How to disallow users?

Derek Atkins derek at
Fri Mar 8 23:28:00 EST 2002

Austin Gonyou <austin at> writes:

> A user whose sole principal is user/admin@HOST.DOMAIN.COM is err'd,
> since user@HOST.DOMAIN.COM doesn't exist.


> Questions:
> 1. Should I be adding user@HOST.DOMAIN.COM *first*, then add another
> principal that allows them admin rights? (as in
> user/admin@HOST.DOMAIN.COM)?

Yes.  A normal user is _always_ user@REALM.  A user/<role>@REALM is
_always_ a secondary ticket.  This secondary ticket is used by kadmin
(user/admin) or ksu (user/root).

> 2. If I wish to *lock* someone's kerberos account, to ensure they can
> not login to a kerberos authenticating workstation, or prevent those
> with NO kerberos principal from logging in, what's a good pointer for
> this?

Um, if they have no kerberos principal, what password are they giving
that allows them to login?  If you want to require someone to use
kerberos, make sure they do not have an actual password entry in
/etc/passwd (or NIS, Hesiod, LDAP, etc).  They need to have the pwent
information (username, uid, shell, homedir), but the password field
should be set to *NP*.

> Thanks much. So far, my kerberos experience and understanding has been
> far better than previous experiments. 

You're welcome.


> TIA.
> -- 
> Austin Gonyou
> Systems Architect, CCNA
> Coremetrics, Inc.
> Phone: 512-698-7250
> email: austin at

       Derek Atkins
       Computer and Internet Security Consultant
       derek at   
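
An added example, not part of the original message: a small audit of passwd-format entries that reports which accounts still carry a usable local password instead of a placeholder such as *NP*. The sample entries, the status names and the function names are constructed for illustration.

```python
"""Audit passwd-format entries for accounts that can log in with a local password."""

# Constructed sample in passwd(5) format; names, uids and the hash are made up.
SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
alice:*NP*:1001:100:Alice:/home/alice:/bin/sh
bob:$6$c0nstructed$notarealhash:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:!:1004:100:Dave:/home/dave:/bin/sh
broken-line-without-fields
"""


def classify(field):
    """Classify the password field of one entry."""
    if field == "":
        return "empty"        # no password required on many systems
    if field == "x":
        return "shadowed"     # real value lives in the shadow file; audit that too
    if field[0] in "*!":
        return "no-local"     # e.g. *NP*: not a valid hash, so no password matches
    return "local-hash"       # usable local password, Kerberos is not required


def audit(text):
    """Return ({user: status}, [malformed lines]) for passwd-format text."""
    result, malformed = {}, []
    for line in text.splitlines():
        # Skip blanks, comments and NIS compat (+/-) entries.
        if not line.strip() or line[0] in "#+-":
            continue
        parts = line.split(":")
        if len(parts) != 7 or not parts[0]:
            malformed.append(line)
            continue
        result[parts[0]] = classify(parts[1])
    return result, malformed


def kerberos_bypassable(text):
    """Users who can authenticate without Kerberos according to this file."""
    statuses, _ = audit(text)
    return sorted(u for u, s in statuses.items() if s in ("empty", "local-hash"))


if __name__ == "__main__":
    print(audit(SAMPLE), kerberos_bypassable(SAMPLE))
```

Entries reported as "shadowed" need the same check run against the shadow file, and accounts served from NIS, Hesiod or LDAP have to be checked at that source.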
