Diffstat (limited to 'src/man/kadmin.1')
-rw-r--r-- | src/man/kadmin.1 | 1278 |
1 files changed, 1278 insertions, 0 deletions
diff --git a/src/man/kadmin.1 b/src/man/kadmin.1 new file mode 100644 index 0000000000..1a0d22a8ff --- /dev/null +++ b/src/man/kadmin.1 
@@ -0,0 +1,1278 @@ +.TH "KADMIN" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" +.SH NAME +kadmin \- Kerberos V5 database administration program +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.\" Man page generated from reStructeredText. +. +.SH SYNOPSIS +.INDENT 0.0 +.TP +.B \fBkadmin\fP +.sp +[ \fB\-O\fP | \fB\-N\fP ] +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[[\fB\-c\fP \fIcache_name\fP] | [\fB\-k\fP [\fB\-t\fP \fIkeytab\fP ]] | \fB\-n\fP] +[\fB\-w\fP \fIpassword\fP] +[\fB\-s\fP \fIadmin_server\fP [:\fIport\fP]] +.TP +.B \fBkadmin.local\fP +.sp +[\fB\-r\fP \fIrealm\fP] +[\fB\-p\fP \fIprincipal\fP] +[\fB\-q\fP \fIquery\fP] +[\fB\-d\fP \fIdbname\fP] +[\fB\-e\fP "enc:salt ..."] +[\fB\-m\fP] +[\fB\-x\fP \fIdb_args\fP] +.UNINDENT +.SH DESCRIPTION +.sp +\fIkadmin\fP and \fIkadmin.local\fP are command\-line interfaces to the Kerberos V5 KADM5 administration system. +Both \fIkadmin\fP and \fIkadmin.local\fP provide identical functionalities; +the difference is that \fIkadmin.local\fP runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database. +Except as explicitly noted otherwise, this man page will use \fIkadmin\fP to refer to both versions. +\fIkadmin\fP provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs). 
+.sp +The remote version uses Kerberos authentication and an encrypted RPC, to operate securely from anywhere on the network. +It authenticates to the KADM5 server using the service principal \fIkadmin/admin\fP. +If the credentials cache contains a ticket for the \fIkadmin/admin\fP principal, and the \fI\-c\fP credentials_cache option is specified, +that ticket is used to authenticate to KADM5. +Otherwise, the \fI\-p\fP and \fI\-k\fP options are used to specify the client Kerberos principal name used to authenticate. +Once \fIkadmin\fP has determined the principal name, it requests a \fIkadmin/admin\fP Kerberos service ticket from the KDC, +and uses that service ticket to authenticate to KADM5. +.sp +If the database is db2, the local client \fIkadmin.local\fP is intended to run directly on the master KDC without Kerberos authentication. +The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load, +which is now provided by the \fIkdb5_util(8)\fP utility. +.sp +If the database is LDAP, \fIkadmin.local\fP need not be run on the KDC. +.sp +\fIkadmin.local\fP can be configured to log updates for incremental database propagation. +Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. +This facility can be enabled in the \fIkdc.conf\fP file with the \fIiprop_enable\fP option. +See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters. +.SH OPTIONS +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fB\-r\fP \fIrealm\fP +.sp +Use \fIrealm\fP as the default database realm. +.TP +.B \fB\-p\fP \fIprincipal\fP +.sp +Use \fIprincipal\fP to authenticate. Otherwise, \fIkadmin\fP will append "/admin" to the primary principal name of the default ccache, the +value of the \fIUSER\fP environment variable, or the username as obtained with \fIgetpwuid\fP, in order of preference. 
+.TP +.B \fB\-k\fP +.sp +Use a \fIkeytab\fP to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the default principal +will be \fIhost/hostname\fP. If there is not a \fIkeytab\fP specified with the \fB\-t\fP option, then the default \fIkeytab\fP will be used. +.TP +.B \fB\-t\fP \fIkeytab\fP +.sp +Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option. +.TP +.B \fB\-n\fP +.sp +Requests anonymous processing. Two types of anonymous principals are supported. +For fully anonymous Kerberos, configure pkinit on the KDC and configure \fIpkinit_anchors\fP in the client\(aqs \fIkrb5.conf\fP. +Then use the \fI\-n\fP option with a principal of the form \fI@REALM\fP (an empty principal name followed by the at\-sign and a realm name). +If permitted by the KDC, an anonymous ticket will be returned. +A second form of anonymous tickets is supported; these realm\-exposed tickets hide the identity of the client but not the client\(aqs realm. +For this mode, use \fIkinit \-n\fP with a normal principal name. +If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. +As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. +.TP +.B \fB\-c\fP \fIcredentials_cache\fP +.sp +Use \fIcredentials_cache\fP as the credentials cache. The \fIcredentials_cache\fP should contain a service ticket for the \fIkadmin/admin\fP service; +it can be acquired with the \fIkinit(1)\fP program. If this option is not specified, \fIkadmin\fP requests a new service ticket from +the KDC, and stores it in its own temporary ccache. +.TP +.B \fB\-w\fP \fIpassword\fP +.sp +Use \fIpassword\fP instead of prompting for one on the TTY. +.IP Note +. +Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if +unauthorized users gain read access to the script. 
+.RE +.TP +.B \fB\-q\fP \fIquery\fP +.sp +pass query directly to kadmin, which will perform query and then exit. This can be useful for writing scripts. +.TP +.B \fB\-d\fP \fIdbname\fP +.sp +Specifies the name of the Kerberos database. This option does not apply to the LDAP database. +.TP +.B \fB\-s\fP \fIadmin_server\fP [:port] +.sp +Specifies the admin server which \fIkadmin\fP should contact. +.UNINDENT +.sp +\fB\-m\fP Do not authenticate using a \fIkeytab\fP. This option will cause \fIkadmin\fP to prompt for the master database password. +.INDENT 0.0 +.TP +.B \fB\-e\fP enc:salt_list +.sp +Sets the list of encryption types and salt types to be used for any new keys created. +.UNINDENT +.sp +\fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor. +.sp +\fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor. +.INDENT 0.0 +.TP +.B \fB\-x\fP \fIdb_args\fP +.sp +Specifies the database specific arguments. +.sp +Options supported for LDAP database are: +.INDENT 7.0 +.TP +.B \fB\-x\fP host=<hostname> +.sp +specifies the LDAP server to connect to by a LDAP URI. +.TP +.B \fB\-x\fP binddn=<bind_dn> +.sp +specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the +read and write rights on the realm container, principal container and the subtree that is referenced by the realm. +.TP +.B \fB\-x\fP bindpwd=<bind_password> +.sp +specifies the password for the above mentioned binddn. It is recommended not to use this option. +Instead, the password can be stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP +.UNINDENT +.UNINDENT +.UNINDENT +.UNINDENT +.SH DATE FORMAT +.sp +Many of the \fIkadmin\fP commands take a duration or time as an argument. 
The date can appear in a wide variety of formats, such as: +.sp +.nf +.ft C +1 month ago +2 hours ago +400000 seconds ago +last year +this Monday +next Monday +yesterday +tomorrow +now +second Monday +fortnight ago +3/31/92 10:00:07 PST +January 23, 1987 10:05pm +22:00 GMT +.ft P +.fi +.sp +Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected. +In that case the time specifier will be interpreted as relative. +Specifying "ago" in a duration may result in unexpected behavior. +.sp +The following is a list of all of the allowable keywords. +.TS +center; +|l|l|. +_ +T{ +Months +T} T{ +january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec +T} +_ +T{ +Days +T} T{ +sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat +T} +_ +T{ +Units +T} T{ +year, month, fortnight, week, day, hour, minute, min, second, sec +T} +_ +T{ +Relative +T} T{ +tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago +T} +_ +T{ +Time Zones +T} T{ +kadmin recognizes abbreviations for most of the world\(aqs time zones. A complete listing appears in kadmin Time Zones. +T} +_ +T{ +12\-hour Time Delimiters +T} T{ +am, pm +T} +_ +.TE +.SH COMMANDS +.SS add_principal +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBadd_principal\fP [options] \fInewprinc\fP +.sp +creates the principal \fInewprinc\fP, prompting twice for a password. If no policy is specified with the \fI\-policy\fP option, +and the policy named "default" exists, then that policy is assigned to the principal; +note that the assignment of the policy "default" only occurs automatically when a principal is first created, +so the policy "default" must already exist for the assignment to occur. 
+This assignment of "default" can be suppressed with the \fI\-clearpolicy\fP option. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +This command requires the \fIadd\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Aliases: +.sp +.nf +.ft C +addprinc ank +.ft P +.fi +.sp +The options are: +.INDENT 7.0 +.TP +.B \fB\-x\fP \fIdb_princ_args\fP +.INDENT 7.0 +.INDENT 3.5 +.sp +Denotes the database specific options. +.sp +The options for LDAP database are: +.INDENT 0.0 +.TP +.B \fB\-x\fP dn=<dn> +.sp +Specifies the LDAP object that will contain the Kerberos principal being created. +.TP +.B \fB\-x\fP linkdn=<dn> +.sp +Specifies the LDAP object to which the newly created Kerberos principal object will point to. +.TP +.B \fB\-x\fP containerdn=<container_dn> +.sp +Specifies the container object under which the Kerberos principal is to be created. +.TP +.B \fB\-x\fP tktpolicy=<policy> +.sp +Associates a ticket policy to the Kerberos principal. +.UNINDENT +.UNINDENT +.UNINDENT +.IP Note +.INDENT 7.0 +.IP \(bu 2 +. +\fIcontainerdn\fP and \fIlinkdn\fP options cannot be specified with dn option. +.IP \(bu 2 +. +If \fIdn\fP or \fIcontainerdn\fP options are not specified while adding the principal, the principals are created under the prinicipal container configured in the realm or the realm container. +.IP \(bu 2 +. +\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm. +.UNINDENT +.RE +.TP +.B \fB\-expire\fP \fIexpdate\fP +.sp +expiration date of the principal +.TP +.B \fB\-pwexpire\fP \fIpwexpdate\fP +.sp +password expiration date +.TP +.B \fB\-maxlife\fP \fImaxlife\fP +.sp +maximum ticket life for the principal +.TP +.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP +.sp +maximum renewable life of tickets for the principal +.TP +.B \fB\-kvno\fP \fIkvno\fP +.sp +explicitly set the key version number. +.TP +.B \fB\-policy\fP \fIpolicy\fP +.sp +policy used by this principal. 
+If no policy is supplied, then if the policy "default" exists and the \fI\-clearpolicy\fP is not also specified, +then the policy "default" is used; +otherwise, the principal will have no policy, and a warning message will be printed. +.TP +.B \fB\-clearpolicy\fP +.sp +\fI\-clearpolicy\fP prevents the policy "default" from being assigned when \fI\-policy\fP is not specified. +This option has no effect if the policy "default" does not exist. +.TP +.B {\- | +} \fBallow_postdated\fP +.sp +\fI\-allow_postdated\fP prohibits this principal from obtaining postdated tickets. +(Sets the \fIKRB5_KDB_DISALLOW_POSTDATED\fP flag.) \fI+allow_postdated\fP clears this flag. +.TP +.B {\- | +} \fBallow_forwardable\fP +.sp +\fI\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets. +(Sets the \fIKRB5_KDB_DISALLOW_FORWARDABLE\fP flag.) +\fI+allow_forwardable\fP clears this flag. +.TP +.B {\- | +} \fBallow_renewable\fP +.sp +\fI\-allow_renewable\fP prohibits this principal from obtaining renewable tickets. +(Sets the \fIKRB5_KDB_DISALLOW_RENEWABLE\fP flag.) +\fI+allow_renewable\fP clears this flag. +.TP +.B {\- | +} \fBallow_proxiable\fP +.sp +\fI\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets. +(Sets the \fIKRB5_KDB_DISALLOW_PROXIABLE\fP flag.) +\fI+allow_proxiable\fP clears this flag. +.TP +.B {\- | +} \fBallow_dup_skey\fP +.sp +\fI\-allow_dup_skey\fP disables user\-to\-user authentication for this principal by prohibiting this principal from obtaining a +session key for another user. +(Sets the \fIKRB5_KDB_DISALLOW_DUP_SKEY\fP flag.) +\fI+allow_dup_skey\fP clears this flag. +.TP +.B {\- | +} \fBrequires_preauth\fP +.sp +\fI+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit. +(Sets the \fIKRB5_KDB_REQUIRES_PRE_AUTH\fP flag.) +\fI\-requires_preauth\fP clears this flag. 
+.TP +.B {\- | +} \fBrequires_hwauth\fP +.sp +\fI+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit. +(Sets the \fIKRB5_KDB_REQUIRES_HW_AUTH\fP flag.) +\fI\-requires_hwauth\fP clears this flag. +.TP +.B {\- | +} \fBok_as_delegate\fP +.sp +\fI+ok_as_delegate\fP sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service, +which clients may use as a hint that credentials can and should be delegated when authenticating to the service. +(Sets the \fIKRB5_KDB_OK_AS_DELEGATE\fP flag.) +\fI\-ok_as_delegate\fP clears this flag. +.TP +.B {\- | +} \fBallow_svr\fP +.sp +\fI\-allow_svr\fP prohibits the issuance of service tickets for this principal. +(Sets the \fIKRB5_KDB_DISALLOW_SVR\fP flag.) +\fI+allow_svr\fP clears this flag. +.TP +.B {\- | +} \fBallow_tgs_req\fP +.sp +\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted. +This option is useless for most things. +\fI+allow_tgs_req\fP clears this flag. +The default is +allow_tgs_req. +In effect, \fI\-allow_tgs_req sets\fP the \fIKRB5_KDB_DISALLOW_TGT_BASED\fP flag on the principal in the database. +.TP +.B {\- | +} \fBallow_tix\fP +.sp +\fI\-allow_tix\fP forbids the issuance of any tickets for this principal. +\fI+allow_tix\fP clears this flag. +The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix\fP sets the \fIKRB5_KDB_DISALLOW_ALL_TIX\fP flag on the principal in the database. +.TP +.B {\- | +} \fBneedchange\fP +.sp +\fI+needchange\fP sets a flag in attributes field to force a password change; +\fI\-needchange\fP clears it. +The default is \fI\-needchange\fP. +In effect, \fI+needchange\fP sets the \fIKRB5_KDB_REQUIRES_PWCHANGE\fP flag on the principal in the database. 
+.TP +.B {\- | +} \fBpassword_changing_service\fP +.sp +\fI+password_changing_service\fP sets a flag in the attributes field marking this as a password change service principal +(useless for most things). +\fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. +The default is \fI\-password_changing_service\fP. +In effect, \fI+password_changing_service\fP sets the \fIKRB5_KDB_PWCHANGE_SERVICE\fP flag on the principal in the database. +.TP +.B \fB\-randkey\fP +.sp +sets the key of the principal to a random value +.TP +.B \fB\-pw\fP \fIpassword\fP +.sp +sets the key of the principal to the specified string and does not prompt for a password. Note: using this option in a +shell script can be dangerous if unauthorized users gain read access to the script. +.TP +.B \fB\-e\fP "enc:salt ..." +.sp +uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if +there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kadmin: addprinc jennifer +WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; +defaulting to no policy. +Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. +Re\-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. +Principal "jennifer@ATHENA.MIT.EDU" created. +kadmin: +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_ADD (requires "add" privilege) +KADM5_BAD_MASK (shouldn\(aqt happen) +KADM5_DUP (principal exists already) +KADM5_UNK_POLICY (policy does not exist) +KADM5_PASS_Q_* (password quality violations) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS modify_principal +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBmodify_principal\fP [options] \fIprincipal\fP +.sp +Modifies the specified principal, changing the fields as specified. 
The options are as above for \fIadd_principal\fP, except that +password changing and flags related to password changing are forbidden by this command. +In addition, the option \fI\-clearpolicy\fP will clear the current policy of a principal. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +This command requires the \fImodify\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +modprinc +.ft P +.fi +.sp +The options are: +.INDENT 7.0 +.TP +.B \fB\-x\fP \fIdb_princ_args\fP +.sp +Denotes the database specific options. +.sp +The options for LDAP database are: +.INDENT 7.0 +.TP +.B \fB\-x\fP tktpolicy=<policy> +.sp +Associates a ticket policy to the Kerberos principal. +.TP +.B \fB\-x\fP linkdn=<dn> +.sp +Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not +already associated with a LDAP object. +.UNINDENT +.TP +.B \fB\-unlock\fP +.sp +Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between +them according to its password policy) so that it can successfully authenticate. +.UNINDENT +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_MODIFY (requires "modify" privilege) +KADM5_UNK_PRINC (principal does not exist) +KADM5_UNK_POLICY (policy does not exist) +KADM5_BAD_MASK (shouldn\(aqt happen) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS delete_principal +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBdelete_principal\fP [ \fI\-force\fP ] \fIprincipal\fP +.sp +Deletes the specified \fIprincipal\fP from the database. This command prompts for deletion, unless the \fI\-force\fP option is given. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +This command requires the \fIdelete\fP privilege. 
+.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +delprinc +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_DELETE (requires "delete" privilege) +KADM5_UNK_PRINC (principal does not exist) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS change_password +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBchange_password\fP [options] \fIprincipal\fP +.sp +Changes the password of \fIprincipal\fP. Prompts for a new password if neither \fI\-randkey\fP or \fI\-pw\fP is specified. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIchangepw\fP privilege, or that the principal that is running the program to be the same as the one changed. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +cpw +.ft P +.fi +.sp +The following options are available: +.INDENT 7.0 +.TP +.B \fB\-randkey\fP +.sp +Sets the key of the principal to a random value +.TP +.B \fB\-pw\fP \fIpassword\fP +.sp +Set the password to the specified string. Not recommended. +.TP +.B \fB\-e\fP "enc:salt ..." +.sp +Uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if +there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. +See \fISupported_Encryption_Types_and_Salts\fP for possible values. +.TP +.B \fB\-keepold\fP +.sp +Keeps the previous kvno\(aqs keys around. This flag is usually not necessary except perhaps for TGS keys. Don\(aqt use this +flag unless you know what you\(aqre doing. This option is not supported for the LDAP database. +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kadmin: cpw systest +Enter password for principal systest@BLEEP.COM: +Re\-enter password for principal systest@BLEEP.COM: +Password for systest@BLEEP.COM changed. 
+kadmin: +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_MODIFY (requires the modify privilege) +KADM5_UNK_PRINC (principal does not exist) +KADM5_PASS_Q_* (password policy violation errors) +KADM5_PADD_REUSE (password is in principal\(aqs password +history) +KADM5_PASS_TOOSOON (current password minimum life not +expired) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS purgekeys +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBpurgekeys\fP [\fI\-keepkvno oldest_kvno_to_keep\fP ] \fIprincipal\fP +.sp +Purges previously retained old keys (e.g., from \fIchange_password \-keepold\fP) from \fIprincipal\fP. +If \fB\-keepkvno\fP is specified, then only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. +.UNINDENT +.UNINDENT +.UNINDENT +.SS get_principal +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBget_principal\fP [\fI\-terse\fP] \fIprincipal\fP +.sp +Gets the attributes of principal. +With the \fB\-terse\fP option, outputs fields as quoted tab\-separated strings. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIinquire\fP privilege, or that the principal that is running the the program to be the same as the one being listed. 
+.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +getprinc +.ft P +.fi +.sp +EXAMPLES: +.sp +.nf +.ft C +kadmin: getprinc tlyu/admin +Principal: tlyu/admin@BLEEP.COM +Expiration date: [never] +Last password change: Mon Aug 12 14:16:47 EDT 1996 +Password expiration date: [none] +Maximum ticket life: 0 days 10:00:00 +Maximum renewable life: 7 days 00:00:00 +Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) +Last successful authentication: [never] +Last failed authentication: [never] +Failed password attempts: 0 +Number of keys: 2 +Key: vno 1, DES cbc mode with CRC\-32, no salt +Key: vno 1, DES cbc mode with CRC\-32, Version 4 +Attributes: +Policy: [none] + + +kadmin: getprinc \-terse systest +systest@BLEEP.COM 3 86400 604800 1 +785926535 753241234 785900000 +tlyu/admin@BLEEP.COM 786100034 0 0 +kadmin: +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_GET (requires the get (inquire) privilege) +KADM5_UNK_PRINC (principal does not exist) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS list_principals +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBlist_principals\fP [expression] +.sp +Retrieves all or some principal names. +Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. +All principal names matching the expression are printed. +If no expression is provided, all principal names are printed. +If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIlist\fP privilege. 
+.RE +.UNINDENT +.UNINDENT +.sp +Aliases: +.sp +.nf +.ft C +listprincs get_principals get_princs +.ft P +.fi +.sp +EXAMPLES: +.sp +.nf +.ft C +kadmin: listprincs test* +test3@SECURE\-TEST.OV.COM +test2@SECURE\-TEST.OV.COM +test1@SECURE\-TEST.OV.COM +testuser@SECURE\-TEST.OV.COM +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS get_strings +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBget_strings\fP \fIprincipal\fP +.sp +Displays string attributes on \fIprincipal\fP. +String attributes are used to supply per\-principal configuration to some KDC plugin modules. +.sp +Alias: +.sp +.nf +.ft C +getstr +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS set_string +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP +.sp +Sets a string attribute on \fIprincipal\fP. +.sp +Alias: +.sp +.nf +.ft C +setstr +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS del_string +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBdel_string\fP \fIprincipal\fP \fIkey\fP +.sp +Deletes a string attribute from \fIprincipal\fP. +.sp +Alias: +.sp +.nf +.ft C +delstr +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS add_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBadd_policy\fP [options] \fIpolicy\fP +.sp +Adds the named \fIpolicy\fP to the policy database. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIadd\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +addpol +.ft P +.fi +.sp +The following options are available: +.INDENT 7.0 +.TP +.B \fB\-maxlife\fP \fItime\fP +.sp +sets the maximum lifetime of a password +.TP +.B \fB\-minlife\fP \fItime\fP +.sp +sets the minimum lifetime of a password +.TP +.B \fB\-minlength\fP \fIlength\fP +.sp +sets the minimum length of a password +.TP +.B \fB\-minclasses\fP \fInumber\fP +.sp +sets the minimum number of character classes allowed in a password +.TP +.B \fB\-history\fP \fInumber\fP +.sp +sets the number of past keys kept for a principal. 
This option is not supported for LDAP database +.TP +.B \fB\-maxfailure\fP \fImaxnumber\fP +.sp +sets the maximum number of authentication failures before the principal is locked. +Authentication failures are only tracked for principals which require preauthentication. +.TP +.B \fB\-failurecountinterval\fP \fIfailuretime\fP +.sp +sets the allowable time between authentication failures. +If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, +the number of authentication failures is reset to 1. +.TP +.B \fB\-lockoutduration\fP \fIlockouttime\fP +.sp +sets the duration for which the principal is locked from authenticating if too many authentication failures occur without +the specified failure count interval elapsing. A duration of 0 means forever. +.UNINDENT +.sp +EXAMPLES: +.sp +.nf +.ft C +kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests +kadmin: +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_ADD (requires the add privilege) +KADM5_DUP (policy already exists) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS modify_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBmodify_policy\fP [options] \fIpolicy\fP +.sp +modifies the named \fIpolicy\fP. Options are as above for \fIadd_policy\fP. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fImodify\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +modpol +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_MODIFY (requires the modify privilege) +KADM5_UNK_POLICY (policy does not exist) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS delete_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBdelete_policy\fP [ \fI\-force\fP ] \fIpolicy\fP +.sp +deletes the named \fIpolicy\fP. Prompts for confirmation before deletion. +The command will fail if the policy is in use by any principals. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIdelete\fP privilege. 
+.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +delpol +.ft P +.fi +.sp +EXAMPLE: +.sp +.nf +.ft C +kadmin: del_policy guests +Are you sure you want to delete the policy "guests"? +(yes/no): yes +kadmin: +.ft P +.fi +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_DELETE (requires the delete privilege) +KADM5_UNK_POLICY (policy does not exist) +KADM5_POLICY_REF (reference count on policy is not zero) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS get_policy +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP +.sp +displays the values of the named \fIpolicy\fP. +With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIinquire\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +getpol +.ft P +.fi +.sp +EXAMPLES: +.sp +.nf +.ft C +kadmin: get_policy admin +Policy: admin +Maximum password life: 180 days 00:00:00 +Minimum password life: 00:00:00 +Minimum password length: 6 +Minimum number of password character classes: 2 +Number of old keys kept: 5 +Reference count: 17 + +kadmin: get_policy \-terse admin +admin 15552000 0 6 2 5 17 +kadmin: +.ft P +.fi +.sp +The \fIReference count\fP is the number of principals using that policy. +.sp +ERRORS: +.sp +.nf +.ft C +KADM5_AUTH_GET (requires the get privilege) +KADM5_UNK_POLICY (policy does not exist) +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS list_policies +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBlist_policies\fP [expression] +.sp +Retrieves all or some policy names. Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. +All policy names matching the expression are printed. +If no expression is provided, all existing policy names are printed. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIlist\fP privilege. +.RE +.UNINDENT +.UNINDENT +.sp +Alias: +.sp +.nf +.ft C +listpols, get_policies, getpols. 
+.ft P +.fi +.sp +EXAMPLES: +.sp +.nf +.ft C +kadmin: listpols +test\-pol +dict\-only +once\-a\-min +test\-pol\-nopw + +kadmin: listpols t* +test\-pol +test\-pol\-nopw +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS ktadd +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBktadd\fP [[\fIprincipal\fP | \fB\-glob\fP \fIprinc\-exp\fP] +.sp +Adds a \fIprincipal\fP or all principals matching \fIprinc\-exp\fP to a keytab file. +It randomizes each principal\(aqs key in the process, to prevent a compromised admin account from reading out all of the keys from the database. +The rules for principal expression are the same as for the \fIkadmin\fP \fI\%list_principals\fP command. +.INDENT 7.0 +.INDENT 3.5 +.IP Note +. +Requires the \fIinquire\fP and \fIchangepw\fP privileges. +.sp +If you use the \fI\-glob\fP option, it also requires the \fIlist\fP administrative privilege. +.RE +.UNINDENT +.UNINDENT +.sp +The options are: +.INDENT 7.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +.sp +Use \fIkeytab\fP as the keytab file. Otherwise, \fIktadd\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). +.TP +.B \fB\-e\fP \fI"enc:salt..."\fP +.sp +Use the specified list of enctype\-salttype pairs for setting the key of the principal. +The enctype\-salttype pairs may be delimited with commas or whitespace. +The quotes are necessary for whitespace\-delimited list. +If this option is not specified, then \fIsupported_enctypes\fP from \fIkrb5.conf\fP will be used. +See \fISupported_Encryption_Types_and_Salts\fP for all possible values. +.TP +.B \fB\-q\fP +.sp +Run in quiet mode. This causes \fIktadd\fP to display less verbose information. +.TP +.B \fB\-norandkey\fP +.sp +Do not randomize the keys. The keys and their version numbers stay unchanged. +That allows users to continue to use the passwords they know to login normally, +while simultaneously allowing scripts to login to the same account using a \fIkeytab\fP. 
+There is no significant security risk added since \fIkadmin.local\fP must be run by root on the KDC anyway. +This option is only available in \fIkadmin.local\fP and cannot be specified in combination with \fI\-e\fP option. +.UNINDENT +.IP Note +. +An entry for each of the principal\(aqs unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. +.RE +.sp +EXAMPLE: +.sp +.nf +.ft C +kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu +Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with + kvno 3, encryption type DES\-CBC\-CRC added to keytab + WRFILE:/tmp/foo\-new\-keytab +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SS ktremove +.INDENT 0.0 +.INDENT 3.5 +.INDENT 0.0 +.TP +.B \fBktremove\fP \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP] +.sp +Removes entries for the specified \fIprincipal\fP from a keytab. Requires no permissions, since this does not require database access. +.sp +If the string "all" is specified, all entries for that principal are removed; +if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. +Otherwise, the value specified is parsed as an integer, and all entries whose \fIkvno\fP match that integer are removed. +.sp +The options are: +.INDENT 7.0 +.TP +.B \fB\-k[eytab]\fP \fIkeytab\fP +.sp +Use keytab as the keytab file. Otherwise, \fIktremove\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). +.TP +.B \fB\-q\fP +.sp +Run in quiet mode. This causes \fIktremove\fP to display less verbose information. +.UNINDENT +.sp +EXAMPLE: +.sp +.nf +.ft C +kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all +Entry for principal kadmin/admin with kvno 3 removed + from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. +kadmin: +.ft P +.fi +.UNINDENT +.UNINDENT +.UNINDENT +.SH FILES +.IP Note +. +The first three files are specific to db2 database. +.RE +.TS +center; +|l|l|. 
+_ +T{ +principal.db +T} T{ +default name for Kerberos principal database +T} +_ +T{ +<dbname>.kadm5 +T} T{ +KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information. +T} +_ +T{ +<dbname>.kadm5.lock +T} T{ +Lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., \fIkadmin\fP will exit with an error if this file does not exist. +T} +_ +T{ +kadm5.acl +T} T{ +File containing list of principals and their \fIkadmin\fP administrative privileges. See kadmind(8) for a description. +T} +_ +T{ +kadm5.keytab +T} T{ +\fIkeytab\fP file for \fIkadmin/admin\fP principal. +T} +_ +T{ +kadm5.dict +T} T{ +file containing dictionary of strings explicitly disallowed as passwords. +T} +_ +.TE +.SH HISTORY +.sp +The \fIkadmin\fP program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. +.SH SEE ALSO +.sp +kerberos(1), kpasswd(1), kadmind(8) +.SH AUTHOR +MIT +.SH COPYRIGHT +2011, MIT +.\" Generated by docutils manpage writer. +. |
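Review bot: the `-n` option text in OPTIONS still tells the reader to "use kinit -n with a normal principal name" for realm-exposed anonymous tickets; this is kadmin.1, so it should read `kadmin -n` (the paragraph looks copied from kinit.1), otherwise an admin following it ends up in the wrong tool. Smaller points in the same hunk: the change_password ERRORS list names `KADM5_PADD_REUSE (password is in principal's password history)`, which should be `KADM5_PASS_REUSE`; the same list says `KADM5_AUTH_MODIFY (requires the modify privilege)` while the Note above it says the command needs the `changepw` privilege or self-service, so one of the two should be changed to match the ACL bit kadmind actually enforces; `-m`, `-O` and `-N` are emitted as bare `.sp` paragraphs rather than `.TP` entries like the other options, and `-m` should state that it applies to kadmin.local only, as the SYNOPSIS already implies; the ktadd synopsis `[[principal | -glob princ-exp]` has an unbalanced bracket; the `-w password` and `-pw password` notes warn about passwords in scripts but not that a value given on the command line (including inside `-q`) is visible to other users in the process list, which is the more common leak; and there are typos "prinicipal container" (add_principal LDAP notes), "the the program" (get_principal note) and a `.TH` version string of "0.0.1" that looks like the doc-build placeholder rather than the krb5 release.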