Kerberos Principals

Fredrik Tolf fredrik at dolda2000.com
Wed Dec 21 13:22:23 EST 2005


On Wed, 2005-12-21 at 14:38 +0200, Amir Saad wrote:
> I'm replacing the NIS with LDAP and Kerberos. The question is, is there any way to automate the creation of the principals? Do I have to add a principal for each user in my current system, or is there a tool (like ldap migration) that can do that?

Is any tool other than kadmin needed? I don't know about your specific
situation, but I'd do it with a shell command, like this:

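umask 077  # keep the password list private; /tmp is world-readable
ypcat passwd | while IFS=: read -r name rest; do
  # 6 random bytes, base64-encoded to 8 characters
  password=$(dd if=/dev/random bs=3 count=2 2>/dev/null | encode-base64)
  # ank = add_principal; -pw sets the initial password
  kadmin -c "$KRB5CCNAME" -q "ank -pw $password $name"
  echo "$name $password" >>/tmp/newpasswords
done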

That requires your ccache to have a valid kadmin service ticket, though.
Get it with a command like "kinit -S kadmin/admin yourname/admin".

It also requires a base64 encoding program. The one I used comes from
Perl's MIME-Base64 module.

I don't know if there might be anything wrong with this way of doing it,
but in that case, I can't think of any.

Hope it helps.

Fredrik Tolf
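
Added example, not part of the original message: a variant of the loop above that validates each NIS name before it is placed in a kadmin command, writes the password list to a private mktemp file, and feeds all commands to a single kadmin session on standard input so passwords do not appear in a process argument list. The function names, the MIN_UID cutoff and the use of coreutils base64 are assumptions, as is kadmin reading commands from standard input when run without -q.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and MIN_UID are
# assumptions; kadmin is assumed to read commands from stdin without -q.
MIN_UID=${MIN_UID:-1000}   # assumed cutoff below which accounts are skipped

# The name is pasted into a kadmin command line, so allow only a conservative
# character set and reject anything that could be read as an option.
valid_name() {
  case $1 in
    ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
  esac
  return 0
}

# 18 bytes from the kernel CSPRNG -> 24 characters, '+' and '/' remapped.
gen_password() {
  head -c 18 /dev/urandom | base64 | tr '+/' '._'
}

# stdin: passwd(5) lines. Appends "name password" to file $1 and prints one
# "ank" command per accepted user on stdout.
emit_queries() {
  while IFS=: read -r name _pw uid _rest; do
    valid_name "$name" || { printf 'skipped: %s\n' "$name" >&2; continue; }
    case $uid in ''|*[!0-9]*) continue ;; esac
    [ "$uid" -ge "$MIN_UID" ] || continue
    password=$(gen_password)
    printf '%s %s\n' "$name" "$password" >>"$1"
    printf 'ank -pw %s %s\n' "$password" "$name"
  done
}

run_kadmin() { kadmin -c "$KRB5CCNAME"; }   # one session, commands on stdin

# mktemp gives an unpredictable name and mode 0600; piping the commands keeps
# passwords out of any process argument list. Prints the password file path.
migrate() {
  outfile=$(mktemp "${TMPDIR:-/tmp}/newpasswords.XXXXXX") || return 1
  emit_queries "$outfile" | run_kadmin >&2 || return 1
  printf '%s\n' "$outfile"
}

# Usage: ypcat passwd | migrate
```

The password file still holds cleartext initial passwords, so distribute and delete it promptly.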




