Diffstat (limited to 'src/man/kadmin.1')
-rw-r--r-- | src/man/kadmin.1 | 1278 |
1 files changed, 0 insertions, 1278 deletions
diff --git a/src/man/kadmin.1 b/src/man/kadmin.1 deleted file mode 100644 index 1a0d22a8f..000000000 --- a/src/man/kadmin.1 +++ /dev/null 
@@ -1,1278 +0,0 @@ -.TH "KADMIN" "1" "January 06, 2012" "0.0.1" "MIT Kerberos" -.SH NAME -kadmin \- Kerberos V5 database administration program -. -.nr rst2man-indent-level 0 -. -.de1 rstReportMargin -\\$1 \\n[an-margin] -level \\n[rst2man-indent-level] -level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] -- -\\n[rst2man-indent0] -\\n[rst2man-indent1] -\\n[rst2man-indent2] -.. -.de1 INDENT -.\" .rstReportMargin pre: -. RS \\$1 -. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] -. nr rst2man-indent-level +1 -.\" .rstReportMargin post: -.. -.de UNINDENT -. RE -.\" indent \\n[an-margin] -.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] -.nr rst2man-indent-level -1 -.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] -.in \\n[rst2man-indent\\n[rst2man-indent-level]]u -.. -.\" Man page generated from reStructeredText. -. -.SH SYNOPSIS -.INDENT 0.0 -.TP -.B \fBkadmin\fP -.sp -[ \fB\-O\fP | \fB\-N\fP ] -[\fB\-r\fP \fIrealm\fP] -[\fB\-p\fP \fIprincipal\fP] -[\fB\-q\fP \fIquery\fP] -[[\fB\-c\fP \fIcache_name\fP] | [\fB\-k\fP [\fB\-t\fP \fIkeytab\fP ]] | \fB\-n\fP] -[\fB\-w\fP \fIpassword\fP] -[\fB\-s\fP \fIadmin_server\fP [:\fIport\fP]] -.TP -.B \fBkadmin.local\fP -.sp -[\fB\-r\fP \fIrealm\fP] -[\fB\-p\fP \fIprincipal\fP] -[\fB\-q\fP \fIquery\fP] -[\fB\-d\fP \fIdbname\fP] -[\fB\-e\fP "enc:salt ..."] -[\fB\-m\fP] -[\fB\-x\fP \fIdb_args\fP] -.UNINDENT -.SH DESCRIPTION -.sp -\fIkadmin\fP and \fIkadmin.local\fP are command\-line interfaces to the Kerberos V5 KADM5 administration system. -Both \fIkadmin\fP and \fIkadmin.local\fP provide identical functionalities; -the difference is that \fIkadmin.local\fP runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database. -Except as explicitly noted otherwise, this man page will use \fIkadmin\fP to refer to both versions. -\fIkadmin\fP provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs). 
-.sp -The remote version uses Kerberos authentication and an encrypted RPC, to operate securely from anywhere on the network. -It authenticates to the KADM5 server using the service principal \fIkadmin/admin\fP. -If the credentials cache contains a ticket for the \fIkadmin/admin\fP principal, and the \fI\-c\fP credentials_cache option is specified, -that ticket is used to authenticate to KADM5. -Otherwise, the \fI\-p\fP and \fI\-k\fP options are used to specify the client Kerberos principal name used to authenticate. -Once \fIkadmin\fP has determined the principal name, it requests a \fIkadmin/admin\fP Kerberos service ticket from the KDC, -and uses that service ticket to authenticate to KADM5. -.sp -If the database is db2, the local client \fIkadmin.local\fP is intended to run directly on the master KDC without Kerberos authentication. -The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load, -which is now provided by the \fIkdb5_util(8)\fP utility. -.sp -If the database is LDAP, \fIkadmin.local\fP need not be run on the KDC. -.sp -\fIkadmin.local\fP can be configured to log updates for incremental database propagation. -Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database. -This facility can be enabled in the \fIkdc.conf\fP file with the \fIiprop_enable\fP option. -See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters. -.SH OPTIONS -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fB\-r\fP \fIrealm\fP -.sp -Use \fIrealm\fP as the default database realm. -.TP -.B \fB\-p\fP \fIprincipal\fP -.sp -Use \fIprincipal\fP to authenticate. Otherwise, \fIkadmin\fP will append "/admin" to the primary principal name of the default ccache, the -value of the \fIUSER\fP environment variable, or the username as obtained with \fIgetpwuid\fP, in order of preference. 
-.TP -.B \fB\-k\fP -.sp -Use a \fIkeytab\fP to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the default principal -will be \fIhost/hostname\fP. If there is not a \fIkeytab\fP specified with the \fB\-t\fP option, then the default \fIkeytab\fP will be used. -.TP -.B \fB\-t\fP \fIkeytab\fP -.sp -Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option. -.TP -.B \fB\-n\fP -.sp -Requests anonymous processing. Two types of anonymous principals are supported. -For fully anonymous Kerberos, configure pkinit on the KDC and configure \fIpkinit_anchors\fP in the client\(aqs \fIkrb5.conf\fP. -Then use the \fI\-n\fP option with a principal of the form \fI@REALM\fP (an empty principal name followed by the at\-sign and a realm name). -If permitted by the KDC, an anonymous ticket will be returned. -A second form of anonymous tickets is supported; these realm\-exposed tickets hide the identity of the client but not the client\(aqs realm. -For this mode, use \fIkinit \-n\fP with a normal principal name. -If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. -As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation. -.TP -.B \fB\-c\fP \fIcredentials_cache\fP -.sp -Use \fIcredentials_cache\fP as the credentials cache. The \fIcredentials_cache\fP should contain a service ticket for the \fIkadmin/admin\fP service; -it can be acquired with the \fIkinit(1)\fP program. If this option is not specified, \fIkadmin\fP requests a new service ticket from -the KDC, and stores it in its own temporary ccache. -.TP -.B \fB\-w\fP \fIpassword\fP -.sp -Use \fIpassword\fP instead of prompting for one on the TTY. -.IP Note -. -Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if -unauthorized users gain read access to the script. 
-.RE -.TP -.B \fB\-q\fP \fIquery\fP -.sp -pass query directly to kadmin, which will perform query and then exit. This can be useful for writing scripts. -.TP -.B \fB\-d\fP \fIdbname\fP -.sp -Specifies the name of the Kerberos database. This option does not apply to the LDAP database. -.TP -.B \fB\-s\fP \fIadmin_server\fP [:port] -.sp -Specifies the admin server which \fIkadmin\fP should contact. -.UNINDENT -.sp -\fB\-m\fP Do not authenticate using a \fIkeytab\fP. This option will cause \fIkadmin\fP to prompt for the master database password. -.INDENT 0.0 -.TP -.B \fB\-e\fP enc:salt_list -.sp -Sets the list of encryption types and salt types to be used for any new keys created. -.UNINDENT -.sp -\fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor. -.sp -\fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor. -.INDENT 0.0 -.TP -.B \fB\-x\fP \fIdb_args\fP -.sp -Specifies the database specific arguments. -.sp -Options supported for LDAP database are: -.INDENT 7.0 -.TP -.B \fB\-x\fP host=<hostname> -.sp -specifies the LDAP server to connect to by a LDAP URI. -.TP -.B \fB\-x\fP binddn=<bind_dn> -.sp -specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the -read and write rights on the realm container, principal container and the subtree that is referenced by the realm. -.TP -.B \fB\-x\fP bindpwd=<bind_password> -.sp -specifies the password for the above mentioned binddn. It is recommended not to use this option. -Instead, the password can be stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP -.UNINDENT -.UNINDENT -.UNINDENT -.UNINDENT -.SH DATE FORMAT -.sp -Many of the \fIkadmin\fP commands take a duration or time as an argument. 
The date can appear in a wide variety of formats, such as: -.sp -.nf -.ft C -1 month ago -2 hours ago -400000 seconds ago -last year -this Monday -next Monday -yesterday -tomorrow -now -second Monday -fortnight ago -3/31/92 10:00:07 PST -January 23, 1987 10:05pm -22:00 GMT -.ft P -.fi -.sp -Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected. -In that case the time specifier will be interpreted as relative. -Specifying "ago" in a duration may result in unexpected behavior. -.sp -The following is a list of all of the allowable keywords. -.TS -center; -|l|l|. -_ -T{ -Months -T} T{ -january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec -T} -_ -T{ -Days -T} T{ -sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat -T} -_ -T{ -Units -T} T{ -year, month, fortnight, week, day, hour, minute, min, second, sec -T} -_ -T{ -Relative -T} T{ -tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago -T} -_ -T{ -Time Zones -T} T{ -kadmin recognizes abbreviations for most of the world\(aqs time zones. A complete listing appears in kadmin Time Zones. -T} -_ -T{ -12\-hour Time Delimiters -T} T{ -am, pm -T} -_ -.TE -.SH COMMANDS -.SS add_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBadd_principal\fP [options] \fInewprinc\fP -.sp -creates the principal \fInewprinc\fP, prompting twice for a password. If no policy is specified with the \fI\-policy\fP option, -and the policy named "default" exists, then that policy is assigned to the principal; -note that the assignment of the policy "default" only occurs automatically when a principal is first created, -so the policy "default" must already exist for the assignment to occur. 
-This assignment of "default" can be suppressed with the \fI\-clearpolicy\fP option. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fIadd\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Aliases: -.sp -.nf -.ft C -addprinc ank -.ft P -.fi -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-x\fP \fIdb_princ_args\fP -.INDENT 7.0 -.INDENT 3.5 -.sp -Denotes the database specific options. -.sp -The options for LDAP database are: -.INDENT 0.0 -.TP -.B \fB\-x\fP dn=<dn> -.sp -Specifies the LDAP object that will contain the Kerberos principal being created. -.TP -.B \fB\-x\fP linkdn=<dn> -.sp -Specifies the LDAP object to which the newly created Kerberos principal object will point to. -.TP -.B \fB\-x\fP containerdn=<container_dn> -.sp -Specifies the container object under which the Kerberos principal is to be created. -.TP -.B \fB\-x\fP tktpolicy=<policy> -.sp -Associates a ticket policy to the Kerberos principal. -.UNINDENT -.UNINDENT -.UNINDENT -.IP Note -.INDENT 7.0 -.IP \(bu 2 -. -\fIcontainerdn\fP and \fIlinkdn\fP options cannot be specified with dn option. -.IP \(bu 2 -. -If \fIdn\fP or \fIcontainerdn\fP options are not specified while adding the principal, the principals are created under the prinicipal container configured in the realm or the realm container. -.IP \(bu 2 -. -\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm. -.UNINDENT -.RE -.TP -.B \fB\-expire\fP \fIexpdate\fP -.sp -expiration date of the principal -.TP -.B \fB\-pwexpire\fP \fIpwexpdate\fP -.sp -password expiration date -.TP -.B \fB\-maxlife\fP \fImaxlife\fP -.sp -maximum ticket life for the principal -.TP -.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP -.sp -maximum renewable life of tickets for the principal -.TP -.B \fB\-kvno\fP \fIkvno\fP -.sp -explicitly set the key version number. -.TP -.B \fB\-policy\fP \fIpolicy\fP -.sp -policy used by this principal. 
-If no policy is supplied, then if the policy "default" exists and the \fI\-clearpolicy\fP is not also specified, -then the policy "default" is used; -otherwise, the principal will have no policy, and a warning message will be printed. -.TP -.B \fB\-clearpolicy\fP -.sp -\fI\-clearpolicy\fP prevents the policy "default" from being assigned when \fI\-policy\fP is not specified. -This option has no effect if the policy "default" does not exist. -.TP -.B {\- | +} \fBallow_postdated\fP -.sp -\fI\-allow_postdated\fP prohibits this principal from obtaining postdated tickets. -(Sets the \fIKRB5_KDB_DISALLOW_POSTDATED\fP flag.) \fI+allow_postdated\fP clears this flag. -.TP -.B {\- | +} \fBallow_forwardable\fP -.sp -\fI\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_FORWARDABLE\fP flag.) -\fI+allow_forwardable\fP clears this flag. -.TP -.B {\- | +} \fBallow_renewable\fP -.sp -\fI\-allow_renewable\fP prohibits this principal from obtaining renewable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_RENEWABLE\fP flag.) -\fI+allow_renewable\fP clears this flag. -.TP -.B {\- | +} \fBallow_proxiable\fP -.sp -\fI\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets. -(Sets the \fIKRB5_KDB_DISALLOW_PROXIABLE\fP flag.) -\fI+allow_proxiable\fP clears this flag. -.TP -.B {\- | +} \fBallow_dup_skey\fP -.sp -\fI\-allow_dup_skey\fP disables user\-to\-user authentication for this principal by prohibiting this principal from obtaining a -session key for another user. -(Sets the \fIKRB5_KDB_DISALLOW_DUP_SKEY\fP flag.) -\fI+allow_dup_skey\fP clears this flag. -.TP -.B {\- | +} \fBrequires_preauth\fP -.sp -\fI+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit. -(Sets the \fIKRB5_KDB_REQUIRES_PRE_AUTH\fP flag.) -\fI\-requires_preauth\fP clears this flag. 
-.TP -.B {\- | +} \fBrequires_hwauth\fP -.sp -\fI+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit. -(Sets the \fIKRB5_KDB_REQUIRES_HW_AUTH\fP flag.) -\fI\-requires_hwauth\fP clears this flag. -.TP -.B {\- | +} \fBok_as_delegate\fP -.sp -\fI+ok_as_delegate\fP sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service, -which clients may use as a hint that credentials can and should be delegated when authenticating to the service. -(Sets the \fIKRB5_KDB_OK_AS_DELEGATE\fP flag.) -\fI\-ok_as_delegate\fP clears this flag. -.TP -.B {\- | +} \fBallow_svr\fP -.sp -\fI\-allow_svr\fP prohibits the issuance of service tickets for this principal. -(Sets the \fIKRB5_KDB_DISALLOW_SVR\fP flag.) -\fI+allow_svr\fP clears this flag. -.TP -.B {\- | +} \fBallow_tgs_req\fP -.sp -\fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted. -This option is useless for most things. -\fI+allow_tgs_req\fP clears this flag. -The default is +allow_tgs_req. -In effect, \fI\-allow_tgs_req sets\fP the \fIKRB5_KDB_DISALLOW_TGT_BASED\fP flag on the principal in the database. -.TP -.B {\- | +} \fBallow_tix\fP -.sp -\fI\-allow_tix\fP forbids the issuance of any tickets for this principal. -\fI+allow_tix\fP clears this flag. -The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix\fP sets the \fIKRB5_KDB_DISALLOW_ALL_TIX\fP flag on the principal in the database. -.TP -.B {\- | +} \fBneedchange\fP -.sp -\fI+needchange\fP sets a flag in attributes field to force a password change; -\fI\-needchange\fP clears it. -The default is \fI\-needchange\fP. -In effect, \fI+needchange\fP sets the \fIKRB5_KDB_REQUIRES_PWCHANGE\fP flag on the principal in the database. 
-.TP -.B {\- | +} \fBpassword_changing_service\fP -.sp -\fI+password_changing_service\fP sets a flag in the attributes field marking this as a password change service principal -(useless for most things). -\fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name. -The default is \fI\-password_changing_service\fP. -In effect, \fI+password_changing_service\fP sets the \fIKRB5_KDB_PWCHANGE_SERVICE\fP flag on the principal in the database. -.TP -.B \fB\-randkey\fP -.sp -sets the key of the principal to a random value -.TP -.B \fB\-pw\fP \fIpassword\fP -.sp -sets the key of the principal to the specified string and does not prompt for a password. Note: using this option in a -shell script can be dangerous if unauthorized users gain read access to the script. -.TP -.B \fB\-e\fP "enc:salt ..." -.sp -uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if -there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: addprinc jennifer -WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU"; -defaulting to no policy. -Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password. -Re\-enter password for principal jennifer@ATHENA.MIT.EDU: <=Type it again. -Principal "jennifer@ATHENA.MIT.EDU" created. -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_ADD (requires "add" privilege) -KADM5_BAD_MASK (shouldn\(aqt happen) -KADM5_DUP (principal exists already) -KADM5_UNK_POLICY (policy does not exist) -KADM5_PASS_Q_* (password quality violations) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS modify_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBmodify_principal\fP [options] \fIprincipal\fP -.sp -Modifies the specified principal, changing the fields as specified. 
The options are as above for \fIadd_principal\fP, except that -password changing and flags related to password changing are forbidden by this command. -In addition, the option \fI\-clearpolicy\fP will clear the current policy of a principal. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fImodify\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -modprinc -.ft P -.fi -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-x\fP \fIdb_princ_args\fP -.sp -Denotes the database specific options. -.sp -The options for LDAP database are: -.INDENT 7.0 -.TP -.B \fB\-x\fP tktpolicy=<policy> -.sp -Associates a ticket policy to the Kerberos principal. -.TP -.B \fB\-x\fP linkdn=<dn> -.sp -Associates a Kerberos principal with a LDAP object. This option is honored only if the Kerberos principal is not -already associated with a LDAP object. -.UNINDENT -.TP -.B \fB\-unlock\fP -.sp -Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between -them according to its password policy) so that it can successfully authenticate. -.UNINDENT -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires "modify" privilege) -KADM5_UNK_PRINC (principal does not exist) -KADM5_UNK_POLICY (policy does not exist) -KADM5_BAD_MASK (shouldn\(aqt happen) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS delete_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdelete_principal\fP [ \fI\-force\fP ] \fIprincipal\fP -.sp -Deletes the specified \fIprincipal\fP from the database. This command prompts for deletion, unless the \fI\-force\fP option is given. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -This command requires the \fIdelete\fP privilege. 
-.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -delprinc -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_DELETE (requires "delete" privilege) -KADM5_UNK_PRINC (principal does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS change_password -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBchange_password\fP [options] \fIprincipal\fP -.sp -Changes the password of \fIprincipal\fP. Prompts for a new password if neither \fI\-randkey\fP or \fI\-pw\fP is specified. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIchangepw\fP privilege, or that the principal that is running the program to be the same as the one changed. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -cpw -.ft P -.fi -.sp -The following options are available: -.INDENT 7.0 -.TP -.B \fB\-randkey\fP -.sp -Sets the key of the principal to a random value -.TP -.B \fB\-pw\fP \fIpassword\fP -.sp -Set the password to the specified string. Not recommended. -.TP -.B \fB\-e\fP "enc:salt ..." -.sp -Uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if -there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2. -See \fISupported_Encryption_Types_and_Salts\fP for possible values. -.TP -.B \fB\-keepold\fP -.sp -Keeps the previous kvno\(aqs keys around. This flag is usually not necessary except perhaps for TGS keys. Don\(aqt use this -flag unless you know what you\(aqre doing. This option is not supported for the LDAP database. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: cpw systest -Enter password for principal systest@BLEEP.COM: -Re\-enter password for principal systest@BLEEP.COM: -Password for systest@BLEEP.COM changed. 
-kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires the modify privilege) -KADM5_UNK_PRINC (principal does not exist) -KADM5_PASS_Q_* (password policy violation errors) -KADM5_PADD_REUSE (password is in principal\(aqs password -history) -KADM5_PASS_TOOSOON (current password minimum life not -expired) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS purgekeys -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBpurgekeys\fP [\fI\-keepkvno oldest_kvno_to_keep\fP ] \fIprincipal\fP -.sp -Purges previously retained old keys (e.g., from \fIchange_password \-keepold\fP) from \fIprincipal\fP. -If \fB\-keepkvno\fP is specified, then only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP. -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_principal -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_principal\fP [\fI\-terse\fP] \fIprincipal\fP -.sp -Gets the attributes of principal. -With the \fB\-terse\fP option, outputs fields as quoted tab\-separated strings. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP privilege, or that the principal that is running the the program to be the same as the one being listed. 
-.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -getprinc -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: getprinc tlyu/admin -Principal: tlyu/admin@BLEEP.COM -Expiration date: [never] -Last password change: Mon Aug 12 14:16:47 EDT 1996 -Password expiration date: [none] -Maximum ticket life: 0 days 10:00:00 -Maximum renewable life: 7 days 00:00:00 -Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM) -Last successful authentication: [never] -Last failed authentication: [never] -Failed password attempts: 0 -Number of keys: 2 -Key: vno 1, DES cbc mode with CRC\-32, no salt -Key: vno 1, DES cbc mode with CRC\-32, Version 4 -Attributes: -Policy: [none] - - -kadmin: getprinc \-terse systest -systest@BLEEP.COM 3 86400 604800 1 -785926535 753241234 785900000 -tlyu/admin@BLEEP.COM 786100034 0 0 -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_GET (requires the get (inquire) privilege) -KADM5_UNK_PRINC (principal does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS list_principals -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_principals\fP [expression] -.sp -Retrieves all or some principal names. -Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. -All principal names matching the expression are printed. -If no expression is provided, all principal names are printed. -If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIlist\fP privilege. 
-.RE -.UNINDENT -.UNINDENT -.sp -Aliases: -.sp -.nf -.ft C -listprincs get_principals get_princs -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: listprincs test* -test3@SECURE\-TEST.OV.COM -test2@SECURE\-TEST.OV.COM -test1@SECURE\-TEST.OV.COM -testuser@SECURE\-TEST.OV.COM -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_strings -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_strings\fP \fIprincipal\fP -.sp -Displays string attributes on \fIprincipal\fP. -String attributes are used to supply per\-principal configuration to some KDC plugin modules. -.sp -Alias: -.sp -.nf -.ft C -getstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS set_string -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP -.sp -Sets a string attribute on \fIprincipal\fP. -.sp -Alias: -.sp -.nf -.ft C -setstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS del_string -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdel_string\fP \fIprincipal\fP \fIkey\fP -.sp -Deletes a string attribute from \fIprincipal\fP. -.sp -Alias: -.sp -.nf -.ft C -delstr -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS add_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBadd_policy\fP [options] \fIpolicy\fP -.sp -Adds the named \fIpolicy\fP to the policy database. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIadd\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -addpol -.ft P -.fi -.sp -The following options are available: -.INDENT 7.0 -.TP -.B \fB\-maxlife\fP \fItime\fP -.sp -sets the maximum lifetime of a password -.TP -.B \fB\-minlife\fP \fItime\fP -.sp -sets the minimum lifetime of a password -.TP -.B \fB\-minlength\fP \fIlength\fP -.sp -sets the minimum length of a password -.TP -.B \fB\-minclasses\fP \fInumber\fP -.sp -sets the minimum number of character classes allowed in a password -.TP -.B \fB\-history\fP \fInumber\fP -.sp -sets the number of past keys kept for a principal. 
This option is not supported for LDAP database -.TP -.B \fB\-maxfailure\fP \fImaxnumber\fP -.sp -sets the maximum number of authentication failures before the principal is locked. -Authentication failures are only tracked for principals which require preauthentication. -.TP -.B \fB\-failurecountinterval\fP \fIfailuretime\fP -.sp -sets the allowable time between authentication failures. -If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure, -the number of authentication failures is reset to 1. -.TP -.B \fB\-lockoutduration\fP \fIlockouttime\fP -.sp -sets the duration for which the principal is locked from authenticating if too many authentication failures occur without -the specified failure count interval elapsing. A duration of 0 means forever. -.UNINDENT -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_ADD (requires the add privilege) -KADM5_DUP (policy already exists) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS modify_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBmodify_policy\fP [options] \fIpolicy\fP -.sp -modifies the named \fIpolicy\fP. Options are as above for \fIadd_policy\fP. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fImodify\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -modpol -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_MODIFY (requires the modify privilege) -KADM5_UNK_POLICY (policy does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS delete_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBdelete_policy\fP [ \fI\-force\fP ] \fIpolicy\fP -.sp -deletes the named \fIpolicy\fP. Prompts for confirmation before deletion. -The command will fail if the policy is in use by any principals. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIdelete\fP privilege. 
-.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -delpol -.ft P -.fi -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: del_policy guests -Are you sure you want to delete the policy "guests"? -(yes/no): yes -kadmin: -.ft P -.fi -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_DELETE (requires the delete privilege) -KADM5_UNK_POLICY (policy does not exist) -KADM5_POLICY_REF (reference count on policy is not zero) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS get_policy -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP -.sp -displays the values of the named \fIpolicy\fP. -With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -getpol -.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: get_policy admin -Policy: admin -Maximum password life: 180 days 00:00:00 -Minimum password life: 00:00:00 -Minimum password length: 6 -Minimum number of password character classes: 2 -Number of old keys kept: 5 -Reference count: 17 - -kadmin: get_policy \-terse admin -admin 15552000 0 6 2 5 17 -kadmin: -.ft P -.fi -.sp -The \fIReference count\fP is the number of principals using that policy. -.sp -ERRORS: -.sp -.nf -.ft C -KADM5_AUTH_GET (requires the get privilege) -KADM5_UNK_POLICY (policy does not exist) -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS list_policies -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBlist_policies\fP [expression] -.sp -Retrieves all or some policy names. Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs. -All policy names matching the expression are printed. -If no expression is provided, all existing policy names are printed. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIlist\fP privilege. -.RE -.UNINDENT -.UNINDENT -.sp -Alias: -.sp -.nf -.ft C -listpols, get_policies, getpols. 
-.ft P -.fi -.sp -EXAMPLES: -.sp -.nf -.ft C -kadmin: listpols -test\-pol -dict\-only -once\-a\-min -test\-pol\-nopw - -kadmin: listpols t* -test\-pol -test\-pol\-nopw -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS ktadd -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBktadd\fP [[\fIprincipal\fP | \fB\-glob\fP \fIprinc\-exp\fP] -.sp -Adds a \fIprincipal\fP or all principals matching \fIprinc\-exp\fP to a keytab file. -It randomizes each principal\(aqs key in the process, to prevent a compromised admin account from reading out all of the keys from the database. -The rules for principal expression are the same as for the \fIkadmin\fP \fI\%list_principals\fP command. -.INDENT 7.0 -.INDENT 3.5 -.IP Note -. -Requires the \fIinquire\fP and \fIchangepw\fP privileges. -.sp -If you use the \fI\-glob\fP option, it also requires the \fIlist\fP administrative privilege. -.RE -.UNINDENT -.UNINDENT -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-k[eytab]\fP \fIkeytab\fP -.sp -Use \fIkeytab\fP as the keytab file. Otherwise, \fIktadd\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). -.TP -.B \fB\-e\fP \fI"enc:salt..."\fP -.sp -Use the specified list of enctype\-salttype pairs for setting the key of the principal. -The enctype\-salttype pairs may be delimited with commas or whitespace. -The quotes are necessary for whitespace\-delimited list. -If this option is not specified, then \fIsupported_enctypes\fP from \fIkrb5.conf\fP will be used. -See \fISupported_Encryption_Types_and_Salts\fP for all possible values. -.TP -.B \fB\-q\fP -.sp -Run in quiet mode. This causes \fIktadd\fP to display less verbose information. -.TP -.B \fB\-norandkey\fP -.sp -Do not randomize the keys. The keys and their version numbers stay unchanged. -That allows users to continue to use the passwords they know to login normally, -while simultaneously allowing scripts to login to the same account using a \fIkeytab\fP. 
-There is no significant security risk added since \fIkadmin.local\fP must be run by root on the KDC anyway. -This option is only available in \fIkadmin.local\fP and cannot be specified in combination with \fI\-e\fP option. -.UNINDENT -.IP Note -. -An entry for each of the principal\(aqs unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types. -.RE -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu -Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with - kvno 3, encryption type DES\-CBC\-CRC added to keytab - WRFILE:/tmp/foo\-new\-keytab -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SS ktremove -.INDENT 0.0 -.INDENT 3.5 -.INDENT 0.0 -.TP -.B \fBktremove\fP \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP] -.sp -Removes entries for the specified \fIprincipal\fP from a keytab. Requires no permissions, since this does not require database access. -.sp -If the string "all" is specified, all entries for that principal are removed; -if the string "old" is specified, all entries for that principal except those with the highest kvno are removed. -Otherwise, the value specified is parsed as an integer, and all entries whose \fIkvno\fP match that integer are removed. -.sp -The options are: -.INDENT 7.0 -.TP -.B \fB\-k[eytab]\fP \fIkeytab\fP -.sp -Use keytab as the keytab file. Otherwise, \fIktremove\fP will use the default keytab file (\fI/etc/krb5.keytab\fP). -.TP -.B \fB\-q\fP -.sp -Run in quiet mode. This causes \fIktremove\fP to display less verbose information. -.UNINDENT -.sp -EXAMPLE: -.sp -.nf -.ft C -kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all -Entry for principal kadmin/admin with kvno 3 removed - from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab. -kadmin: -.ft P -.fi -.UNINDENT -.UNINDENT -.UNINDENT -.SH FILES -.IP Note -. -The first three files are specific to db2 database. -.RE -.TS -center; -|l|l|. 
-_ -T{ -principal.db -T} T{ -default name for Kerberos principal database -T} -_ -T{ -<dbname>.kadm5 -T} T{ -KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information. -T} -_ -T{ -<dbname>.kadm5.lock -T} T{ -Lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., \fIkadmin\fP will exit with an error if this file does not exist. -T} -_ -T{ -kadm5.acl -T} T{ -File containing list of principals and their \fIkadmin\fP administrative privileges. See kadmind(8) for a description. -T} -_ -T{ -kadm5.keytab -T} T{ -\fIkeytab\fP file for \fIkadmin/admin\fP principal. -T} -_ -T{ -kadm5.dict -T} T{ -file containing dictionary of strings explicitly disallowed as passwords. -T} -_ -.TE -.SH HISTORY -.sp -The \fIkadmin\fP program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. -.SH SEE ALSO -.sp -kerberos(1), kpasswd(1), kadmind(8) -.SH AUTHOR -MIT -.SH COPYRIGHT -2011, MIT -.\" Generated by docutils manpage writer. -. |
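Review bot: this hunk removes the whole generated kadmin(1) page with no replacement visible, and because the view is limited to src/man/kadmin.1 the reviewer cannot tell from this diff alone whether a kadmin(1) page is still produced and installed; please confirm that the same commit also updates the man-page build and install rules so the page is regenerated from its source rather than silently dropped. The deleted file's own comments (`.\" Man page generated from reStructeredText.` and `.\" Generated by docutils manpage writer.`) identify it as rst2man output, so what should remain in the tree is the reStructuredText source plus the rule that runs rst2man over it, not a checked-in copy of the result. Also worth checking that the pages the deleted SEE ALSO line names (kerberos(1), kpasswd(1), kadmind(8)) and any install manifest do not still reference this path.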