JavaScript is required to for searching.
Skip Navigation Links
Exit Print View
Oracle Solaris 11.1 Administration: Security Services     Oracle Solaris 11.1 Information Library
search filter icon
search icon

Document Information

Preface

Part I Security Overview

1.  Security Services (Overview)

Part II System, File, and Device Security

2.  Managing Machine Security (Overview)

3.  Controlling Access to Systems (Tasks)

4.  Virus Scanning Service (Tasks)

5.  Controlling Access to Devices (Tasks)

6.  Verifying File Integrity by Using BART (Tasks)

7.  Controlling Access to Files (Tasks)

Part III Roles, Rights Profiles, and Privileges

8.  Using Roles and Privileges (Overview)

9.  Using Role-Based Access Control (Tasks)

10.  Security Attributes in Oracle Solaris (Reference)

Part IV Cryptographic Services

11.  Cryptographic Framework (Overview)

12.  Cryptographic Framework (Tasks)

13.  Key Management Framework

Part V Authentication Services and Secure Communication

14.  Using Pluggable Authentication Modules

15.  Using Secure Shell

16.  Secure Shell (Reference)

17.  Using Simple Authentication and Security Layer

18.  Network Services Authentication (Tasks)

Part VI Kerberos Service

19.  Introduction to the Kerberos Service

20.  Planning for the Kerberos Service

21.  Configuring the Kerberos Service (Tasks)

22.  Kerberos Error Messages and Troubleshooting

23.  Administering Kerberos Principals and Policies (Tasks)

Ways to Administer Kerberos Principals and Policies

SEAM Tool

Command-Line Equivalents of the SEAM Tool

The Only File Modified by the SEAM Tool

Print and Online Help Features of the SEAM Tool

Working With Large Lists in the SEAM Tool

How to Start the SEAM Tool

Administering Kerberos Principals

Administering Kerberos Principals (Task Map)

Automating the Creation of New Kerberos Principals

How to View the List of Kerberos Principals

How to View a Kerberos Principal's Attributes

How to Create a New Kerberos Principal

How to Duplicate a Kerberos Principal

How to Modify a Kerberos Principal

How to Delete a Kerberos Principal

How to Set Up Defaults for Creating New Kerberos Principals

How to Modify the Kerberos Administration Privileges

Administering Kerberos Policies

Administering Kerberos Policies (Task Map)

How to View the List of Kerberos Policies

How to View a Kerberos Policy's Attributes

How to Create a New Kerberos Policy

How to Duplicate a Kerberos Policy

How to Modify a Kerberos Policy

How to Delete a Kerberos Policy

SEAM Tool Reference

SEAM Tool Panel Descriptions

Using the SEAM Tool With Limited Kerberos Administration Privileges

Administering Keytab Files

Administering Keytab Files (Task Map)

How to Add a Kerberos Service Principal to a Keytab File

How to Remove a Service Principal From a Keytab File

How to Display the Keylist (Principals) in a Keytab File

How to Temporarily Disable Authentication for a Service on a Host

24.  Using Kerberos Applications (Tasks)

25.  The Kerberos Service (Reference)

Part VII Auditing in Oracle Solaris

26.  Auditing (Overview)

27.  Planning for Auditing

28.  Managing Auditing (Tasks)

29.  Auditing (Reference)

Glossary

Index

SEAM Tool

The SEAM Tool (gkadmin) is an interactive graphical user interface (GUI) that enables you to maintain Kerberos principals and policies. This tool provides much the same capabilities as the kadmin command. However, this tool does not support the management of keytab files. You must use the kadmin command to administer keytab files, which is described in Administering Keytab Files.

Similar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted RPC to operate securely from anywhere on the network. The SEAM Tool enables you to do the following:

The SEAM Tool also provides context-sensitive help and general online help.

The following task maps provide pointers to the various tasks that you can do with the SEAM Tool:

Also, go to SEAM Tool Panel Descriptions for descriptions of all the principal attributes and policy attributes that you can either specify or view in the SEAM Tool.

