From f75db61578303db06d39c7a235caa83dfd61606c Mon Sep 17 00:00:00 2001
From: Slawomir Koszewski <slawek@koszewscy.waw.pl>
Date: Sat, 16 May 2026 14:50:44 +0200
Subject: [PATCH] Enhance README with instructions for using kadmin remotely
 and locally

---
 README.md | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index ac24bfb..df578e4 100644
--- a/README.md
+++ b/README.md
@@ -168,7 +168,25 @@ kdestroy
 
 ## Managing principals
 
-Exec into the running container to use `kadmin.local` (no password required):
+### Remote (kadmin)
+
+`kadmin` connects to `kadmind` on port 749 from any machine with a valid `krb5.conf`. Authenticate as a principal with rights in `kadm5.acl`:
+
+```bash
+kadmin -p admin@REALM
+```
+
+With a keytab instead of a password prompt:
+
+```bash
+kadmin -p admin@REALM -k -t /path/to/admin.keytab
+```
+
+All commands below work identically in `kadmin` — replace `kadmin.local` with `kadmin -p admin@REALM`.
+
+### Local (kadmin.local)
+
+Exec into the running container — no authentication required, bypasses `kadmind` entirely:
 
 ```bash
 container exec -it kerberos bash