Directly access the KDC Database
Log into kadmin using a specific principal
kdadmin -p $PRINCIPAL
A Kerberos principal is a unique identity to which Kerberos can assign tickets. They might represent a user or a computer.
Refer here for how to specify the name of
$PRINCIPAL, but it might be
sudo kadmin.local -q addprinc $PRINCIPAL
For a service or host, you probably want to generate a principal with a random key:
sudo kadmin.local -q "addprinc -randkey HTTP/my.domain.com@PROGRAMSTER.ORG"
sudo kadmin.local -q list_principals
If you wanted to list all principals that start with HTTP:
sudo kadmin.local -q "list_principals HTTP*"
Change Principal's Password
Use the following command to safely change a principal's password (will prompt you to enter it twice).
sudo kadmin.local -q "change_password $PRINCIPAL"
Edit your kerberos config file:
sudo editor /etc/krb5.conf
Ensure there is a logging section (you will quite likely have to add it) E.g.
[logging] default = FILE:/var/log/krb5.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log
Request a Ticket-Granting Ticket (TGT)
kinit -p HTTP/sso-website.programster.org@PROGRAMSTER.ORG
klist to show your tickets.
List Cached Tickets
To display a list of your currently cached Kerberos tickets, simply run:
- MIT Kerberos Documentation - kadmin
- web.mit.edu - What is a Kerberos Principal?
- Ubuntu Help - Kerberos
First published: 17th June 2020