Kerberos Cheatsheet
Log In
Directly access the KDC Database
sudo kadmin.local
Log into kadmin using a specific principal
kadmin -p $PRINCIPAL
Add Principal
A Kerberos principal is a unique identity to which Kerberos can assign tickets. They might represent a user or a computer.
Refer to the MIT Kerberos documentation on principal names (see References) for how to specify the name of $PRINCIPAL; typical examples are root/admin or john/admin@PROGRAMSTER.ORG.
sudo kadmin.local -q addprinc $PRINCIPAL
For a service or host, you probably want to generate a principal with a random key:
sudo kadmin.local -q "addprinc -randkey HTTP/my.domain.com@PROGRAMSTER.ORG"
List Principals
sudo kadmin.local -q list_principals
If you wanted to list all principals that start with HTTP:
sudo kadmin.local -q "list_principals HTTP*"
Change Principal's Password
Use the following command to safely change a principal's password (it will prompt you to enter it twice).
sudo kadmin.local -q "change_password $PRINCIPAL"
Enable Logging
Edit your kerberos config file:
sudo editor /etc/krb5.conf
Ensure there is a logging section (you will quite likely have to add it), e.g.:
[logging]
default = FILE:/var/log/krb5.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
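Adding the [logging] section by hand is easy to get wrong on a host that already has one (a duplicate section, or a clobbered custom log path). The following is an added example, not code from the original page: it parses the top-level sections of a krb5.conf-style file and appends only the logging keys that are missing, so it is safe to run repeatedly. The sample configuration it operates on is constructed for the example, and the default log paths are the ones shown above.

```python
"""Idempotently ensure a krb5.conf-style config has a [logging] section.

Added example (not from the original cheatsheet). It only understands
top-level "[section]" headers and "key = value" lines, which is enough
for the [logging] section; nested "{ }" blocks in other sections are
carried through untouched.
"""
import re

# Log destinations from the cheatsheet's example [logging] section.
LOGGING_ENTRIES = {
    "default": "FILE:/var/log/krb5.log",
    "kdc": "FILE:/var/log/krb5kdc.log",
    "admin_server": "FILE:/var/log/kadmind.log",
}

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def split_sections(text):
    """Split config text into an ordered list of (section_name, lines).

    Lines before the first header are kept under the name None.
    """
    sections = [(None, [])]
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            sections.append((match.group(1).strip(), []))
        else:
            sections[-1][1].append(line)
    return sections


def ensure_logging_section(text, entries=LOGGING_ENTRIES):
    """Return config text with a [logging] section containing each entry.

    Existing keys in [logging] keep their current value; only missing
    keys are appended. A [logging] section is created if absent.
    """
    sections = split_sections(text)
    if "logging" not in [name for name, _ in sections]:
        sections.append(("logging", []))

    out = []
    for name, lines in sections:
        if name is not None:
            if out and out[-1].strip():
                out.append("")  # blank line before a section header
            out.append(f"[{name}]")
        if name == "logging":
            present = set()
            for line in lines:
                if "=" in line and not line.lstrip().startswith("#"):
                    present.add(line.split("=", 1)[0].strip())
            for key, value in entries.items():
                if key not in present:
                    lines = lines + [f"    {key} = {value}"]
        out.extend(lines)
    return "\n".join(out) + "\n"


# Constructed sample krb5.conf without a [logging] section.
SAMPLE_CONF = """[libdefaults]
    default_realm = PROGRAMSTER.ORG

[realms]
    PROGRAMSTER.ORG = {
        kdc = kdc.programster.org
        admin_server = kdc.programster.org
    }
"""

if __name__ == "__main__":
    print(ensure_logging_section(SAMPLE_CONF))
```

To apply it to a real host you would read /etc/krb5.conf, pass its text through ensure_logging_section, and write the result back with root privileges; the realm-level admin_server inside [realms] is left alone because only the [logging] section is inspected.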
Request a Ticket-Granting Ticket (TGT)
kinit -p HTTP/sso-website.programster.org@PROGRAMSTER.ORG
Then run klist to show your tickets.
List Cached Tickets
To display a list of your currently cached Kerberos tickets, simply run:
klist
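When checking a host or a service account, the question is usually not "are there tickets" but "is the TGT still valid, and which tickets have expired". The following is an added example, not code from the original page: it parses the ticket table printed by klist and reports expired tickets and whether a live TGT (a krbtgt/ ticket) is present. The klist output it parses is constructed for the example, using the realm and HTTP principal from this cheatsheet; the timestamp format is assumed to be the MM/DD/YYYY form shown in the sample (klist's date format depends on version and locale, so a two-digit-year variant is also accepted).

```python
"""Parse klist output and flag expired tickets.

Added example (not from the original cheatsheet). Assumes the MIT klist
table layout: "Valid starting", "Expires", "Service principal" columns.
"""
import re
from datetime import datetime

# Constructed sample klist output (not captured from a real system).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: john@PROGRAMSTER.ORG

Valid starting       Expires              Service principal
06/17/2020 10:00:00  06/17/2020 20:00:00  krbtgt/PROGRAMSTER.ORG@PROGRAMSTER.ORG
06/17/2020 10:05:12  06/17/2020 20:00:00  HTTP/sso-website.programster.org@PROGRAMSTER.ORG
"""

# Two "date time" groups followed by the service principal.
TICKET_RE = re.compile(r"^(\S+ \S+)\s+(\S+ \S+)\s+(\S+)\s*$")

# Assumed timestamp formats; four-digit year first, two-digit as fallback.
TIME_FORMATS = ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S")


def parse_timestamp(text):
    """Return a datetime for a klist timestamp, or None if unrecognised."""
    for fmt in TIME_FORMATS:
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    return None


def parse_klist(output):
    """Return a list of dicts with 'start', 'expires' and 'service' keys.

    Header lines (cache name, default principal, column titles) do not
    parse as timestamps and are skipped.
    """
    tickets = []
    for line in output.splitlines():
        match = TICKET_RE.match(line)
        if not match:
            continue
        start = parse_timestamp(match.group(1))
        expires = parse_timestamp(match.group(2))
        if start is None or expires is None:
            continue
        tickets.append({"start": start, "expires": expires,
                        "service": match.group(3)})
    return tickets


def expired_tickets(output, now):
    """Service principals of tickets whose expiry is at or before `now`."""
    return [t["service"] for t in parse_klist(output) if t["expires"] <= now]


def has_valid_tgt(output, now):
    """True if an unexpired ticket-granting ticket (krbtgt/...) is cached."""
    return any(t["service"].startswith("krbtgt/") and t["expires"] > now
               for t in parse_klist(output))


if __name__ == "__main__":
    check_time = datetime(2020, 6, 17, 21, 0, 0)
    print("valid TGT:", has_valid_tgt(SAMPLE_KLIST, check_time))
    print("expired:", expired_tickets(SAMPLE_KLIST, check_time))
```

On a live system the output would come from running klist with subprocess; the parser compares against a caller-supplied time so it can be tested offline and reused in a monitoring check that alerts when a service host loses its TGT.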
References
- MIT Kerberos Documentation - kadmin
- web.mit.edu - What is a Kerberos Principal?
- Ubuntu Help - Kerberos
First published: 17th June 2020