
Admin Notes

Kerberos 5 admin in the CITI Realm

Spring 2009 notes

To add someone to Kerberos:
  • SSH to babylon (Check the SSH host keys)
  • Run /usr/krb5/sbin/kadmin.local as root
  • Use the addprinc command

kaserver to MIT K5 conversion

We used the AFS to K5 migration kit from Ken Hornstein of the Naval Research Laboratory. This kit provides auxiliary programs to the MIT K5 distribution that allow transparent migration from using an AFS kaserver for authentication to using an MIT K5 KDC for authentication. See this picture for a flow of how things fit together. The fakeka, ka-forwarder, and aklog programs are provided in the migration kit. In addition to the picture, there is a kadmind4 server provided with the MIT code that allows a user to change their password using a Kerberos 4 version of the kpasswd program.

Note that the AFS kpasswd program can no longer be used to change CITI cell passwords.

November 2003 updates

  • As of MIT Kerberos 5 release 1.3, the fakeka program is now provided in the base distribution from MIT.
  • We no longer run kadmind4. Password changes need to be done using a K5 kpasswd program.

Binary locations

The binaries currently in use on (aka are located in /usr/krb5/. The 'system' binaries are in the sbin directory and the user binaries are in bin. The source for this code is currently in /afs/ There are several builds for different platforms in sister directories.

N.B. (ph, 25 april 2005): The kadmin command can sometimes be found in


Configuration files, etc.

/etc/krb5.conf is the general use K5 configuration file. It defines the default realm for a machine and server locations for all known realms. It also defines log file information for the kdc and admin server (kadmind). Here is an example of a minimal krb5.conf file for the CITI realm. The configuration file for the KDC (and other programs) has a default location of /usr/krb5/var/krb5kdc/kdc.conf. /usr/krb5/var/krb5kdc/ is also the default location for the actual database files and various other related files.

Changes are also required in /etc/services to locate kerberos services. Here are the changes required in /etc/services for a client machine.

Basic Administration

Adding new users

The kas create command is no longer used to create new principals in the cell.  Instead, the kadmin command is used.  To create a new user:
/krb5/sbin/kadmin -p admin/admin
< you'll be prompted for the password of admin/admin>
kadmin: addprinc exampleid
< you'll be prompted for the user's initial password twice>

Deleting users

kadmin: delprinc exampleid
<you'll be asked to verify the deletion>

Managing users

To change the ticket lifetime for an individual user:
kadmin: modprinc -maxlife "2 hours" exampleid
(This changes the default TGT lifetime to 2 hours for this user.)

To change a user's password:
kadmin: cpw exampleid
Enter password for principal "exampleid":
Re-enter password for principal "exampleid":

To list the attributes of a principal:
kadmin: getprinc kwc
Principal: kwc@CITI.UMICH.EDU
Expiration date: Wed Dec 30 19:00:00 EST 2037
Last password change: Wed Apr 22 08:05:02 EDT 1998
Password expiration date: Fri Apr 24 08:05:02 EDT 1998
Maximum ticket life: 1 day 01:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Thu Apr 23 07:40:30 EDT 1998 (admin/admin@CITI.UMICH.EDU)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 11, DES cbc mode with CRC-32, no salt
Key: vno 11, DES cbc mode with CRC-32, AFS version 3
Policy: kwcpolicy

To list policy information:
kadmin: getpol kwcpolicy
Policy: kwcpolicy
Maximum password life: 172800
Minimum password life: 86400
Minimum password length: 3
Minimum number of password character classes: 1
Number of old keys kept: 1
Reference count: 1
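
The getprinc and getpol listings above can be checked mechanically. The following is an added example, not part of the original notes: it parses that output format and flags single-DES keys and weak policy settings. The function names and the thresholds (8 characters, 2 character classes) are assumptions chosen for illustration.

```python
import re

# Abridged from the getprinc / getpol output shown above.
SAMPLE_PRINC = """Principal: kwc@CITI.UMICH.EDU
Key: vno 11, DES cbc mode with CRC-32, no salt
Key: vno 11, DES cbc mode with CRC-32, AFS version 3
Policy: kwcpolicy
"""
SAMPLE_POL = """Policy: kwcpolicy
Minimum password length: 3
Minimum number of password character classes: 1
"""
# Assumed local thresholds, not values from the original notes.
MIN_LENGTH, MIN_CLASSES = 8, 2

def parse_fields(text):
    """Collect 'Name: value' lines; repeated names such as Key become lists."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields.setdefault(name.strip(), []).append(value.strip())
    return fields

def audit_principal(text):
    """Return findings for one principal's getprinc output."""
    fields = parse_fields(text)
    who = fields.get("Principal", ["?"])[0]
    # Key lines read "vno N, <enctype>[, <salt>]"; the enctype is field two.
    # The match is anchored so "Triple DES ..." and "des3-..." are not flagged.
    enctypes = [k.split(",")[1].strip() for k in fields.get("Key", []) if "," in k]
    weak = [e for e in enctypes if re.match(r"des[ -]cbc", e, re.I)]
    findings = []
    if weak:
        findings.append(f"{who}: {len(weak)} of {len(enctypes)} keys are single DES")
    if fields.get("Policy", ["[none]"])[0] == "[none]":
        findings.append(f"{who}: no password policy attached")
    return findings

def audit_policy(text):
    """Return findings for one policy's getpol output."""
    fields = parse_fields(text)
    name = fields.get("Policy", ["?"])[0]
    checks = [("Minimum password length", MIN_LENGTH),
              ("Minimum number of password character classes", MIN_CLASSES)]
    return [f"{name}: {key.lower()} below {floor}" for key, floor in checks
            if int(fields.get(key, ["0"])[0]) < floor]

if __name__ == "__main__":
    print("\n".join(audit_principal(SAMPLE_PRINC) + audit_policy(SAMPLE_POL)))
```

To audit a live realm, feed the functions the text produced by kadmin's getprinc and getpol commands for each principal and policy.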

Creating keytabs (K4 had srvtabs, K5 has keytabs)

To create a K5 keytab file, use the kadmin ktadd subcommand.  This can be invoked so that a new keytab file is created and a new random password for the principal is generated.  The K5 keytab can then be converted into a K4 srvtab format for use by K4 application servers with the ktutil program.

The syntax of the ktadd subcommand is:
    ktadd [-k[eytab] keytab] [-q] [principal | -glob principal-expression] [...]

NOTE:  The principal name formats have changed between K4 and K5.  In K4, the principal and instance were separated by a period.  In K5, the principal and instance are separated with a slash.  So a principal name of www and instance name of buffalo in K4 would be www.buffalo@CITI.UMICH.EDU. The same principal in K5 is www/buffalo@CITI.UMICH.EDU.

To create a K5 keytab file:
kadmin: ktadd -k /tmp/www.keytab www/buffalo
Entry for principal www/buffalo with kvno 3, encryption type DES-CBC-CRC added to keytab WRFILE:/tmp/www.keytab.
kadmin: quit

To convert the keytab into a K4 srvtab format:
# /krb5/sbin/ktutil
ktutil: rkt /tmp/www.keytab
ktutil: list
slot KVNO Principal
---- ---- ---------------------------------------------------------------------------------
   1    3               www/buffalo@CITI.UMICH.EDU
ktutil: wst /tmp/www.srvtab
ktutil: quit

The first subcommand (rkt) reads the existing keytab file.  The list subcommand prints the contents read from the keytab file.  The wst subcommand writes the current contents to the file specified in srvtab format.
Copyright © 1996-2013
The Regents of the University of Michigan