Creating a principal using the kadmin C API

Lars Francke lars.francke at
Fri Apr 8 05:54:16 EDT 2022

Thank you!

Yeah, our problem is that we want to create Keytabs for multiple different
KDCs automatically.
I would still be very much interested in your code, I assume we can still
learn something and then - together with Greg's answer - figure out what we
need to do.

On Fri, Apr 8, 2022 at 3:49 AM Chris Hecker <checker at> wrote:

> I use the kadm5 api to create princs and change keys.  I do this with a
> memory keytab (well, I load a disk keytab while root, copy it to a
> memory keytab, and then drop privs), but I assume it's using the default
> system /etc/krb5.conf.  I do have my krb5 client stuff build an
> in-memory conf and I hacked an API in for using that because there
> didn't used to be a way to do that, I think there is now, but I don't do
> kadm5 stuff the same way.
> I'm happy to post my code for making princs and randkeying if you'd
> like.
>
> Chris
>
> ------ Original Message ------
> From: "Lars Francke" <lars.francke at>
> To: kerberos at
> Sent: 2022-04-07 13:19:50
> Subject: Creating a principal using the kadmin C API
> >Hi everyone,
> >
> >we're trying to create principals and keys using the kadmin C API.
> >The normal API has some documentation[1] but unfortunately the kadmin API
> >doesn't have any we could find.
> >
> >We tried to use kadm5_create_principal_3 and kadm5_randkey_principal_3 but
> >we seem to be running into an issue. Ideally we'd like to call this
> >function with a handle (+ context) with an in-memory krb5.conf but that
> >does not seem to work so we create the files and refer to them in the
> >profile but kadmin still seems to load (is this related to the
> >"alt_profile"?) a file from a default location which means it'll use the
> >wrong connection details.
> >
> >I am sorry for the vague description, it's been two weeks since we tried
> >and I only now get around to writing it down. I'm happy to provide more
> >details.
> >
> >In general though my question is whether there's a good way (maybe even an
> >example and/or docs) to programmatically create principals and keys using
> >the kadmin API without resorting to calling kadmin and parsing stdout etc.
> >
> >Thank you very much for your help.
> >
> >Cheers,
> >Lars
> >
> >[1] <
> >________________________________________________
> >Kerberos mailing list           Kerberos at
> >
