Manage Kerberos KDC


To manage the KDC, Salt needs a keytab for an administrative principal so that kadmin can authenticate without a password prompt. Generate it on the KDC itself. Treat the resulting file like the admin password: anyone who can read it has full control of the realm, so keep it root-owned with mode 0600 and do not copy it into pillar or a repository.

For MIT Kerberos, at the kadmin.local prompt. Note that ktadd generates a new random key for each principal it exports (bumping the kvno), so any existing keytab holding those keys stops working; add -norandkey if the current keys must stay valid:

# ktadd -k /root/secure.keytab kadmin/admin kadmin/changepw

For Heimdal Kerberos, at the kadmin -l prompt:

# ext_keytab -k /root/secure.keytab kadmin/admin

On the KDC minion, add the following to the minion configuration file so Salt knows which keytab to use and which principal to authenticate as. The auth_keytab path must point at the file generated above. Optionally set krb_flavor to choose the Kerberos implementation; it defaults to MIT Kerberos when left unspecified, so set it to heimdal only on a Heimdal KDC.

auth_keytab: /root/secure.keytab
auth_principal: kadmin/admin
krb_flavor: heimdal

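
Before pointing auth_keytab at the file, it is worth checking that it actually contains the principal named in auth_principal, carries no deprecated encryption types, and is not readable by anyone but root. The following is an added example, not code from Salt or from this page: it parses the output of `klist -k -t -e <keytab>` (MIT format) and applies those checks. The listing embedded in it is a constructed sample; the function names (`audit_keytab_listing`, `keytab_permissions_ok`, `audit_keytab_file`) are my own.

```python
"""Audit the Salt admin keytab before pointing auth_keytab at it.

Added example; it is not part of Salt or of this page. It parses the output
of "klist -k -t -e <keytab>" (MIT format), confirms that the principal named
in auth_principal is present, flags deprecated encryption types and checks
the file's ownership and mode. The listing below is a constructed sample.
"""
import os
import subprocess
import sys
from dataclasses import dataclass, field

# Encryption type families deprecated by RFC 6649 (single DES) and
# RFC 8429 (3DES and RC4/arcfour). Anything else is accepted here.
WEAK_ENCTYPE_PREFIXES = ("des", "arcfour")

# Constructed sample of "klist -k -t -e /root/secure.keytab".
SAMPLE_LISTING = """\
Keytab name: FILE:/root/secure.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 01/15/2024 10:22:31 kadmin/admin@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 01/15/2024 10:22:31 kadmin/admin@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   2 01/15/2024 10:22:31 kadmin/changepw@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   2 01/15/2024 10:22:31 kadmin/changepw@EXAMPLE.COM (arcfour-hmac)
"""


@dataclass
class KeytabReport:
    entries: list = field(default_factory=list)  # (principal, kvno, enctype)
    weak: list = field(default_factory=list)     # (principal, enctype)
    has_required: bool = False

    def ok(self) -> bool:
        return self.has_required and not self.weak


def _same_principal(entry: str, required: str) -> bool:
    """auth_principal is usually written without a realm ("kadmin/admin")."""
    if "@" in required:
        return entry == required
    return entry.split("@", 1)[0] == required


def audit_keytab_listing(listing: str, required_principal: str) -> KeytabReport:
    report = KeytabReport()
    for line in listing.splitlines():
        parts = line.split()
        # Entry lines start with a numeric KVNO and end with "(enctype)";
        # the "Keytab name:" line, the header and the dashes do not.
        if len(parts) < 4 or not parts[0].isdigit() or not parts[-1].startswith("("):
            continue
        principal, enctype = parts[-2], parts[-1].strip("()")
        report.entries.append((principal, int(parts[0]), enctype))
        if enctype.lower().startswith(WEAK_ENCTYPE_PREFIXES):
            report.weak.append((principal, enctype))
        if _same_principal(principal, required_principal):
            report.has_required = True
    return report


def keytab_permissions_ok(st_mode: int, st_uid: int) -> bool:
    """The keytab is equivalent to the admin password: root-owned, no group/other bits."""
    return st_uid == 0 and (st_mode & 0o077) == 0


def audit_keytab_file(path: str, required_principal: str) -> KeytabReport:
    """Run klist against a real keytab (requires the MIT krb5 client tools)."""
    listing = subprocess.run(["klist", "-k", "-t", "-e", path],
                             check=True, capture_output=True, text=True).stdout
    return audit_keytab_listing(listing, required_principal)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        path = sys.argv[1]
        principal = sys.argv[2] if len(sys.argv) > 2 else "kadmin/admin"
        report = audit_keytab_file(path, principal)
        st = os.stat(path)
        print("permissions ok:", keytab_permissions_ok(st.st_mode, st.st_uid))
    else:
        report = audit_keytab_listing(SAMPLE_LISTING, "kadmin/admin")
    for entry in report.entries:
        print("%-40s kvno=%d %s" % entry)
    print("weak enctypes:", report.weak or "none")
    print("keytab usable for auth_principal:", report.ok())
```

Run it as `python audit_keytab.py /root/secure.keytab kadmin/admin` on the KDC; with no arguments it evaluates the constructed sample, in which the arcfour-hmac key on kadmin/changepw makes the report fail. Remove such keys by re-exporting the principal with an explicit `-e` list rather than leaving a legacy enctype in an admin keytab.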
salt.modules.kerberos.create_keytab(name, keytab, enctypes=None)

Create a keytab containing the key of the named principal, optionally restricted to the given encryption types.

CLI Example:

salt '<kdc minion>' kerberos.create_keytab host/<fqdn> <keytab path>
salt.modules.kerberos.create_principal(name, enctypes=None)

Create a principal, optionally restricting the encryption types of its keys.

CLI Example:

salt '<kdc minion>' kerberos.create_principal host/<fqdn>

salt.modules.kerberos.delete_principal(name)

Delete a principal.

CLI Example:

salt '<kdc minion>' kerberos.delete_principal host/<fqdn>

salt.modules.kerberos.get_policy(name)

Get policy details. Not supported by the Heimdal backend.

CLI Example:

salt '<kdc minion>' kerberos.get_policy my_policy

salt.modules.kerberos.get_principal(name)

Get principal details.

CLI Example:

salt '<kdc minion>' kerberos.get_principal root/admin

salt.modules.kerberos.get_privs()

Show the privileges held by the principal Salt authenticates as (auth_principal).

CLI Example:

salt '<kdc minion>' kerberos.get_privs

salt.modules.kerberos.list_policies()

List policies. Not supported by the Heimdal backend.

CLI Example:

salt '<kdc minion>' kerberos.list_policies

salt.modules.kerberos.list_principals()

List all principals.

CLI Example:

salt '<kdc minion>' kerberos.list_principals
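
The details returned for a principal are useful for more than inspection: they show whether the principal is hardened. The following is an added example, not code from Salt or from this page. It assumes the MIT backend, where the principal details are the fields kadmin prints for `getprinc <name>`, parses that text into a dict and flags a missing REQUIRES_PRE_AUTH attribute (without it the principal can be AS-REP roasted), a user principal with no password policy or a never-expiring password, and retained keys with mixed kvnos. Both listings inside it are constructed samples and the function names (`parse_getprinc`, `audit_principal`) are my own.

```python
"""Audit a principal from the details kerberos.get_principal reports.

Added example; it is not part of Salt or of this page. It assumes the MIT
backend, where principal details are the fields kadmin prints for
"getprinc <name>". Both listings below are constructed samples.
"""

SAMPLE_HOST = """\
Principal: host/host1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 15 10:22:31 UTC 2024
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 15 10:22:31 UTC 2024 (kadmin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, aes256-cts-hmac-sha1-96
Key: vno 1, aes128-cts-hmac-sha1-96
MKey: vno 1
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

SAMPLE_USER = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 15 10:25:02 UTC 2024
Password expiration date: [never]
Maximum ticket life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Jan 15 10:25:02 UTC 2024 (kadmin/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, aes128-cts-hmac-sha1-96
Key: vno 1, aes256-cts-hmac-sha1-96
MKey: vno 1
Attributes:
Policy: [none]
"""


def parse_getprinc(text: str) -> dict:
    """Turn "Field: value" lines into a dict.

    The repeated "Key: vno N, enctype" lines become a list of (kvno, enctype)
    and the space-separated Attributes value becomes a set.
    """
    info = {"Key": []}
    for line in text.splitlines():
        if ":" not in line:
            continue
        field_name, _, value = line.partition(":")   # split on the first colon only
        field_name, value = field_name.strip(), value.strip()
        if field_name == "Key":
            vno, _, enctype = value.partition(",")   # "vno 2, aes256-cts-hmac-sha1-96"
            info["Key"].append((int(vno.split()[1]), enctype.strip()))
        else:
            info[field_name] = value
    info["Attributes"] = set(info.get("Attributes", "").split())
    return info


def audit_principal(text: str) -> list:
    info = parse_getprinc(text)
    name = info.get("Principal", "")
    # Service principals carry an instance ("host/fqdn"); users normally do not.
    is_user = "/" not in name.split("@", 1)[0]
    findings = []
    if "REQUIRES_PRE_AUTH" not in info["Attributes"]:
        findings.append("pre-authentication not required (AS-REP roasting exposure)")
    if is_user and info.get("Policy", "[none]") == "[none]":
        findings.append("user principal has no password policy")
    if is_user and info.get("Password expiration date") == "[never]":
        findings.append("user password never expires")
    kvnos = sorted({vno for vno, _ in info["Key"]})
    if len(kvnos) > 1:
        findings.append("old keys retained (kvno %s); purge them once clients have rotated" % kvnos)
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_HOST, SAMPLE_USER):
        print(parse_getprinc(sample)["Principal"])
        for finding in audit_principal(sample) or ["no findings"]:
            print("  -", finding)
```

Run against the text that `kerberos.get_principal` reports for each entry of `kerberos.list_principals`, the host principal in the sample passes while the user principal produces four findings. Fixing the first one is a single `modprinc +requires_preauth` in kadmin.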