Command-Line Equivalents of the SEAM Tool

This section lists the kadmin commands that provide the same capabilities as the SEAM Tool. These commands can be used without running an X Window system. Even though most procedures in this chapter use the SEAM Tool, many procedures also provide corresponding examples that use the command-line equivalents.

Table 23-1 Command-Line Equivalents of the SEAM Tool

SEAM Tool Procedure
Equivalent kadmin Command
View the list of principals.
list_principals or get_principals
View a principal's attributes.
get_principal
Create a new principal.
add_principal
Duplicate a principal.
No command-line equivalent
Modify a principal.
modify_principal or change_password
Delete a principal.
delete_principal
Set up defaults for creating new principals.
No command-line equivalent
View the list of policies.
list_policies or get_policies
View a policy's attributes.
get_policy
Create a new policy.
add_policy
Duplicate a policy.
No command-line equivalent
Modify a policy.
modify_policy
Delete a policy.
delete_policy

The Only File Modified by the SEAM Tool

The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This file contains the default values for creating new principals. You can update this file by choosing Properties from the Edit menu.

Print and Online Help Features of the SEAM Tool

The SEAM Tool provides both print features and online help features. From the Print menu, you can send the following to a printer or a file:

From the Help menu, you can access context-sensitive help and general help. When you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is displayed and the tool is switched to help mode. In help mode, when you click on any fields, labels, or buttons on the window, help on that item is displayed in the Help window. To switch back to the tool's normal mode, click Dismiss in the Help window.

You can also choose Help Contents, which opens an HTML browser that provides pointers to the general overview and task information that is provided in this chapter.

Working With Large Lists in the SEAM Tool

As your site starts to accumulate a large number of principals and policies, the time it takes the SEAM Tool to load and display the principal and policy lists will become increasingly longer. Thus, your productivity with the tool will decrease. There are several ways to work around this problem.

First, you can completely eliminate the time to load the lists by not having the SEAM Tool load the lists. You can set this option by choosing Properties from the Edit menu, and unchecking the Show Lists field. Of course, when the tool doesn't load the lists, it can't display the lists, and you can no longer use the list panels to select principals or policies. Instead, you must type a principal or policy name in the new Name field that is provided, then select the operation that you want to perform on it. In effect, typing a name is equivalent to selecting an item from the list.

Another way to work with large lists is to cache them. In fact, caching the lists for a limited time is set as the default behavior for the SEAM Tool. The SEAM Tool must still initially load the lists into the cache. But after that, the tool can use the cache rather than retrieve the lists again. This option eliminates the need to keep loading the lists from the server, which is what takes so long.

You can set list caching by choosing Properties from the Edit menu. There are two cache settings. You can choose to cache the list forever, or you can specify a time limit when the tool must reload the lists from the server into the cache.

Caching the lists still enables you to use the list panels to select principals and policies, so it doesn't affect how you use the SEAM Tool as the first option does. Also, even though caching doesn't enable you to see the changes of other users, you can still see the latest list information based on your changes, because your changes update the lists both on the server and in the cache. And, if you want to update the cache to see other changes and get the lastest copy of the lists, you can use the Refresh menu whenever you want to refresh the cache from the server.

How to Start the SEAM Tool

  1. Start the SEAM Tool by using the gkadmin command.
    $ /usr/sbin/gkadmin

    The SEAM Administration Login window is displayed.


    image:Dialog box titled SEAM Administration Login shows four fields for Principal Name, Password, Realm, and Master KDC. Shows OK and Start Over buttons.
  2. If you don't want to use the default values, specify new default values.

    The window automatically fills in with default values. The default principal name is determined by taking your current identity from the USER environment variable and appending /admin to it (username/admin). The default Realm and Master KDC fields are selected from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click Start Over.


    Note - The administration operations that each Principal Name can perform are dictated by the Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see Using the SEAM Tool With Limited Kerberos Administration Privileges.


  3. Type a password for the specified principal name.
  4. Click OK.

    A window showing all of the principals is displayed.