Creating a principal using the kadmin C API

Chris Hecker checker at
Thu Apr 7 21:40:38 EDT 2022

I use the kadm5 api to create princs and change keys.  I do this with a 
memory keytab (well, I load a disk keytab while root, copy it to a 
memory keytab, and then drop privs), but I assume it's using the default 
system /etc/krb5.conf.  I do have my krb5 client stuff build an 
in-memory conf and I hacked an API in for using that because there 
didn't use to be a way to do that. I think there is now, but I don't do 
kadm5 stuff the same way.

I'm happy to post my code for making princs and randkeying if you'd 


------ Original Message ------
From: "Lars Francke" <lars.francke at>
To: kerberos at
Sent: 2022-04-07 13:19:50
Subject: Creating a principal using the kadmin C API

>Hi everyone,
>we're trying to create principals and keys using the kadmin C API.
>The normal API has some documentation[1] but unfortunately the kadmin API
>doesn't have any we could find.
>We tried to use kadm5_create_principal_3 and kadm5_randkey_principal_3 but
>we seem to be running into an issue. Ideally we'd like to call this
>function with a handle (+ context) with an in-memory krb5.conf but that
>does not seem to work so we create the files and refer to them in the
>profile but kadmin still seems to load (is this related to the
>"alt_profile"?) a file from a default location which means it'll use the
>wrong connection details.
>I am sorry for the vague description, it's been two weeks since we tried
>and I only now get around to writing it down. I'm happy to provide more
>In general though my question is whether there's a good way (maybe even an
>example and/or docs) to programmatically create principals and keys using
>the kadmin API without resorting to calling kadmin and parsing stdout etc.
>Thank you very much for your help.
>[1] <>