NAME
kprinc -- add/modify/delete kerberos principals.
SYNOPSIS
$ setup kprinc
$ kprinc [-d] [-?]
DESCRIPTION
kprinc is an administration utility to add and modify kerberos
principals.
ASSUMPTIONS
a) the person running the procedure must be in an account
which has MODERATOR privilege for the kerberos-announce
mailing list (so that new user principals can be
subscribed to this list).
- to check: from the node where kprinc is going
to be run, using the account under which kprinc
is going to be run, test by sending mail:
To: listserv@fnal.gov
Cc: <thisaccount-email-address>
The body should contain the line
subscribe kerberos-announce <real-email-address> *
(where <real-email-address> can be any address).
If this FAILS, then contact postmaster@fnal.gov to
gain moderator privileges.
b) the person must have access to an admin principal; by
default, we look for <default>/admin@PILOT.FNAL.GOV
where <default> is the current principal. This can be
overridden in the script (BUT, this part hasn't been
tested!)
c) the person must know the password to that admin principal.
EXAMPLE
The following is an example of an interactive session using
kprinc. The items of note are indicated, and discussed
below the example.
a) $ setup kprinc
b) $ kprinc
What is your kadmin principal (default = lauri/admin@PILOT.FNAL.GOV):
c) Enter the password for lauri/admin@PILOT.FNAL.GOV:
Choose from the following menu items:
0. Exit
1. Add new user.
2. Add new machine.
3. Add new admin.
4. Add new instances of existing principals.
5. Modify password for an existing user (or other principal).
6. Modify passwords for an existing machine.
7. Delete existing user.
8. Delete existing machine.
9. Delete an existing principal.
Which item number? (default = 0): 1
Add User (<CR> to terminate):
d) Enter the username[@realm]: loebel
e) Initial password: what#a#day!
f) Requestor's email address (default = loebel@fnal.gov):
now adding new principal loebel@PILOT.FNAL.GOV...
now subscribing loebel@fnal.gov to kerberos-announce mailing list...
now sending email notification to loebel@fnal.gov...
Add User (<CR> to terminate):
g) Enter the username[@realm]: laurelin
h) Initial password (default = what#a#day!):
Requestor's email address (default = laurelin@fnal.gov): loebel@fnal.gov
now adding new principal laurelin@PILOT.FNAL.GOV...
now subscribing loebel@fnal.gov to kerberos-announce mailing list...
now sending email notification to loebel@fnal.gov...
i) Add User (<CR> to terminate):
Enter the username[@realm]:
Choose from the following menu items:
0. Exit
1. Add new user.
2. Add new machine.
3. Add new admin.
4. Add new instances of existing principals.
5. Modify password for an existing user (or other principal).
6. Modify passwords for an existing machine.
7. Delete existing user.
8. Delete existing machine.
9. Delete an existing principal.
Which item number? (default = 0): 2
Add Machine (<CR> to terminate):
j) Enter the fully-qualified nodename[@realm]: bilbo.fnal.gov
Password for host/bilbo.fnal.gov: if#it#comes!
Password for ftp/bilbo.fnal.gov (default = if#it#comes!):
k) Requestor's email address: loebel@fnal.gov
now adding new principal host/bilbo.fnal.gov@PILOT.FNAL.GOV...
now adding new principal ftp/bilbo.fnal.gov@PILOT.FNAL.GOV...
now sending email notification to loebel@fnal.gov...
l) Add Machine (<CR> to terminate):
Enter the fully-qualified nodename[@realm]:
m) Choose from the following menu items:
0. Exit
1. Add new user.
2. Add new machine.
3. Add new admin.
4. Add new instances of existing principals.
5. Modify password for an existing user (or other principal).
6. Modify passwords for an existing machine.
7. Delete existing user.
8. Delete existing machine.
9. Delete an existing principal.
Which item number? (default = 0): 0
$
Discussion:
a) You must "setup kprinc" before you can use kprinc. (If you
"setup ktools", this will setup a number of kerberos
utilities, including kprinc).
b) This is the admin principal that will be used. Normally, the
program defaults should be acceptable.
c) This is the password for the admin principal. IT WILL NOT BE
ECHOED ON THE SCREEN. (But if you enter the wrong password,
you'll get to try again until you get it right).
d) This username should match the "official" FNAL username. If the
realm is NOT the default realm, you need to include it.
e) The initial password WILL be echoed to the screen (because whoever
creates the account must know what this password is, in order
to tell the user!). It will remain as the default password
for subsequent user principals being added.
f) Requestor's email address: the email address which is subscribed
to "kerberos-announce@fnal.gov" and where the notification message
is sent.
g) Note that you will remain in this menu item (e.g., in this case,
"Add new user principal") until you are done with all items of
this sort. Then you will be returned to the main menu.
h) Note also that the default password will remain the same while
you stay in this menu item.
i) When you are done entering all user principals (or with whatever
the current menu item does), just enter <CR> (carriage-return) to
go back to the main menu.
j) The fully-qualified nodename: in most cases, it will be
something.fnal.gov. Don't forget the fnal.gov!
k) There is no default for the requestor's email address; you will
need to know who asked for this machine to have kerberos installed
on it. If you don't know, just fill in "compdiv@fnal.gov".
l) Again, you'll continue with this menu item until you enter <CR>.
m) Entering <CR> at the main menu is equivalent to entering 0 (i.e.,
you'll exit).
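A pre-flight check for items d) and j), as an added example that is not part of kprinc: it derives the principal names shown in the session from the raw answers, so a missing realm or an unqualified nodename is caught before anything is typed at the prompts. The function names, the allowed character set and the "at least two dots" test for a fully-qualified name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not kprinc's own code.
DEFAULT_REALM="PILOT.FNAL.GOV"   # default realm seen in the example session

# split_realm "name[@realm]" -> prints "name realm", applying the default realm.
split_realm() {
    case "$1" in
        ""|@*|*@|*@*@*) return 1 ;;            # empty name or realm, or two '@'
        *[!A-Za-z0-9._@/-]*) return 1 ;;       # assumed character set, no spaces
        *@*) printf '%s %s\n' "${1%@*}" "${1#*@}" ;;
        *)   printf '%s %s\n' "$1" "$DEFAULT_REALM" ;;
    esac
}

# user_principal "username[@realm]" -> user@REALM (menu item 1).
user_principal() {
    pair=$(split_realm "$1") || return 1
    name=${pair% *}; realm=${pair#* }
    case "$name" in
        */*) return 1 ;;   # an instance such as lauri/admin is not a plain user
    esac
    printf '%s@%s\n' "$name" "$realm"
}

# machine_principals "nodename[@realm]" -> the host/ and ftp/ principals that
# menu item 2 adds for one node; fails if the name is not fully qualified.
machine_principals() {
    pair=$(split_realm "$1") || return 1
    node=${pair% *}; realm=${pair#* }
    case "$node" in
        .*|*.|*..*|*/*) return 1 ;;            # malformed nodename
        *.*.*) ;;                              # e.g. bilbo.fnal.gov
        *) return 1 ;;                         # "bilbo" alone: domain forgotten
    esac
    for svc in host ftp; do
        printf '%s/%s@%s\n' "$svc" "$node" "$realm"
    done
}

# Constructed sample answers, as they would be typed at the prompts.
for n in bilbo.fnal.gov bilbo; do
    machine_principals "$n" || echo "rejected: $n (not fully qualified)" >&2
done
```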
AUTHOR
Lauri Loebel Carpenter (lauri@fnal.gov)