On Mon Nov 19 13:13:51 2001, Ken Hornstein said:

>> This would seem to mean calling kadmin and getting the administrator to
>> authenticate. But I can't get it to work. kadmin seems not to be reading
>> the admin password from stdin. Presumably it's being careful about only
>> reading it from a terminal (sensible). So how do I do this? Is there a
>> way? Or am I just going to have to write a HOWTO instruction list telling
>> the administrator to type in the kadmin runes?
>
> Check out the "-k" option to kadmin (you have to put an admin key in
> a keytab). That's assuming you're using an MIT-based Kerberos implementation.
Ken,

But this still doesn't deal with the return code issue.

A long time ago, I faced the stated problem because I need to add large batches of student principals regularly. Under K4, I did use an expect script, but it ran too slowly for the thousands of principals I would add at a time.

So, with K5, I decided to use the MIT kadmin API to write my own code that does kadm5_create_principal in a loop, reading input from a file. Because of special local circumstances, it does a bit more than this (such as bypass password policy to allow using student PINs as initial passwords, which are then disabled until the user chooses a real password later; after adding the principal, I set the default policy).

This program is called from a perl script which creates a kadmin auth credential in a temporary ccache (based on a single prompt at the beginning of the script for an admin password). The effect is that of 'kadmin -c' against the temporary ccache (which is then deleted by the script). The result is that I can add principals at the rate of 8 per second (that's remotely, not on the KDC).

I log the results of each transaction, including the return code from kadm5_create_principal. The return code is important, in order to detect such failures as occur, for example, when the database happens to be unloading because a kprop is in progress (database lock problems). When this happens, I may have to go back later and process the failed principals separately, depending on the state the principal was left in after the failure.

Of course one could, instead, create a permanent keytab; a small change to my code would do the equivalent of 'kadmin -k'. However, I didn't want to leave a powerful keytab lying around indefinitely when this wasn't necessary for my purposes, since I run the script myself and can enter the admin password once up front. For a script that had to run unattended, the keytab approach would work.
Mike

------------------------------------------------------------------------------
Mike Friedman                         System and Network Security
[EMAIL PROTECTED]                     2484 Shattuck Avenue
1-510-642-1410                        University of California at Berkeley
http://ack.Berkeley.EDU/~mikef        http://security.berkeley.edu
------------------------------------------------------------------------------
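As an added example (not code from the thread, and not MIT's or Mike's own program), here is a POSIX shell version of the unattended variant the two messages describe: the `kadmin -k -t KEYTAB -p ADMIN -q "..."` form that Ken points to, wrapped in a loop that records each transaction's return code and sets aside the failures for a separate retry pass, which is the part Mike says matters when the KDC database is locked during a kprop. The admin principal, keytab path and policy name are placeholders, and the script assumes a kadmin build that exits nonzero when a query fails (check this on your version before relying on the log):

```shell
#!/bin/sh
# Added example, not code from the thread: batch-create principals from a
# file with `kadmin -k -t KEYTAB -p ADMIN -q "add_principal ..."`, log each
# transaction with its exit status, and collect failures for a separate
# retry pass (e.g. when the KDC database is locked during a kprop).
# Assumptions: MIT kadmin with the -k/-t/-p/-q options; a kadmin that exits
# nonzero when a query fails (verify on your build); and the placeholder
# admin principal, keytab path and policy name below.
KADMIN="${KADMIN:-kadmin}"
ADMIN_PRINC="${ADMIN_PRINC:-admin/batch@EXAMPLE.COM}"   # placeholder
KEYTAB="${KEYTAB:-/etc/krb5/batch.keytab}"              # placeholder path
POLICY="${POLICY:-default}"                              # placeholder policy

# add_one PRINCIPAL: create PRINCIPAL with a random key under $POLICY.
# Returns kadmin's exit status. -randkey keeps an initial password off the
# command line, where it would be visible in the process list.
add_one() {
    "$KADMIN" -k -t "$KEYTAB" -p "$ADMIN_PRINC" \
        -q "add_principal -randkey -policy $POLICY $1" >/dev/null 2>&1
}

# batch_add INPUT LOG RETRY: one principal per line in INPUT (blank lines
# and '#' comments ignored). Appends "<utc time> <principal> rc=<status>"
# to LOG, writes the principals whose query failed to RETRY (truncated
# first), and prints the number of failures so the caller can decide
# whether a retry pass is needed.
batch_add() {
    input=$1; log=$2; retry=$3
    fails=0
    : > "$retry"
    while IFS= read -r princ || [ -n "$princ" ]; do
        case $princ in ''|'#'*) continue ;; esac
        if add_one "$princ"; then rc=0; else rc=$?; fi
        printf '%s %s rc=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$princ" "$rc" >> "$log"
        if [ "$rc" -ne 0 ]; then
            printf '%s\n' "$princ" >> "$retry"
            fails=$((fails + 1))
        fi
    done < "$input"
    echo "$fails"
}

# Usage: batch_add principals.txt add.log retry.txt
```

The per-line log gives the same per-transaction return-code record Mike keeps with kadm5_create_principal, and the retry file is the list he would go back to after a database-lock failure; before reprocessing it, inspect what state each principal was left in, since a failed query may still have created it. Mike's caveat about the keytab applies unchanged: it is an admin credential, so keep its file mode tight and remove it when the batch job no longer needs it.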
