.\" Man page generated from reStructuredText.
.
.TH "KADMIN" "1" " " "1.20.1" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBkadmin\fP
[\fB\-O\fP|\fB\-N\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
[\fB\-w\fP \fIpassword\fP]
[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
[command args...]
.sp
\fBkadmin.local\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[\fB\-d\fP \fIdbname\fP]
[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
[\fB\-m\fP]
[\fB\-x\fP \fIdb_args\fP]
[command args...]
.SH DESCRIPTION
.sp
kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using kadmind(8)\&.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).
.sp
The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal \fBkadmin/admin\fP or \fBkadmin/ADMINHOST\fP
(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
server). If the credentials cache contains a ticket for one of these
principals, and the \fB\-c\fP credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
\fB\-k\fP options are used to specify the client Kerberos principal name
used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.
.sp
Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-r\fP \fIrealm\fP
Use \fIrealm\fP as the default database realm.
.TP
\fB\-p\fP \fIprincipal\fP
Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
\fB/admin\fP to the primary principal name of the default ccache,
the value of the \fBUSER\fP environment variable, or the username as
obtained with getpwuid, in order of preference.
.TP
\fB\-k\fP
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
\fBhost/hostname\fP\&. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.TP
\fB\-t\fP \fIkeytab\fP
Use \fIkeytab\fP to decrypt the KDC response. This can only be used
with the \fB\-k\fP option.
.TP
\fB\-n\fP
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
of the form \fB@REALM\fP (an empty principal name followed by the
at\-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
supported; these realm\-exposed tickets hide the identity of the
client but not the client\(aqs realm. For this mode, use \fBkinit
\-n\fP with a normal principal name. If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.
.TP
\fB\-c\fP \fIcredentials_cache\fP
Use \fIcredentials_cache\fP as the credentials cache. The cache
should contain a service ticket for the \fBkadmin/admin\fP or
\fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
hostname of the admin server) service; it can be acquired with the
kinit(1) program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
.TP
\fB\-w\fP \fIpassword\fP
Use \fIpassword\fP instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.
.TP
\fB\-q\fP \fIquery\fP
Perform the specified query and then exit.
.TP
\fB\-d\fP \fIdbname\fP
Specifies the name of the KDC database. This option does not
apply to the LDAP database module.
.TP
\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
Specifies the admin server which kadmin should contact.
.TP
\fB\-m\fP
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.TP
\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
Sets the keysalt list to be used for any new keys created. See
Keysalt_lists in kdc.conf(5) for a list of possible
values.
.TP
\fB\-O\fP
Force use of old AUTH_GSSAPI authentication flavor.
.TP
\fB\-N\fP
Prevent fallback to AUTH_GSSAPI authentication flavor.
.TP
\fB\-x\fP \fIdb_args\fP
Specifies the database specific arguments. See the next section
for supported options.
.UNINDENT
.sp
Starting with release 1.14, if any command\-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:
.INDENT 0.0
.IP \(bu 2
Query arguments are split by the shell, not by kadmin.
.IP \(bu 2
Informational and warning messages are suppressed. Error messages
and query output (e.g. for \fBget_principal\fP) will still be
displayed.
.IP \(bu 2
Confirmation prompts are disabled (as if \fB\-force\fP was given).
Password prompts will still be issued as required.
.IP \(bu 2
The exit status will be non\-zero if the query fails.
.UNINDENT
.sp
The \fB\-q\fP option does not carry these behavior differences; the query
will be processed as if it was entered interactively. The \fB\-q\fP
option cannot be used in combination with a query in the remaining
arguments.
.SH DATABASE OPTIONS
.sp
Database options can be used to override database\-specific defaults.
Supported options for the DB2 module are:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.TP
\fB\-x dbname=\fP*filename*
Specifies the base filename of the DB2 database.
.TP
\fB\-x lockiter\fP
Make iteration operations hold the lock for the duration of
the entire operation, rather than temporarily releasing the
lock while handling each principal. This is the default
behavior, but this option exists to allow command line
override of a [dbmodules] setting. First introduced in
release 1.13.
.TP
\fB\-x unlockiter\fP
Make iteration operations unlock the database for each
principal, instead of holding the lock for the duration of the
entire operation. First introduced in release 1.13.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Supported options for the LDAP module are:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.TP
\fB\-x host=\fP\fIldapuri\fP
Specifies the LDAP server to connect to by a LDAP URI.
.TP
\fB\-x binddn=\fP\fIbind_dn\fP
Specifies the DN used to bind to the LDAP server.
.TP
\fB\-x bindpwd=\fP\fIpassword\fP
Specifies the password or SASL secret used to bind to the LDAP
server. Using this option may expose the password to other
users on the system via the process list; to avoid this,
instead stash the password using the \fBstashsrvpw\fP command of
kdb5_ldap_util(8)\&.
.TP
\fB\-x sasl_mech=\fP\fImechanism\fP
Specifies the SASL mechanism used to bind to the LDAP server.
The bind DN is ignored if a SASL mechanism is used. New in
release 1.13.
.TP
\fB\-x sasl_authcid=\fP\fIname\fP
Specifies the authentication name used when binding to the
LDAP server with a SASL mechanism, if the mechanism requires
one. New in release 1.13.
.TP
\fB\-x sasl_authzid=\fP\fIname\fP
Specifies the authorization name used when binding to the LDAP
server with a SASL mechanism. New in release 1.13.
.TP
\fB\-x sasl_realm=\fP\fIrealm\fP
Specifies the realm used when binding to the LDAP server with
a SASL mechanism, if the mechanism uses one. New in release
1.13.
.TP
\fB\-x debug=\fP\fIlevel\fP
Sets the OpenLDAP client library debug level. \fIlevel\fP is an
integer to be interpreted by the library. Debugging messages
are printed to standard error. New in release 1.12.
.UNINDENT
.UNINDENT
.UNINDENT
.SH COMMANDS
.sp
When using the remote client, available commands may be restricted
according to the privileges specified in the kadm5.acl(5) file
on the admin server.
.SS add_principal
.INDENT 0.0
.INDENT 3.5
\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
.UNINDENT
.UNINDENT
.sp
Creates the principal \fInewprinc\fP, prompting twice for a password. If
no password policy is specified with the \fB\-policy\fP option, the
policy named \fBdefault\fP is assigned to the principal if it exists.
However, creating a policy named \fBdefault\fP will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the \fB\-clearpolicy\fP option.
.sp
This command requires the \fBadd\fP privilege.
.sp
Aliases: \fBaddprinc\fP, \fBank\fP
.sp
Options:
.INDENT 0.0
.TP
\fB\-expire\fP \fIexpdate\fP
(getdate string) The expiration date of the principal.
.TP
\fB\-pwexpire\fP \fIpwexpdate\fP
(getdate string) The password expiration date.
.TP
\fB\-maxlife\fP \fImaxlife\fP
(duration or getdate string) The maximum ticket life
for the principal.
.TP
\fB\-maxrenewlife\fP \fImaxrenewlife\fP
(duration or getdate string) The maximum renewable
life of tickets for the principal.
.TP
\fB\-kvno\fP \fIkvno\fP
The initial key version number.
.TP
\fB\-policy\fP \fIpolicy\fP
The password policy used by this principal. If not specified, the
policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
is specified).
.TP
\fB\-clearpolicy\fP
Prevents any policy from being assigned when \fB\-policy\fP is not
specified.
.TP
{\-|+}\fBallow_postdated\fP
\fB\-allow_postdated\fP prohibits this principal from obtaining
postdated tickets. \fB+allow_postdated\fP clears this flag.
.TP
{\-|+}\fBallow_forwardable\fP
\fB\-allow_forwardable\fP prohibits this principal from obtaining
forwardable tickets. \fB+allow_forwardable\fP clears this flag.
.TP
{\-|+}\fBallow_renewable\fP
\fB\-allow_renewable\fP prohibits this principal from obtaining
renewable tickets. \fB+allow_renewable\fP clears this flag.
.TP
{\-|+}\fBallow_proxiable\fP
\fB\-allow_proxiable\fP prohibits this principal from obtaining
proxiable tickets. \fB+allow_proxiable\fP clears this flag.
.TP
{\-|+}\fBallow_dup_skey\fP
\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
principal by prohibiting others from obtaining a service ticket
encrypted in this principal\(aqs TGT session key.
\fB+allow_dup_skey\fP clears this flag.
.TP
{\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
flag. When \fB+requires_preauth\fP is set on a service principal,
the KDC will only issue service tickets for that service principal
if the client\(aqs initial authentication was performed using
preauthentication.
.TP
{\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
set on a service principal, the KDC will only issue service tickets
for that service principal if the client\(aqs initial authentication was
performed using a hardware device to preauthenticate.
.TP
{\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
issued with this principal as the service. Clients may use this
flag as a hint that credentials should be delegated when
authenticating to the service. \fB\-ok_as_delegate\fP clears this
flag.
.TP
{\-|+}\fBallow_svr\fP
\fB\-allow_svr\fP prohibits the issuance of service tickets for this
principal. In release 1.17 and later, user\-to\-user service
tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is
also set. \fB+allow_svr\fP clears this flag.
.TP
{\-|+}\fBallow_tgs_req\fP
\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\fB+allow_tgs_req\fP clears this flag.
.TP
{\-|+}\fBallow_tix\fP
\fB\-allow_tix\fP forbids the issuance of any tickets for this
principal. \fB+allow_tix\fP clears this flag.
.TP
{\-|+}\fBneedchange\fP
\fB+needchange\fP forces a password change on the next initial
authentication to this principal. \fB\-needchange\fP clears this
flag.
.TP
{\-|+}\fBpassword_changing_service\fP
\fB+password_changing_service\fP marks this principal as a password
change service principal.
.TP
{\-|+}\fBok_to_auth_as_delegate\fP
\fB+ok_to_auth_as_delegate\fP allows this principal to acquire
forwardable tickets to itself from arbitrary users, for use with
constrained delegation.
.TP
{\-|+}\fBno_auth_data_required\fP
\fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
{\-|+}\fBlockdown_keys\fP
\fB+lockdown_keys\fP prevents keys for this principal from leaving
the KDC via kadmind. The chpass and extract operations are denied
for a principal with this attribute. The chrand operation is
allowed, but will not return the new keys. The delete and rename
operations are also denied if this attribute is set, in order to
prevent a malicious administrator from replacing principals like
krbtgt/* or kadmin/* with new principals without the attribute.
This attribute can be set via the network protocol, but can only
be removed using kadmin.local.
.TP
\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
\fB\-nokey\fP
Causes the principal to be created with no key. New in release
1.12.
.TP
\fB\-pw\fP \fIpassword\fP
Sets the password of the principal to the specified string and
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.
.TP
\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
\fB\-x\fP \fIdb_princ_args\fP
Indicates database\-specific options. The options for the LDAP
database module are:
.INDENT 7.0
.TP
\fB\-x dn=\fP\fIdn\fP
Specifies the LDAP object that will contain the Kerberos
principal being created.
.TP
\fB\-x linkdn=\fP\fIdn\fP
Specifies the LDAP object to which the newly created Kerberos
principal object will point.
.TP
\fB\-x containerdn=\fP\fIcontainer_dn\fP
Specifies the container object under which the Kerberos
principal is to be created.
.TP
\fB\-x tktpolicy=\fP\fIpolicy\fP
Associates a ticket policy to the Kerberos principal.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
specified with the \fBdn\fP option.
.IP \(bu 2
If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
adding the principal, the principals are created under the
principal container configured in the realm or the realm
container.
.IP \(bu 2
\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
principal container configured in the realm.
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: addprinc jennifer
No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS modify_principal
.INDENT 0.0
.INDENT 3.5
\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Modifies the specified principal, changing the fields as specified.
The options to \fBadd_principal\fP also apply to this command, except
for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
option \fB\-clearpolicy\fP will clear the current policy of a principal.
.sp
This command requires the \fImodify\fP privilege.
.sp
Alias: \fBmodprinc\fP
.sp
Options (in addition to the \fBaddprinc\fP options):
.INDENT 0.0
.TP
\fB\-unlock\fP
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
.UNINDENT
.SS rename_principal
.INDENT 0.0
.INDENT 3.5
\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
.UNINDENT
.UNINDENT
.sp
Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This
command prompts for confirmation, unless the \fB\-force\fP option is
given.
.sp
This command requires the \fBadd\fP and \fBdelete\fP privileges.
.sp
Alias: \fBrenprinc\fP
.SS delete_principal
.INDENT 0.0
.INDENT 3.5
\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Deletes the specified \fIprincipal\fP from the database. This command
prompts for confirmation before deletion, unless the \fB\-force\fP option is given.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelprinc\fP
.SS change_password
.INDENT 0.0
.INDENT 3.5
\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Changes the password of \fIprincipal\fP\&. Prompts for a new password if
neither \fB\-randkey\fP nor \fB\-pw\fP is specified.
.sp
This command requires the \fBchangepw\fP privilege, or that the
principal running the program is the same as the principal being
changed.
.sp
Alias: \fBcpw\fP
.sp
The following options are available:
.INDENT 0.0
.TP
\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
\fB\-pw\fP \fIpassword\fP
Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via
the process list.
.TP
\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
\fB\-keepold\fP
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for \fBkrbtgt\fP principals.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: cpw systest
Enter password for principal systest@BLEEP.COM:
Re\-enter password for principal systest@BLEEP.COM:
Password for systest@BLEEP.COM changed.
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS purgekeys
.INDENT 0.0
.INDENT 3.5
\fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Purges previously retained old keys (e.g., from \fBchange_password
\-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If
\fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
is new in release 1.12.
.sp
This command requires the \fBmodify\fP privilege.
.SS get_principal
.INDENT 0.0
.INDENT 3.5
\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Gets the attributes of principal. With the \fB\-terse\fP option, outputs
fields as quoted tab\-separated strings.
.sp
This command requires the \fBinquire\fP privilege, or that the principal
running the program is the same as the one being listed.
.sp
Alias: \fBgetprinc\fP
.sp
Examples:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, aes256\-cts\-hmac\-sha384\-192
MKey: vno 1
Attributes:
Policy: [none]
kadmin: getprinc \-terse systest
systest@BLEEP.COM 3 86400 604800 1
785926535 753241234 785900000
tlyu/admin@BLEEP.COM 786100034 0 0
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS list_principals
.INDENT 0.0
.INDENT 3.5
\fBlist_principals\fP [\fIexpression\fP]
.UNINDENT
.UNINDENT
.sp
Retrieves all or some principal names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
\fB*\fP, and \fB[]\fP\&. All principal names matching the expression are
printed. If no expression is provided, all principal names are
printed. If the expression does not contain an \fB@\fP character, an
\fB@\fP character followed by the local realm is appended to the
expression.
.sp
This command requires the \fBlist\fP privilege.
.sp
Alias: \fBlistprincs\fP, \fBget_principals\fP, \fBgetprincs\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: listprincs test*
test3@SECURE\-TEST.OV.COM
test2@SECURE\-TEST.OV.COM
test1@SECURE\-TEST.OV.COM
testuser@SECURE\-TEST.OV.COM
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS get_strings
.INDENT 0.0
.INDENT 3.5
\fBget_strings\fP \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Displays string attributes on \fIprincipal\fP\&.
.sp
This command requires the \fBinquire\fP privilege.
.sp
Alias: \fBgetstrs\fP
.SS set_string
.INDENT 0.0
.INDENT 3.5
\fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
.UNINDENT
.UNINDENT
.sp
Sets a string attribute on \fIprincipal\fP\&. String attributes are used to
supply per\-principal configuration to the KDC and some KDC plugin
modules. The following string attribute names are recognized by the
KDC:
.INDENT 0.0
.TP
\fBrequire_auth\fP
Specifies an authentication indicator which is required to
authenticate to the principal as a service. Multiple indicators
can be specified, separated by spaces; in this case any of the
specified indicators will be accepted. (New in release 1.14.)
.TP
\fBsession_enctypes\fP
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
Encryption_types in kdc.conf(5) for a list of the
accepted values.
.TP
\fBotp\fP
Enables One Time Passwords (OTP) preauthentication for a client
\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
of objects, each having optional \fBtype\fP and \fBusername\fP fields.
.TP
\fBpkinit_cert_match\fP
Specifies a matching expression that defines the certificate
attributes required for the client certificate used by the
principal during PKINIT authentication. The matching expression
is in the same format as those used by the \fBpkinit_cert_match\fP
option in krb5.conf(5)\&. (New in release 1.16.)
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBsetstr\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
set_string host/foo.mit.edu session_enctypes aes128\-cts
set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
.ft P
.fi
.UNINDENT
.UNINDENT
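.sp
The two ways this page gives for handing kadmin a query, a \fB\-q\fP string that kadmin tokenizes itself (embedded double quotes doubled, as the \fBotp\fP example just above shows) and the release 1.14 trailing\-argument form that the shell splits and that returns a non\-zero exit status on failure, as an added Python example that is not part of this man page or of MIT Kerberos. It assumes kadmin.local is on PATH and takes an injectable runner so the builders can be checked without a KDC.

```python
import json
import shlex
import subprocess
from typing import Callable, List, Sequence

# Added example, not part of the kadmin man page or of MIT Kerberos.
# Two ways to hand kadmin a query:
#  * -q "<query>" (and interactive input): kadmin tokenizes the string itself.
#    An argument containing whitespace or quotes is wrapped in double quotes
#    and each embedded double quote is doubled, as the set_string otp example
#    in the man page shows. kadmin.local is assumed to be on PATH.
#  * trailing arguments (release 1.14 and later): the shell splits them, so
#    each argv element reaches kadmin verbatim, prompts are suppressed and a
#    failed query gives a non-zero exit status, which is what scripts want.


def quote_for_kadmin(arg: str) -> str:
    """Quote one argument for kadmin's own tokenizer (-q or interactive)."""
    if arg and not any(c in arg for c in ' \t"'):
        return arg
    return '"' + arg.replace('"', '""') + '"'


def otp_value(entries: Sequence[dict]) -> str:
    """JSON array for the 'otp' string attribute, in the page's compact form."""
    return json.dumps(list(entries), separators=(",", ":"))


def set_string_query(principal: str, name: str, value: str) -> List[str]:
    """Query tokens; how they are passed to kadmin is decided below."""
    return ["set_string", principal, name, value]


def q_mode_argv(query: Sequence[str], kadmin: str = "kadmin.local") -> List[str]:
    """argv for `kadmin -q <query>`: kadmin splits the string, so quote for it."""
    return [kadmin, "-q", " ".join(quote_for_kadmin(t) for t in query)]


def script_mode_argv(query: Sequence[str], kadmin: str = "kadmin.local") -> List[str]:
    """argv for the 1.14+ trailing-argument form: no kadmin quoting at all,
    because kadmin never re-tokenizes what the shell already split."""
    return [kadmin, *query]


def run_query(argv: Sequence[str], runner: Callable = subprocess.run):
    """Run the command; `runner` is injectable so the builders can be exercised
    without a KDC. With script_mode_argv, a failed query has returncode != 0."""
    return runner(list(argv), capture_output=True, text=True, check=False)


def shell_line(argv: Sequence[str]) -> str:
    """Render argv as a shell command line, e.g. for a runbook or audit log."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    value = otp_value([{"type": "hotp", "username": "al"}])
    query = set_string_query("user@FOO.COM", "otp", value)
    print(shell_line(q_mode_argv(query)))       # kadmin-style "" escaping inside -q
    print(shell_line(script_mode_argv(query)))  # shell quoting only, JSON untouched
```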
.SS del_string
.INDENT 0.0
.INDENT 3.5
\fBdel_string\fP \fIprincipal\fP \fIkey\fP
.UNINDENT
.UNINDENT
.sp
Deletes a string attribute from \fIprincipal\fP\&.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelstr\fP
.SS add_policy
.INDENT 0.0
.INDENT 3.5
\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Adds a password policy named \fIpolicy\fP to the database.
.sp
This command requires the \fBadd\fP privilege.
.sp
Alias: \fBaddpol\fP
.sp
The following options are available:
.INDENT 0.0
.TP
\fB\-maxlife\fP \fItime\fP
(duration or getdate string) Sets the maximum
lifetime of a password.
.TP
\fB\-minlife\fP \fItime\fP
(duration or getdate string) Sets the minimum
lifetime of a password.
.TP
\fB\-minlength\fP \fIlength\fP
Sets the minimum length of a password.
.TP
\fB\-minclasses\fP \fInumber\fP
Sets the minimum number of character classes required in a
password. The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.
.TP
\fB\-history\fP \fInumber\fP
Sets the number of past keys kept for a principal. This option is
not supported with the LDAP KDC database module.
.UNINDENT
.INDENT 0.0
.TP
\fB\-maxfailure\fP \fImaxnumber\fP
Sets the number of authentication failures before the principal is
locked. Authentication failures are only tracked for principals
which require preauthentication. The counter of failed attempts
resets to 0 after a successful attempt to authenticate. A
\fImaxnumber\fP value of 0 (the default) disables lockout.
.UNINDENT
.INDENT 0.0
.TP
\fB\-failurecountinterval\fP \fIfailuretime\fP
(duration or getdate string) Sets the allowable time
between authentication failures. If an authentication failure
happens after \fIfailuretime\fP has elapsed since the previous
failure, the number of authentication failures is reset to 1. A
\fIfailuretime\fP value of 0 (the default) means forever.
.UNINDENT
.INDENT 0.0
.TP
\fB\-lockoutduration\fP \fIlockouttime\fP
(duration or getdate string) Sets the duration for
which the principal is locked from authenticating if too many
authentication failures occur without the specified failure count
interval elapsing. A duration of 0 (the default) means the
principal remains locked out until it is administratively unlocked
with \fBmodprinc \-unlock\fP\&.
.TP
\fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
setting or changing a principal\(aqs password/keys. See
Keysalt_lists in kdc.conf(5) for a list of the
accepted values, but note that key/salt tuples must be separated
with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
a value of \(aq\-\(aq.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
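.sp
The interplay of \fB\-maxfailure\fP, \fB\-failurecountinterval\fP and \fB\-lockoutduration\fP described above, as an added Python simulation that is not part of this man page or of MIT Kerberos: it applies the page\(aqs rules (success resets the counter to 0, a failure after the interval restarts it at 1, 0 means disabled, forever, or until \fBmodprinc \-unlock\fP) to a timeline of attempts. One assumption not stated on the page is that an attempt made while locked is rejected without touching the counter; the duration values are passed to \fBadd_policy\fP as plain seconds.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example, not part of the kadmin man page or of MIT Kerberos. It models
# the lockout options of add_policy as the man page describes them:
#   -maxfailure N            lock after N failures (0, the default, disables lockout)
#   -failurecountinterval T  a failure more than T seconds after the previous one
#                            restarts the count at 1 (0 means the window is forever)
#   -lockoutduration D       locked for D seconds (0 means until `modprinc -unlock`)
# Failures are only tracked for principals that require preauthentication.
# Assumption not stated on the page: an attempt made while locked is rejected
# outright and neither increments nor resets the failure counter.


@dataclass
class LockoutPolicy:
    maxfailure: int = 0
    failurecountinterval: int = 0
    lockoutduration: int = 0


@dataclass
class PrincipalState:
    fail_count: int = 0
    last_failed: Optional[int] = None
    locked_since: Optional[int] = None  # timestamp at which the lock was imposed


def add_policy_query(name: str, policy: LockoutPolicy) -> List[str]:
    """The kadmin query that creates this policy (durations as plain seconds)."""
    return ["add_policy",
            "-maxfailure", str(policy.maxfailure),
            "-failurecountinterval", str(policy.failurecountinterval),
            "-lockoutduration", str(policy.lockoutduration),
            name]


def is_locked(policy: LockoutPolicy, st: PrincipalState, now: int) -> bool:
    if st.locked_since is None:
        return False
    if policy.lockoutduration == 0:
        return True  # only an administrative unlock clears this
    return now < st.locked_since + policy.lockoutduration


def unlock(st: PrincipalState) -> None:
    """What `modprinc -unlock` achieves: the principal can authenticate again."""
    st.locked_since = None
    st.fail_count = 0


def record_attempt(policy: LockoutPolicy, st: PrincipalState, now: int, ok: bool) -> str:
    """Apply one authentication attempt at time `now` and return its outcome."""
    if is_locked(policy, st, now):
        return "REJECTED_LOCKED"
    if ok:
        st.fail_count = 0  # a successful authentication resets the counter to 0
        st.locked_since = None
        return "OK"
    # Failure: restart the count at 1 if the interval since the previous failure
    # has elapsed (an interval of 0 means the window never closes).
    if (policy.failurecountinterval and st.last_failed is not None
            and now - st.last_failed > policy.failurecountinterval):
        st.fail_count = 1
    else:
        st.fail_count += 1
    st.last_failed = now
    if policy.maxfailure and st.fail_count >= policy.maxfailure:
        st.locked_since = now
        return "FAILED_NOW_LOCKED"
    return "FAILED"


def simulate(policy: LockoutPolicy, attempts: List[Tuple[int, bool]]) -> List[str]:
    """Run a timeline of (timestamp, succeeded) attempts from a clean state."""
    st = PrincipalState()
    return [record_attempt(policy, st, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Constructed timeline: three failures inside a 60 s window lock the
    # principal for 300 s; the first two failures are too old to count.
    pol = LockoutPolicy(maxfailure=3, failurecountinterval=60, lockoutduration=300)
    print(" ".join(add_policy_query("guests", pol)))
    for t, out in zip([0, 10, 100, 110, 120, 200, 500],
                      simulate(pol, [(0, False), (10, False), (100, False),
                                     (110, False), (120, False), (200, True), (500, True)])):
        print("t=%-4d %s" % (t, out))
```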
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Modifies the password policy named \fIpolicy\fP\&. Options are as described
for \fBadd_policy\fP\&.
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBmodpol\fP
.SS delete_policy
.INDENT 0.0
.INDENT 3.5
\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation
before deletion. The command will fail if the policy is in use by any
principals.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelpol\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
(yes/no): yes
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS get_policy
.INDENT 0.0
.INDENT 3.5
\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Displays the values of the password policy named \fIpolicy\fP\&. With the
\fB\-terse\fP flag, outputs the fields as quoted strings separated by
tabs.
.sp
This command requires the \fBinquire\fP privilege.
.sp
Alias: \fBgetpol\fP
.sp
Examples:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: get_policy admin
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
kadmin: get_policy \-terse admin
admin 15552000 0 6 2 5 17
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.
- .SS list_policies
- .INDENT 0.0
- .INDENT 3.5
- \fBlist_policies\fP [\fIexpression\fP]
- .UNINDENT
- .UNINDENT
- .sp
- Retrieves all or some policy names. \fIexpression\fP is a shell\-style
- glob expression that can contain the wild\-card characters \fB?\fP,
- \fB*\fP, and \fB[]\fP\&. All policy names matching the expression are
- printed. If no expression is provided, all existing policy names are
- printed.
- .sp
- This command requires the \fBlist\fP privilege.
- .sp
- Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
- .sp
- Examples:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- kadmin: listpols
- test\-pol
- dict\-only
- once\-a\-min
- test\-pol\-nopw
- kadmin: listpols t*
- test\-pol
- test\-pol\-nopw
- kadmin:
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .SS ktadd
- .INDENT 0.0
- .INDENT 3.5
- .nf
- \fBktadd\fP [options] \fIprincipal\fP
- \fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
- .fi
- .sp
- .UNINDENT
- .UNINDENT
- .sp
- Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
- keytab file. Each principal\(aqs keys are randomized in the process.
- The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
- command.
- .sp
- This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
- With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
- .sp
- The options are:
- .INDENT 0.0
- .TP
- \fB\-k[eytab]\fP \fIkeytab\fP
- Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
- used.
- .TP
- \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
- Uses the specified keysalt list for setting the new keys of the
- principal. See Keysalt_lists in kdc.conf(5) for a
- list of possible values.
- .TP
- \fB\-q\fP
- Display less verbose information.
- .TP
- \fB\-norandkey\fP
- Do not randomize the keys. The keys and their version numbers stay
- unchanged. This option cannot be specified in combination with the
- \fB\-e\fP option.
- .UNINDENT
- .sp
- An entry for each of the principal\(aqs unique encryption types is added,
- ignoring multiple keys with the same encryption type but different
- salt types.
- .sp
- Alias: \fBxst\fP
- .sp
- Example:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
- Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
- encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
- FILE:/tmp/foo\-new\-keytab
- kadmin:
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .SS ktremove
- .INDENT 0.0
- .INDENT 3.5
- \fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
- .UNINDENT
- .UNINDENT
- .sp
- Removes entries for the specified \fIprincipal\fP from a keytab. Requires
- no permissions, since this does not require database access.
- .sp
- If the string "all" is specified, all entries for that principal are
- removed; if the string "old" is specified, all entries for that
- principal except those with the highest kvno are removed. Otherwise,
- the value specified is parsed as an integer, and all entries whose
- kvno match that integer are removed.
- .sp
- The options are:
- .INDENT 0.0
- .TP
- \fB\-k[eytab]\fP \fIkeytab\fP
- Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
- used.
- .TP
- \fB\-q\fP
- Display less verbose information.
- .UNINDENT
- .sp
- Alias: \fBktrem\fP
- .sp
- Example:
- .INDENT 0.0
- .INDENT 3.5
- .sp
- .nf
- .ft C
- kadmin: ktremove kadmin/admin all
- Entry for principal kadmin/admin with kvno 3 removed from keytab
- FILE:/etc/krb5.keytab
- kadmin:
- .ft P
- .fi
- .UNINDENT
- .UNINDENT
- .SS lock
- .sp
- Lock database exclusively. Use with extreme caution! This command
- only works with the DB2 KDC database module.
- .SS unlock
- .sp
- Release the exclusive database lock.
- .SS list_requests
- .sp
- Lists available for kadmin requests.
- .sp
- Aliases: \fBlr\fP, \fB?\fP
- .SS quit
- .sp
- Exit program. If the database was locked, the lock is released.
- .sp
- Aliases: \fBexit\fP, \fBq\fP
- .SH HISTORY
- .sp
- The kadmin program was originally written by Tom Yu at MIT, as an
- interface to the OpenVision Kerberos administration program.
- .SH ENVIRONMENT
- .sp
- See kerberos(7) for a description of Kerberos environment
- variables.
- .SH SEE ALSO
- .sp
- kpasswd(1), kadmind(8), kerberos(7)
- .SH AUTHOR
- MIT
- .SH COPYRIGHT
- 1985-2022, MIT
- .\" Generated by docutils manpage writer.
- .