.. _add_mod_del_princs_label:

Adding, modifying and deleting principals
=========================================

To add a principal to the database, use the *kadmin* **add_principal** command.

To modify attributes of a principal, use the *kadmin* **modify_principal** command.

To delete a principal, use the *kadmin* **delete_principal** command.

.. include:: ../../admin_commands/kadmin_local.rst
   :start-after: _add_principal:
   :end-before: _add_principal_end:

.. include:: ../../admin_commands/kadmin_local.rst
   :start-after: _modify_principal:
   :end-before: _modify_principal_end:

.. include:: ../../admin_commands/kadmin_local.rst
   :start-after: _delete_principal:
   :end-before: _delete_principal_end:

To store a principal's Kerberos attributes in an existing LDAP object (``-x`` passes options through to the LDAP database module), name that object with ``dn=``::

    kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
    WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
      defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password.
    Re-enter password for principal jennifer@ATHENA.MIT.EDU: <= Type it again.
    Principal "jennifer@ATHENA.MIT.EDU" created.

To create the principal under a specific LDAP container and link it to an existing LDAP object, use ``containerdn=`` and ``linkdn=``::

    kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
    WARNING: no policy specified for "david@ATHENA.MIT.EDU";
      defaulting to no policy.
    Enter password for principal david@ATHENA.MIT.EDU: <= Type the password.
    Re-enter password for principal david@ATHENA.MIT.EDU: <= Type it again.
    Principal "david@ATHENA.MIT.EDU" created.

To associate an LDAP ticket policy with a principal::

    kadmin: modprinc -x tktpolicy=userpolicy david
    Principal "david@ATHENA.MIT.EDU" modified.

If, on the other hand, you want to set up an account that expires on January 1, 2000, that uses a policy called ``stduser``, and that has a temporary password the user is forced to change at the next initial authentication (``+needchange``), you would type the following::

    kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser +needchange
    Enter password for principal david@ATHENA.MIT.EDU: <= Type the password.
    Re-enter password for principal david@ATHENA.MIT.EDU: <= Type it again.
    Principal "david@ATHENA.MIT.EDU" created.

If you need cross-realm authentication, you will need to add principals for the other realm's TGT to each realm. For example, if you need to do cross-realm authentication between the realms *ATHENA.MIT.EDU* and *EXAMPLE.COM*, you would need to add the principals ``krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU`` and ``krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM`` to both databases. You need to be sure the passwords and the key version numbers (*kvno*) are the same in both databases; this may require explicitly setting the *kvno* with the *-kvno* option. Each of these keys is what one realm uses to verify tickets issued by the other, so choose a long random secret rather than a memorable password and enter it identically on both sides. See :ref:`xrealm_authn_label` for more details.

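As an added example (not part of the MIT krb5 documentation or its tools), the following POSIX shell script prints the ``addprinc`` commands for the pair of cross-realm principals and then compares the key version number that ``kadmin.local getprinc`` reports for each principal in the two realm databases, which is the check that catches the mismatch described above. The script name ``xrealm_check.sh``, the sample realm names and the assumption that one host can open both databases with ``kadmin.local -r`` are assumptions for illustration; on separate KDCs, substitute ``kadmin -r REALM`` with suitable credentials.

```shell
#!/bin/sh
# Added example; not part of the MIT krb5 documentation or tooling.
# Emits the kadmin commands for a pair of cross-realm TGT principals and
# checks, via "kadmin.local getprinc", that their key version numbers agree
# in two realm databases. Assumes kadmin.local is available and that this
# host's kdc.conf knows both realms (use "kadmin -r REALM" otherwise).

# Print the addprinc commands for both cross-realm principals. The same
# secret must be typed at the prompt for each principal in each realm, and
# the explicit -kvno keeps the key version numbers identical on both sides.
xrealm_addprinc_cmds() {   # usage: xrealm_addprinc_cmds REALM_A REALM_B KVNO
    printf 'addprinc -kvno %s krbtgt/%s@%s\n' "$3" "$2" "$1"
    printf 'addprinc -kvno %s krbtgt/%s@%s\n' "$3" "$1" "$2"
}

# Read "kadmin getprinc" output on stdin and print the highest "Key: vno N"
# found (0 if the principal has no keys or was not found).
kvno_from_getprinc() {
    awk '/^Key: vno/ { v = $3; sub(",", "", v); if (v + 0 > max) max = v + 0 }
         END { print max + 0 }'
}

# Succeed only when two kvno values are equal.
kvnos_match() { [ "$1" -eq "$2" ]; }

# Compare one principal's kvno between two realm databases on this KDC.
check_xrealm_kvno() {   # usage: check_xrealm_kvno PRINCIPAL REALM_A REALM_B
    va=$(kadmin.local -r "$2" -q "getprinc $1" | kvno_from_getprinc)
    vb=$(kadmin.local -r "$3" -q "getprinc $1" | kvno_from_getprinc)
    if kvnos_match "$va" "$vb"; then
        echo "OK       $1: kvno $va in both $2 and $3"
    else
        echo "MISMATCH $1: kvno $va in $2, $vb in $3" >&2
        return 1
    fi
}

# When run as "sh xrealm_check.sh REALM_A REALM_B [KVNO]", print the commands
# to run in each realm's kadmin session, then verify both principals.
if [ $# -ge 2 ]; then
    echo "Run in kadmin for both $1 and $2 (same secret each time):"
    xrealm_addprinc_cmds "$1" "$2" "${3:-1}"
    status=0
    for p in "krbtgt/$2@$1" "krbtgt/$1@$2"; do
        check_xrealm_kvno "$p" "$1" "$2" || status=1
    done
    exit $status
fi
```

Run it as ``sh xrealm_check.sh ATHENA.MIT.EDU EXAMPLE.COM 1`` on a KDC that hosts both realms. A ``MISMATCH`` line means one side was created with a different ``-kvno`` (or the key was changed on only one side), and cross-realm requests will fail until the principal is recreated on both sides with matching secret and *kvno*. The passwords themselves are never placed on the command line, so they do not show up in process listings or shell history.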
To delete a principal::

    kadmin: delprinc jennifer
    Are you sure you want to delete the principal "jennifer@ATHENA.MIT.EDU"? (yes/no): yes
    Principal "jennifer@ATHENA.MIT.EDU" deleted.
    Make sure that you have removed this principal from all ACLs before reusing.

Please, provide your feedback at krb5-bugs@mit.edu?subject=Documentation___db_princs