kadmin [-r _realm_] [[-p _principal_] [-k _keytab_]] [-q _query_]
If given the -p option, kadmin will use the specified
principal to authenticate. If the -p option is not given,
kadmin will default to appending "/admin" to the first component
of the default principal of the default credentials cache. If
the default credentials cache does not exist, then kadmin will
default to $USER/admin (if the environment variable USER is
set). If $USER is not set, then the first component of the
principal will be the username as obtained from
getpwnam(getuid()). If given -k, kadmin will not prompt for a
password, but rather use the specified keytab. Also, if the
-k option is given, the default principal will be the
host/hostname. If -r is present, then kadmin will use the
specified realm as the default database realm rather than the
default realm for the local machine. Upon starting up, kadmin
will prompt for a password (unless the -k option has been
given). The program will then obtain tickets for
ovsec_admin/admin in the default realm (unless -r has been
specified, in which case it will use the specified realm).
The ticket is stored in a separate ccache. The lifetime for
these tickets is 5 minutes.
The -q option allows the passing of a request directly to
kadmin, which will then exit. This can be useful for writing
scripts. The query provided must be quoted as a single
argument to the program if there is more than one word in it.
DATE FORMAT
Various commands in kadmin can take a variety of date formats,
specifying durations or absolute times. Examples of valid
formats are:
1 month ago
2 hours ago
400000 seconds ago
last year
last Monday
yesterday
a fortnight ago
3/31/92 10:00:07 PST
January 23, 1987 10:05pm
22:00 GMT
Dates which do not have the "ago" specifier default to being
absolute dates, unless they appear in a field where a duration
is expected. In that case the time specifier will be
interpreted as relative. Specifying "ago" on a duration may
result in unexpected behaviour. The format follows that of
the public-domain "getdate" package. All date parameters must
be provided as a single word, which means that they must be
double-quoted if there are any spaces.
COMMAND DESCRIPTIONS
add_principal [options] _newprinc_
creates the principal _newprinc_, prompting twice for a
password. This command requires the "add" privilege. This
command has the aliases "addprinc", "ank".
OPTIONS
-expire _expdate_
expiration date of the principal
-pwexpire _pwexpdate_
password expiration date
-maxlife _maxlife_
maximum ticket life of the principal
-kvno _kvno_
explicitly set the key version number. This is not
recommended.
-policy _policy_
policy used by this principal. If no policy is
supplied, the principal will default to having no
policy, and a warning message will be printed.
{-|+}allow_tgs_req
"-allow_tgs_req" specifies that a TGS request for a
service ticket for this principal is not permitted; such
a ticket can then only be obtained directly from the AS.
This option is useless for most things.
"+allow_tgs_req" clears this flag. The default is
"+allow_tgs_req". In effect, "-allow_tgs_req" sets
the KRB5_KDB_DISALLOW_TGT_BASED flag on the principal
in the database.
{-|+}allow_tix
"-allow_tix" forbids the issuance of any tickets for
this principal. "+allow_tix" clears this flag. The
default is "+allow_tix". In effect, "-allow_tix" sets
the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in
the database.
{-|+}needchange
"+needchange" sets a flag in attributes field to force
a password change; "-needchange" clears it. The
default is "-needchange". In effect, "+needchange"
sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the
principal in the database.
{-|+}password_changing_service
"+password_changing_service" sets a flag in the
attributes field marking this as a password change
service principal (useless for most things).
"-password_changing_service" clears the flag. This
flag intentionally has a long name. The default is
"-password_changing_service". In effect,
"+password_changing_service" sets the
KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
database.
-randkey
sets the key of the principal to a random value
-pw _password_
sets the key of the principal to the specified string
and does not prompt for a password. This is not
recommended: the password then appears on the command
line, and in any shell history or script that carries it.
EXAMPLE
kadmin: addprinc tlyu/deity
WARNING: no policy specified for "tlyu/deity@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal tlyu/deity@ATHENA.MIT.EDU:
Re-enter password for principal tlyu/deity@ATHENA.MIT.EDU:
Principal "tlyu/deity@ATHENA.MIT.EDU" created.
kadmin:
ERRORS
OVSEC_KADM_AUTH_ADD (requires "add" privilege)
OVSEC_KADM_DUP (principal exists already)
OVSEC_KADM_UNK_POLICY (policy does not exist)
OVSEC_KADM_PASS_Q_* (password quality violations)
delete_principal [-force] _principal_
deletes the specified principal from the database. This
command prompts for deletion, unless the "-force" option is
given. This command requires the "delete" privilege. Aliased
to "delprinc".
EXAMPLE
kadmin: delprinc testuser
Are you sure you want to delete the principal
"testuser@ATHENA.MIT.EDU"? (yes/no): yes
Principal "testuser@ATHENA.MIT.EDU" deleted.
Make sure that you have removed this principal from
all ACLs before reusing.
kadmin:
ERRORS
OVSEC_KADM_AUTH_DELETE (requires "delete" privilege)
OVSEC_KADM_UNK_PRINC (principal does not exist)
modify_principal [options] _principal_
modifies the specified principal, changing the fields as
specified. The options are as above for "add_principal",
except that password changing is forbidden by this command.
In addition, the option "-clearpolicy" will clear the
current policy of a principal. This command requires the
"modify" privilege. Aliased to "modprinc".
ERRORS
OVSEC_KADM_AUTH_MODIFY (requires "modify" privilege)
OVSEC_KADM_UNK_PRINC (principal does not exist)
OVSEC_KADM_UNK_POLICY (policy does not exist)
OVSEC_KADM_BAD_MASK (shouldn't happen)
rename_principal [-force] _old_ _new_
rename the principal _old_ to _new_. Prompts for
confirmation, unless the "-force" option is given. Requires
both the "add" and "delete" privileges. Aliased to
"renprinc".
EXAMPLE
kadmin: renprinc tlyutest test0
Are you sure you want to rename the principal
"tlyutest@ATHENA.MIT.EDU" to
"test0@ATHENA.MIT.EDU"? (yes/no): yes
Principal "tlyutest@ATHENA.MIT.EDU" renamed to
"test0@ATHENA.MIT.EDU".
Make sure that you have removed "tlyutest@ATHENA.MIT.EDU" from
all ACLs before reusing.
kadmin:
ERRORS
OVSEC_KADM_AUTH_ADD (requires "add" privilege)
OVSEC_KADM_AUTH_DELETE (requires "delete" privilege)
OVSEC_KADM_UNK_PRINC (source principal does not exist)
OVSEC_KADM_DUP (target principal already exists)
change_password [options] _principal_
changes the password of _principal_. Prompts for a new
password if neither -randkey nor -pw is specified. Requires
the "modify" privilege, or that the principal running the
program be the same as the one whose password is changed.
Aliased to "cpw".
OPTIONS
-randkey
sets the key of the principal to a random value
-pw _password_
set the password to the specified string. Not
recommended.
EXAMPLE
kadmin: cpw systest
Enter password for principal systest@ATHENA.MIT.EDU:
Re-enter password for principal systest@ATHENA.MIT.EDU:
Password for systest@ATHENA.MIT.EDU changed.
kadmin:
ERRORS
OVSEC_KADM_AUTH_MODIFY (requires the modify privilege)
OVSEC_KADM_UNK_PRINC (principal does not exist)
OVSEC_KADM_PASS_Q_* (password policy violation errors)
OVSEC_KADM_PASS_REUSE (password is in principal's password
history)
OVSEC_KADM_PASS_TOOSOON (current password minimum life not
expired)
get_principal [-terse] _principal_
gets the attributes of _principal_. Requires the "get"
privilege, or that the principal running the program be
the same as the one being listed. With the "-terse"
option, outputs the fields as tab-separated strings. Any
string fields get double-quoted. Alias "getprinc".
EXAMPLES
kadmin: getprinc tlyu/deity
Principal: tlyu/deity@ATHENA.MIT.EDU
Key version: 3
Maximum life: 1 day 00:00:00
Maximum renewable life: 7 days 00:00:00
Master key version: 1
Expires: Mon Jan 18 22:14:07 EDT 2038
Password expires: Mon Sep 19 14:40:00 EDT 1994
Password last changed: Mon Jan 31 02:06:40 EDT 1994
Last modified: by tlyu/admin@ATHENA.MIT.EDU
on Wed Jul 13 18:27:08 EDT 1994
Attributes: DISALLOW_FORWARDABLE, DISALLOW_PROXIABLE,
REQUIRES_HW_AUTH
Salt type: DEFAULT
kadmin: getprinc -terse systest
"systest@ATHENA.MIT.EDU" 3 86400 604800
1 785926535 753241234 785900000
"tlyu/admin@ATHENA.MIT.EDU" 786100034 0 0
kadmin:
ERRORS
OVSEC_KADM_AUTH_GET (requires the get privilege)
OVSEC_KADM_UNK_PRINC (principal does not exist)
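The -q form described in the synopsis and the -terse output above are what a script would combine to audit a realm's principals. The following is an added example, not code from this spec or from kadmin itself: it builds the argv for a non-interactive kadmin run (so the query stays a single argument), parses getprinc -terse lines, and reports locked, expired and change-pending principals. The field order of the terse output is assumed to follow the verbose listing, the numeric values of the KRB5_KDB_* flags come from MIT krb5's kdb.h rather than from this page, a zero timestamp is assumed to mean "never", and the sample lines, realm and principal names are constructed.

```python
import shlex

# Bit values of the KRB5_KDB_* attribute flags this spec names, taken from
# MIT krb5's kdb.h (assumption: the spec itself gives no numeric values).
KRB5_KDB_DISALLOW_TGT_BASED = 0x00000004
KRB5_KDB_DISALLOW_ALL_TIX = 0x00000040
KRB5_KDB_REQUIRES_PWCHANGE = 0x00000200
KRB5_KDB_PWCHANGE_SERVICE = 0x00002000

FLAG_NAMES = {
    KRB5_KDB_DISALLOW_TGT_BASED: "DISALLOW_TGT_BASED",
    KRB5_KDB_DISALLOW_ALL_TIX: "DISALLOW_ALL_TIX",
    KRB5_KDB_REQUIRES_PWCHANGE: "REQUIRES_PWCHANGE",
    KRB5_KDB_PWCHANGE_SERVICE: "PWCHANGE_SERVICE",
}

# Field order of "getprinc -terse": assumed to follow the verbose listing
# (principal, kvno, max life, max renewable life, master kvno, expiry,
# password expiry, last password change, modifier, mod time, attributes,
# salt type).  Timestamps are seconds since the epoch.
TERSE_FIELDS = ("principal", "kvno", "max_life", "max_renewable_life",
                "mkvno", "expires", "pw_expires", "pw_last_change",
                "mod_by", "mod_date", "attributes", "salt_type")
STRING_FIELDS = ("principal", "mod_by")


def kadmin_argv(query, principal=None, keytab=None, realm=None):
    """argv for a non-interactive run.  -q takes the whole query as ONE
    argument, so it is one list element and is never re-split by a shell;
    -k names a keytab, as the synopsis above describes."""
    argv = ["kadmin"]
    if realm:
        argv += ["-r", realm]
    if principal:
        argv += ["-p", principal]
    if keytab:
        argv += ["-k", keytab]
    return argv + ["-q", query]


def parse_terse_principal(line):
    """Parse one line of getprinc -terse output into a dict."""
    tokens = shlex.split(line)   # keeps each double-quoted field as one token
    if len(tokens) != len(TERSE_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(TERSE_FIELDS), len(tokens)))
    rec = dict(zip(TERSE_FIELDS, tokens))
    for name in TERSE_FIELDS:
        if name not in STRING_FIELDS:
            rec[name] = int(rec[name])
    return rec


def flag_names(attributes):
    """Names (lowest bit first) of the known flags set in an attributes word."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if attributes & bit]


def audit_principal(rec, now):
    """Findings for one record; an empty list means nothing to report.
    Assumption: a zero timestamp means 'never', as kadmin prints it."""
    findings = []
    names = flag_names(rec["attributes"])
    if "DISALLOW_ALL_TIX" in names:
        findings.append("locked (DISALLOW_ALL_TIX)")
    if "REQUIRES_PWCHANGE" in names:
        findings.append("password change pending (REQUIRES_PWCHANGE)")
    if rec["expires"] and rec["expires"] < now:
        findings.append("principal expired")
    if rec["pw_expires"] == 0:
        findings.append("password never expires")
    elif rec["pw_expires"] < now:
        findings.append("password expired")
    return findings


def audit_lines(lines, now):
    """Map principal name -> findings for a batch of -terse lines."""
    return {rec["principal"]: audit_principal(rec, now)
            for rec in map(parse_terse_principal, lines)}


# Constructed sample output (tab-separated, as the spec describes); the realm
# and principal names are made up and do not come from any real KDC.
SAMPLE = [
    '"alice@EXAMPLE.COM"\t3\t86400\t604800\t1\t0\t800000000\t790000000\t'
    '"admin/admin@EXAMPLE.COM"\t790000000\t0\t0',
    '"svc/build@EXAMPLE.COM"\t2\t86400\t604800\t1\t0\t0\t790000000\t'
    '"admin/admin@EXAMPLE.COM"\t790000000\t64\t0',
    '"bob@EXAMPLE.COM"\t1\t86400\t604800\t1\t0\t900000000\t790000000\t'
    '"admin/admin@EXAMPLE.COM"\t790000000\t512\t0',
]

if __name__ == "__main__":
    print(shlex.join(kadmin_argv("getprinc -terse alice",
                                 principal="admin/admin",
                                 keytab="/etc/krb5.keytab")))
    for princ, findings in audit_lines(SAMPLE, now=850000000).items():
        print("%-28s %s" % (princ, "; ".join(findings) or "ok"))
```

In a real run the lines fed to audit_lines would be the stdout of one kadmin_argv(...) invocation per principal, authenticated with -k so the script never handles a password; the attribute word is what distinguishes a deliberately locked principal (DISALLOW_ALL_TIX) from one that merely needs a password change.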
add_policy [options] _policy_
adds the named policy to the policy database. Requires the
"add" privilege. Aliased to "addpol".
OPTIONS
-maxlife _time_
sets the maximum lifetime of a password
-minlife _time_
sets the minimum lifetime of a password
-minlength _length_
sets the minimum length of a password
-minclasses _number_
sets the minimum number of character classes allowed
in a password
-history _number_
sets the number of past keys kept for a principal
ERRORS
OVSEC_KADM_AUTH_ADD (requires the add privilege)
OVSEC_KADM_DUP (policy already exists)
delete_policy _policy_
deletes the named policy. Prompts for confirmation before
deletion. The command will fail if the policy is in use by
any principals. Requires the "delete" privilege. Alias
"delpol".
EXAMPLE
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
(yes/no): yes
Policy "guests" deleted.
kadmin:
ERRORS
OVSEC_KADM_AUTH_DELETE (requires the delete privilege)
OVSEC_KADM_UNK_POLICY (policy does not exist)
OVSEC_KADM_POLICY_REF (reference count on policy is not zero)
modify_policy [options] _policy_
modifies the named policy. Options are as above for
"add_policy". Requires the "modify" privilege. Alias
"modpol".
ERRORS
OVSEC_KADM_AUTH_MODIFY (requires the modify privilege)
OVSEC_KADM_UNK_POLICY (policy does not exist)
get_policy [-terse] _policy_
displays the values of the named policy. Requires the "get"
privilege. With the "-terse" flag, outputs the fields as
strings separated by tabs. All string fields get
double-quoted. Alias "getpol".
EXAMPLES
kadmin: get_policy admin
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
kadmin: get_policy -terse admin
"admin" 15552000 0 6 2 5 17
kadmin:
ERRORS
OVSEC_KADM_AUTH_GET (requires the get privilege)
OVSEC_KADM_UNK_POLICY (policy does not exist)
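The add_policy options and the get_policy -terse line above describe what a policy enforces at change_password time without showing the checks themselves. The following is an added example, not code from this spec or from kadmin: it parses get_policy -terse output and applies the minlength, minclasses, history and minlife rules to a candidate password, naming violations after the error names listed for change_password. The terse field order is assumed to follow the verbose listing, the character-class definition (lowercase, uppercase, digits, punctuation, other) is an assumption the spec does not state, the history window is assumed to include the current password, and the "strict" policy line is constructed.

```python
import shlex
import string

# Field order of "get_policy -terse", assumed to follow the verbose listing:
# name, max password life, min password life, min length, min classes,
# number of old keys kept, reference count.  Lifetimes are in seconds.
POLICY_FIELDS = ("name", "maxlife", "minlife", "minlength", "minclasses",
                 "history", "refcount")


def parse_terse_policy(line):
    """Parse one line of get_policy -terse output into a dict."""
    tokens = shlex.split(line)   # the quoted name becomes a single token
    if len(tokens) != len(POLICY_FIELDS):
        raise ValueError("expected %d fields, got %d"
                         % (len(POLICY_FIELDS), len(tokens)))
    pol = dict(zip(POLICY_FIELDS, tokens))
    for name in POLICY_FIELDS[1:]:
        pol[name] = int(pol[name])
    return pol


def char_classes(password):
    """Number of distinct character classes in a password.  Assumption (the
    spec does not define the classes): lowercase, uppercase, digits,
    punctuation and everything else each count as one class."""
    seen = set()
    for ch in password:
        if ch.islower():
            seen.add("lower")
        elif ch.isupper():
            seen.add("upper")
        elif ch.isdigit():
            seen.add("digit")
        elif ch in string.punctuation:
            seen.add("punct")
        else:
            seen.add("other")
    return len(seen)


def check_password(policy, password, history, last_change, now):
    """Violations a change_password under this policy would raise, named
    after the errors listed above.  `history` is the principal's stored
    passwords, newest last, standing in for the key history; `last_change`
    and `now` are epoch seconds.  Assumption: the history window of
    `history` entries includes the current password."""
    errors = []
    if len(password) < policy["minlength"]:
        errors.append("OVSEC_KADM_PASS_Q_* (shorter than minlength)")
    if char_classes(password) < policy["minclasses"]:
        errors.append("OVSEC_KADM_PASS_Q_* (fewer than minclasses classes)")
    if policy["history"] and password in history[-policy["history"]:]:
        errors.append("OVSEC_KADM_PASS_REUSE")
    if policy["minlife"] and now - last_change < policy["minlife"]:
        errors.append("OVSEC_KADM_PASS_TOOSOON")
    return errors


def password_expiry(policy, changed_at):
    """Password expiry a successful change would record: changed_at plus
    maxlife, or 0 (never) when the policy sets no maximum life."""
    return changed_at + policy["maxlife"] if policy["maxlife"] else 0


# "admin" is the spec's own get_policy -terse example (15552000 s = 180 days);
# "strict" is a constructed policy used to show minlife enforcement.
ADMIN = parse_terse_policy('"admin" 15552000 0 6 2 5 17')
STRICT = parse_terse_policy('"strict" 7776000 86400 12 3 10 0')

if __name__ == "__main__":
    cases = [
        (ADMIN, "abc", [], 0, 1000),
        (ADMIN, "hunter2", ["hunter2"], 0, 1000),
        (STRICT, "Correct-Horse9", ["old"], 900, 1000),
        (ADMIN, "Correct-Horse9", [], 0, 1000),
    ]
    for pol, pw, hist, last, now in cases:
        print(pol["name"], repr(pw),
              check_password(pol, pw, hist, last, now) or "ok")
```

The reference count field is what delete_policy checks before refusing with OVSEC_KADM_POLICY_REF: with refcount 17 the "admin" policy above could not be deleted until those principals were moved to another policy or cleared with modprinc -clearpolicy.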
get_privs
returns the administrative privileges of the current user.
Alias "getprivs".
EXAMPLE
kadmin: get_privs
Principal tlyu/admin@ATHENA.MIT.EDU
has privileges: GET, ADD, MODIFY, DELETE, CHSTAB
kadmin:
OPEN POINTS
Implementation will most likely be in tcl, which implies that
scripts can be written to be run directly by kadmin. This
will require some more spec'ing out.
get_srvtab is being pulled out into a separate program, to be
spec'ed out and documented at a later time.
----------------------------------------------------------------------------
get_srvtab [-v4] [-file _name_] {_principal..._}|{-host _host_ _service..._}
Creates a srvtab (a krb4 srvtab if -v4 is specified). If
given a list of principals, randomizes the keys for the
principals named, creating them if necessary, and stores the
keys in the new srvtab. If -host is given, then the named service
principals are randomized/created for the named host and
placed in the new srvtab. The naming convention for the files
is hostname-new-srvtab if -host is given, overwriting anything
previously in such a file. If -host is not given, then the
filename defaults to the principal-new-srvtab, using only the
first component of the principal name.
If the principals need to be created, the command will prompt
for confirmation. This command requires the "chstab"
privilege, and only certain service names can be obtained this
way. (The services are specified in a configuration file on
the server.) In addition, certain hosts may be excluded from
this command. The "modify" privilege is necessary in order to
use this command on arbitrary principals.
This command is aliased to "gst"
EXAMPLE
kadmin: get_srvtab -host dragons-lair host rvdsrv discuss
WARNING: hostname canonicalized to "dragons-lair.mit.edu"
Principal "host/dragons-lair.mit.edu@ATHENA.MIT.EDU"
updated to kvno 3.
WARNING: principal
"rvdsrv/dragons-lair.mit.edu@ATHENA.MIT.EDU"
does not exist. Create? (y/n): y
Created principal
"rvdsrv/dragons-lair.mit.edu@ATHENA.MIT.EDU".
Principal "discuss/dragons-lair.mit.edu@ATHENA.MIT.EDU"
updated to kvno 3.
Wrote keytab "WRFILE:dragons-lair-new-srvtab".
kadmin:
ERRORS
"Operation requires the chstab privilege"
"Operation requires the modify privilege"