[3400] in Kerberos


Re: removing users from the kerberos database

daemon@ATHENA.MIT.EDU (Mike Friedman (510) 642-1410)
Mon Jun 13 22:37:35 1994

To: kerberos@MIT.EDU
Date: Mon, 13 Jun 94 15:26:10 PDT
From: spgmnf@cmsa.Berkeley.EDU (Mike Friedman (510) 642-1410)

In article <1994Jun13.201800.16949@pony.Ingres.COM>
sid@Ingres.COM (Sid Shapiro) writes:
 
>Pardon me for asking what may turn out to be a simple question,
>but I'm trying to figure out how to remove users from the kerberos db.
>I see no utility that can do it, so I'm left with changing the
>expiration date from within kdb_edit.  I have no idea if this will
>actually remove the user.
>
The MIT distribution of Kerberos V4, by intention, does not provide a utility
to delete principals from the database.  The reasoning is that you may later
assign the same principal name to another person, who might be able to acquire
archived files belonging to the original owner of the principal name.  Of
course, this would depend on how you're using Kerberos at your site, but it's
why the MIT people didn't want to make it particularly easy to remove a
principal.
 
It can be done, however.  As a user (e.g. root) with R/W access to the database,
first do a 'kdb_util dump' of the database to an ASCII file, edit the file and
then do a 'kdb_util load' back to a new copy of the database.  Kerberos had
better not be in use when you do the latter!
 
(See the kdb_util man page for the actual syntax).
 
This is not a very nice method, of course.  What's really needed is a database
management system.  Commercial implementations of Kerberos usually come with
such a thing.
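
The "edit the file" step from the message above, sketched as an added example that is not part of the original post or of the MIT distribution. It assumes the dump holds one principal per line with the name and instance as the first two whitespace-separated fields (`*` for an empty instance). The function names, the protected-entry list and the sample lines are hypothetical or constructed.

```python
# Added example: filter one principal out of a `kdb_util dump` text file.
# ASSUMPTION: one principal per line, whitespace-separated, with the name in
# field 1 and the instance in field 2 ("*" standing for an empty instance).
# Check this against a real dump from your own KDC before relying on it.

# Entries the KDC itself depends on; assumed names, adjust for your realm.
PROTECTED = {("K", "M"), ("krbtgt", None), ("changepw", "kerberos"), ("default", "*")}


def is_protected(name, instance):
    return (name, instance) in PROTECTED or (name, None) in PROTECTED


def remove_principal(dump_lines, name, instance="*"):
    """Return (kept_lines, removed_line). Raises unless exactly one line matches."""
    if is_protected(name, instance):
        raise ValueError(f"refusing to remove protected principal {name}.{instance}")
    kept, removed = [], []
    for line in dump_lines:
        fields = line.split()
        if len(fields) >= 2 and fields[0] == name and fields[1] == instance:
            removed.append(line)
        else:
            kept.append(line)  # untouched, byte for byte
    if len(removed) != 1:
        raise LookupError(f"expected 1 match for {name}.{instance}, found {len(removed)}")
    return kept, removed[0]


def retire(retired_names, name, instance="*"):
    """Record the name so account provisioning can refuse to reissue it."""
    retired_names.add((name, instance))
    return retired_names


# Constructed sample lines (not from a real database); the trailing fields are
# placeholders because only the first two fields matter here.
SAMPLE_DUMP = [
    "K M 255 1 1 0 0 0 placeholder\n",
    "krbtgt EXAMPLE.REALM 255 1 1 0 0 0 placeholder\n",
    "jdoe * 96 1 3 0 0 0 placeholder\n",
    "jdoe admin 96 1 1 0 0 0 placeholder\n",
]

if __name__ == "__main__":
    kept, gone = remove_principal(SAMPLE_DUMP, "jdoe")
    print("removed:", gone.strip())
    print("retired:", retire(set(), "jdoe"))
```

Write the kept lines to a new file and load that with Kerberos stopped, as the message says. The retired-name set addresses the reuse concern that led MIT to leave out a delete utility.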
