I have noticed that over time inconsistancies can arise where a machine entry will be deleted from LDAP but the relevant kerberos principals remain in the KDC. Here’s a small script that I wrote up to help prune out unwanted/stale kerberos principals. Obviously great care must be taken when running this script; if you delete a principal that is still in use, things ARE going to break. So, think before you type. That being said, if you’re not interested in typing 20 delprinc commands, this script is for you.
Usage: %pruneKerb.sh query
pruneKerb will then list all principals matching “query” (standard case-sensitive grep match)
It takes a single argument query and outputs a list of matching kerberos principals, presenting the user with the option to delete individual principals, all principles or simply print a list of matching principals.
Please read the scripts’ comments for more information.
