.\" $Source$
.\" $Author$
.\" $Id$
.\" Copyright 1995 by the Massachusetts Institute of Technology.
.\"
.\" Export of this software from the United States of America may
.\" require a specific license from the United States Government.
.\" It is the responsibility of any person or organization contemplating
.\" export to obtain such a license before exporting.
.\"
.\" WITHIN THAT CONSTRAINT, permission to use, copy, modify, and
.\" distribute this software and its documentation for any purpose and
.\" without fee is hereby granted, provided that the above copyright
.\" notice appear in all copies and that both that copyright notice and
.\" this permission notice appear in supporting documentation, and that
.\" the name of M.I.T. not be used in advertising or publicity pertaining
.\" to distribution of the software without specific, written prior
.\" permission. M.I.T. makes no representations about the suitability of
.\" this software for any purpose. It is provided "as is" without express
.\" or implied warranty.
.\"
.\"
.TH KADMIN5 8 "Kerberos Version 5.0" "MIT Project Athena"
.SH NAME
kadmin5 \- administer a Kerberos principal database over the network.
.SH SYNOPSIS
.B kadmin5
[
.B \-r
.I realm
] [
.B \-p
.I principal
] [
.B \-c
.I ccache
] [
.B \-l
.I deltatime
] [
.B \-d
] [
.B \-s
] [
.B \-m
]
[ command ... ]
.br
.SH FLAGS
.PP
.IP \-r
.B realm
specifies the default realm.
.IP \-p
.B principal
specifies a principal name to use instead of the default
.I user
.B /kadmin@realm.
.IP \-c
.B ccache
specifies a credentials cache to use instead of the default.
.IP \-l
.B deltatime
specifies the lifetime for an administrative ticket, if one needs to be
acquired.
.IP \-d
specifies that the credentials cache is to be deleted after use.
.IP \-s
specifies that the credentials cache is to be saved for further use.
.IP \-m
specifies that multiple operations will be permitted with only a single entry
of the administrative principal's password.
.SH DESCRIPTION
This utility provides a network administration interface to the Kerberos
master database. Kerberos administrators use
.I kadmin5
to register new
users and services with the master database; to remove old users and services
from the master database; to modify information about existing database
entries; and to create service key tables from entries in the database.
.PP
The
.I kadmin5
program communicates over the network with the
.I kadmind5
program, which runs on the system where the Kerberos master database resides.
.I kadmind5
performs the database operations which
.I kadmin5
specifies.
.PP
Principals who may perform administrative operations are controlled by the
.I kadmind5
access control list. The default administrative principal is
.I user
.B /kadmin@realm.
.PP
One command may be specified on the command line, or if no command is provided,
an interactive command loop is entered for the administrator to enter commands.
.PP
If a credentials cache is specified with
.I \-c
.B ccache,
then the default is not to delete the credentials cache. Otherwise, the
default is to delete it. The
.I \-d
and
.I \-s
flags override this default behavior.
.PP
.SH AVAILABLE COMMANDS
The following is a list of commands and their aliases that the system
administrator may use to manipulate the database:
.IP show_principal,show
Show the Kerberos database entry for a principal.
.IP add_new_key,ank
Add new entry to Kerberos database (prompting for new password).
.IP change_pwd_key,cpw
Change key of an entry in the Kerberos database (prompting for new password).
.IP add_rnd_key,ark
Add new entry to Kerberos database, using a random key.
.IP change_rnd_key,crk
Change key of an entry in the Kerberos database (selecting a new random key).
.IP add_key_type,akt
Add new key type to an existing Kerberos principal (prompting for old
password).
.IP del_key_type,dkt
Delete key type from an existing Kerberos principal (prompting for old
password).
.IP delete_entry,delent,del
Delete an entry from the database.
.IP extract_srvtab,xst,ex_st
Extract service key table entry/entries.
.IP extract_v4_srvtab,xst4
Extract service key table entry/entries in V4 format.
.IP modify_entry,modent
Modify database entry.
.IP rename_entry,renent
Rename database entry.
.IP list_db,ldb
List database entries.
.IP change_working_directory,cwd,cd
Change working directory.
.IP print_working_directory,pwd
Print working directory.
.IP list_requests,lr,?
List available requests.
.IP quit,exit,q
Exit program.
.PP
.SH PRINCIPAL OPTIONS
For the
.I add_new_key, add_rnd_key
and
.I modify_entry
commands, an optional list of principal options may be specified. The
following options may be specified:
.TP i
.I maxlife=<deltatime>
Specifies the maximum ticket life for the principal.
.TP i
.I maxrenewlife=<deltatime>
Specifies the maximum renewable ticket life for the principal.
.TP i
.I expiration=<date>
Specifies the expiration date and time of the principal.
.TP i
.I pwexpiration=<date>
Specifies the expiration date and time of the principal's password.
.TP i
.I [+/-]<flag-value>
Selects a particular flag value.
.PP
.SH SEE ALSO
kadmind5(8), kpasswd(1)