example.org@REALM"
+# Add a user principal
+kadmin.local -q "addprinc user@REALM"
+
+# Add a service principal (random key, no password)
+kadmin.local -q "addprinc -randkey service/host.example.org@REALM"
+
+# Change password
+kadmin.local -q "cpw -pw newpassword user@REALM"
+
+# Randomise key (invalidates existing tickets and keytabs)
+kadmin.local -q "cpw -randkey service/host.example.org@REALM"
+
+# Set expiry
+kadmin.local -q "modprinc -expire '2027-01-01' user@REALM"
+
+# Unlock after failed authentication lockout
+kadmin.local -q "modprinc -unlock user@REALM"
+
+# Delete a principal
+kadmin.local -q "delprinc user@REALM"
+```
+
+### Keytabs
+
+```bash
+# Extract keytab (randomises the principal's key)
+kadmin.local -q "ktadd -k /tmp/service.keytab service/host.example.org@REALM"
+
+# Extract without randomising key (-norandkey, preserves existing tickets)
+kadmin.local -q "ktadd -k /tmp/service.keytab -norandkey service/host.example.org@REALM"
+
+# Remove keytab entries for a principal
+kadmin.local -q "ktremove -k /tmp/service.keytab service/host.example.org@REALM all"
+```
+
+### Password policies
+
+```bash
+# Create a policy
+kadmin.local -q "addpol -minlength 12 -minclasses 3 -maxlife '90 days' -maxfailure 5 default"
+
+# Assign policy to a principal
+kadmin.local -q "modprinc -policy default user@REALM"
+
+# Inspect a policy
+kadmin.local -q "getpol default"
+
+# List policies
+kadmin.local -q "listpols"
+
+# Delete a policy (fails if any principal uses it)
+kadmin.local -q "delpol default"
 ```

 ## OpenLDAP SASL/GSSAPI integration