SEAM Administration Tool
The SEAM Administration Tool (SEAM Tool) is an interactive graphical user interface (GUI)
that enables you to maintain Kerberos principals and policies. This tool provides much
the same capabilities as the kadmin command. However, this tool does not support
the management of keytab files. You must use the kadmin command to administer
keytab files, which is described in Administering Keytab Files.
Similar to the kadmin command, the SEAM Tool uses Kerberos authentication and encrypted
RPC to operate securely from anywhere on the network. The SEAM Tool enables
you to do the following:
- Create new principals that are based on default values or existing principals.
- Create new policies that are based on existing policies.
- Add comments for principals.
- Set up default values for creating new principals.
- Log in as another principal without exiting the tool.
- Print or save principal lists and policy lists.
- View and search principal lists and policy lists.
The SEAM Tool also provides context-sensitive help and general online help.
The following task maps provide pointers to the various tasks that you can
do with the SEAM Tool:
Also, go to SEAM Tool Panel Descriptions for descriptions of all the principal attributes and policy
attributes that you can either specify or view in the SEAM Tool.
Command-Line Equivalents of the SEAM Tool
This section lists the kadmin commands that provide the same capabilities as the
SEAM Tool. These commands can be used without running an X Window system.
Even though most procedures in this chapter use the SEAM Tool, many procedures
also provide corresponding examples that use the command-line equivalents.
Table 25-1 Command-Line Equivalents of the SEAM Tool
| SEAM Tool Procedure | Equivalent kadmin Command |
|---|---|
| View the list of principals. | list_principals or get_principals |
| View a principal's attributes. | get_principal |
| Create a new principal. | add_principal |
| Duplicate a principal. | No command-line equivalent |
| Modify a principal. | modify_principal or change_password |
| Delete a principal. | delete_principal |
| Set up defaults for creating new principals. | No command-line equivalent |
| View the list of policies. | list_policies or get_policies |
| View a policy's attributes. | get_policy |
| Create a new policy. | add_policy |
| Duplicate a policy. | No command-line equivalent |
| Modify a policy. | modify_policy |
| Delete a policy. | delete_policy |
The Only File Modified by the SEAM Tool
The only file that the SEAM Tool modifies is the $HOME/.gkadmin file. This
file contains the default values for creating new principals. You can update this
file by choosing Properties from the Edit menu.
Print and Online Help Features of the SEAM Tool
The SEAM Tool provides both print features and online help features. From the
Print menu, you can send the following to a printer or a file:
- List of available principals on the specified master KDC
- List of available policies on the specified master KDC
- The currently selected principal or the loaded principal
- The currently selected policy or the loaded policy
From the Help menu, you can access context-sensitive help and general help. When
you choose Context-Sensitive Help from the Help menu, the Context-Sensitive Help window is
displayed and the tool is switched to help mode. In help mode, when
you click on any fields, labels, or buttons on the window, help
on that item is displayed in the Help window. To switch back to
the tool's normal mode, click Dismiss in the Help window.
You can also choose Help Contents, which opens an HTML browser that provides
pointers to the general overview and task information that is provided in this
chapter.
Working With Large Lists in the SEAM Tool
As your site starts to accumulate a large number of principals and
policies, the SEAM Tool takes longer and longer to load and display the
principal and policy lists, and your productivity with the tool decreases.
There are several ways to work around this problem.
First, you can completely eliminate the time to load the lists by
not having the SEAM Tool load the lists. You can set this option
by choosing Properties from the Edit menu, and unchecking the Show Lists field.
Of course, when the tool doesn't load the lists, it can't display the
lists, and you can no longer use the list panels to select principals
or policies. Instead, you must type a principal or policy name in the
new Name field that is provided, then select the operation that you want
to perform on it. In effect, typing a name is equivalent to selecting
an item from the list.
Another way to work with large lists is to cache them. In
fact, caching the lists for a limited time is set as the default
behavior for the SEAM Tool. The SEAM Tool must still initially load the
lists into the cache. But after that, the tool can use the cache
rather than retrieve the lists again. This option eliminates the need to keep
loading the lists from the server, which is what takes so long.
You can set list caching by choosing Properties from the Edit menu. There
are two cache settings. You can choose to cache the list forever,
or you can specify a time limit when the tool must reload the
lists from the server into the cache.
Caching the lists still enables you to use the list panels to
select principals and policies, so it doesn't affect how you use the SEAM
Tool as the first option does. Also, even though caching doesn't enable you
to see the changes of other users, you can still see the latest
list information based on your changes, because your changes update the lists both
on the server and in the cache. And, if you want to update
the cache to see other changes and get the latest copy of the
lists, you can use the Refresh menu whenever you want to refresh the
cache from the server.
How to Start the SEAM Tool
- Start the SEAM Tool by using the gkadmin command.
$ /usr/sbin/gkadmin
The SEAM Administration Login window is displayed.
- If you don't want to use the default values, specify new default values.
The window automatically fills in with default values. The default principal name is determined
by taking your current identity from the USER environment variable and appending /admin
to it (username/admin). The default Realm and Master KDC fields are selected
from the /etc/krb5/krb5.conf file. If you ever want to retrieve the default values, click
Start Over.
Note - The administration operations that each Principal Name can perform are dictated by the
Kerberos ACL file, /etc/krb5/kadm5.acl. For information about limited privileges, see Using the SEAM Tool With Limited Kerberos Administration Privileges.
- Type a password for the specified principal name.
- Click OK.
The following window is displayed.
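The login defaults described in the procedure above can be previewed from a shell, which lets you confirm which admin principal and master KDC you are about to authenticate to before typing a password. This is an added example, not part of the original page or of the SEAM Tool: the function names `krb5_lookup` and `seam_login_defaults` are hypothetical, the sample configuration is constructed, and it assumes that the Realm field corresponds to `default_realm` in `[libdefaults]` and the Master KDC field to that realm's `admin_server` in `[realms]`.

```shell
#!/bin/sh
# Preview the values the SEAM Administration Login window pre-fills.
# Assumption (not stated on the page): Realm = [libdefaults] default_realm,
# Master KDC = admin_server of that realm in [realms].

# krb5_lookup FILE SECTION KEY [REALM] -> prints the first matching value
krb5_lookup() {
    awk -v want_sect="$2" -v want_key="$3" -v want_realm="$4" '
        function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
        /^[ \t]*[#;]/   { next }                                   # comment line
        /^[ \t]*\[/     { sect = trim($0); block = ""; next }      # [section]
        /=[ \t]*[{]/    { block = trim(substr($0, 1, index($0, "=") - 1)); next }
        /[}]/           { block = ""; next }                       # end of realm block
        sect == "[" want_sect "]" && block == want_realm && index($0, "=") {
            key = trim(substr($0, 1, index($0, "=") - 1))
            if (key == want_key) { print trim(substr($0, index($0, "=") + 1)); exit }
        }
    ' "$1"
}

# seam_login_defaults [KRB5_CONF] -> prints the three pre-filled login fields
seam_login_defaults() {
    conf=${1:-/etc/krb5/krb5.conf}
    realm=$(krb5_lookup "$conf" libdefaults default_realm)
    kdc=$(krb5_lookup "$conf" realms admin_server "$realm")
    # Default principal name is the USER environment variable plus /admin.
    printf 'Principal Name: %s/admin\nRealm: %s\nMaster KDC: %s\n' \
        "${USER:-unknown}" "$realm" "$kdc"
}

# Constructed sample configuration (hypothetical realms and host names).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# constructed sample krb5.conf
[libdefaults]
        default_realm = EXAMPLE.COM

[realms]
        OTHER.EXAMPLE.COM = {
                admin_server = kdc9.other.example.com
        }
        EXAMPLE.COM = {
                kdc = kdc2.example.com
                admin_server = kdc1.example.com
        }
EOF
(USER=jdoe; seam_login_defaults "$SAMPLE")
```

Called without an argument, `seam_login_defaults` reads /etc/krb5/krb5.conf, the file the procedure names.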