kadmin man page on aLinux

Man page or keyword search:  
man Server   7435 pages
apropos Keyword Search (all sections)
Output format
aLinux logo
[printable version]

KADMIN(8)							     KADMIN(8)

NAME
       kadmin - Kerberos V5 database administration program

SYNOPSYS
       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
	      [[-c cache_name] | [-k [-t keytab]]] [-w password] [-s
	      admin_server[:port]

       kadmin.local    [-r realm] [-p principal] [-q query]
		       [-d dbname] [-e "enc:salt ..."] [-m]

DESCRIPTION
       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
       KADM5  administration  system.	Both  kadmin  and kadmin.local provide
       identical functionalities; the difference is that kadmin.local runs  on
       the  master  KDC and does not use Kerberos to authenticate to the data‐
       base.  Except as explicitly noted otherwise, this  man  page  will  use
       kadmin  to refer to both versions.  kadmin provides for the maintenance
       of  Kerberos  principals,  KADM5	 policies,  and	 service  key	tables
       (keytabs).

       The  remote  version uses Kerberos authentication and an encrypted RPC,
       to operate securely from anywhere on the network.  It authenticates  to
       the KADM5 server using the service principal kadmin/admin.  If the cre‐
       dentials cache contains a ticket for the	 kadmin/admin  principal,  and
       the  -c	credentials_cache  option is specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options	 are  used  to
       specify	the client Kerberos principal name used to authenticate.  Once
       kadmin has determined the principal name, it  requests  a  kadmin/admin
       Kerberos	 service  ticket from the KDC, and uses that service ticket to
       authenticate to KADM5.

       The local client kadmin.local, is intended to run directly on the  mas‐
       ter  KDC	 without  Kerberos authentication.  The local version provides
       all of the functionality of the now obsolete kdb5_edit(8),  except  for
       database dump and load, which is now provided by the kdb5_util(8) util‐
       ity.

OPTIONS
       -r realm
	      Use realm as the default database realm.

       -p principal
	      Use principal to authenticate.  Otherwise,  kadmin  will	append
	      "/admin"	to  the	 primary principal name of the default ccache,
	      the value of the USER environment variable, or the  username  as
	      obtained with getpwuid, in order of preference.

       -k     Use  a  keytab  to decrypt the KDC response instead of prompting
	      for a password on the TTY.  In this case, the default  principal
	      will  be host/hostname.  If there is not a keytab specified with
	      the -t option, then the default keytab will be used.

       -t keytab
	      Use keytab to decrypt the KDC response.  This can only  be  used
	      with the -k option.

       -c credentials_cache
	      Use  credentials_cache  as  the  credentials cache.  The creden‐
	      tials_cache should contain a service ticket for the kadmin/admin
	      service;	it can be acquired with the kinit(1) program.  If this
	      option is not specified, kadmin requests a  new  service	ticket
	      from the KDC, and stores it in its own temporary ccache.

       -w password
	      Use  password  instead  of  prompting for one on the TTY.	 Note:
	      placing the password for a Kerberos principal  with  administra‐
	      tion access into a shell script can be dangerous if unauthorized
	      users gain read access to the script.

       -q query
	      pass query directly to kadmin, which will perform query and then
	      exit.  This can be useful for writing scripts.

       -d dbname
	      Specifies the name of the Kerberos database.

       -s admin_server[:port]
	      Specifies the admin server which kadmin should contact.

       -m     Do not authenticate using a keytab.  This option will cause kad‐
	      min to prompt for the master database password.

       -e enc:salt_list
	      Sets the list of encryption types and salt types to be used  for
	      any new keys created.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

DATE FORMAT
       Various commands in kadmin can take a variety of date formats, specify‐
       ing durations or absolute times.	 Examples of valid formats are:

	      1 month ago
	      2 hours ago
	      400000 seconds ago
	      last year
	      this Monday
	      next Monday
	      yesterday
	      tomorrow
	      now
	      second Monday
	      a fortnight ago
	      3/31/92 10:00:07 PST
	      January 23, 1987 10:05pm
	      22:00 GMT

       Dates which do not have the "ago" specifier default to  being  absolute
       dates,  unless they appear in a field where a duration is expected.  In
       that case the time specifier will be interpreted as relative.  Specify‐
       ing "ago" in a duration may result in unexpected behavior.

COMMANDS
       add_principal [options] newprinc
	      creates  the principal newprinc, prompting twice for a password.
	      If no policy is specified with the -policy option, and the  pol‐
	      icy  named "default" exists, then that policy is assigned to the
	      principal; note that the assignment of the policy "default" only
	      occurs  automatically  when a principal is first created, so the
	      policy "default" must already exist for the assignment to occur.
	      This  assignment of "default" can be suppressed with the -clear‐
	      policy option.  This command requires the add  privilege.	  This
	      command has the aliases addprinc and ank.	 The options are:

	      -expire expdate
		     expiration date of the principal

	      -pwexpire pwexpdate
		     password expiration date

	      -maxlife maxlife
		     maximum ticket life for the principal

	      -maxrenewlife maxrenewlife
		     maximum renewable life of tickets for the principal

	      -kvno kvno
		     explicity set the key version number.

	      -policy policy
		     policy used by this principal.  If no policy is supplied,
		     then if the policy "default" exists and the  -clearpolicy
		     is not also specified, then the policy "default" is used;
		     otherwise, the principal will have no policy, and a warn‐
		     ing message will be printed.

	      -clearpolicy
		     -clearpolicy  prevents  the  policy  "default" from being
		     assigned when -policy is not specified.  This option  has
		     no effect if the policy "default" does not exist.

	      {-|+}allow_postdated
		     -allow_postdated  prohibits this principal from obtaining
		     postdated tickets.	 (Sets the KRB5_KDB_DISALLOW_POSTDATED
		     flag.)  +allow_postdated clears this flag.

	      {-|+}allow_forwardable
		     -allow_forwardable	 prohibits this principal from obtain‐
		     ing  forwardable  tickets.	  (Sets	 the   KRB5_KDB_DISAL‐
		     LOW_FORWARDABLE  flag.)   +allow_forwardable  clears this
		     flag.

	      {-|+}allow_renewable
		     -allow_renewable prohibits this principal from  obtaining
		     renewable tickets.	 (Sets the KRB5_KDB_DISALLOW_RENEWABLE
		     flag.)  +allow_renewable clears this flag.

	      {-|+}allow_proxiable
		     -allow_proxiable prohibits this principal from  obtaining
		     proxiable tickets.	 (Sets the KRB5_KDB_DISALLOW_PROXIABLE
		     flag.)  +allow_proxiable clears this flag.

	      {-|+}allow_dup_skey
		     -allow_dup_skey Disables user-to-user authentication  for
		     this principal by prohibiting this principal from obtain‐
		     ing  a  session  key  for	another	  user.	   (Sets   the
		     KRB5_KDB_DISALLOW_DUP_SKEY flag.)	+allow_dup_skey clears
		     this flag.

	      {-|+}requires_preauth
		     +requires_preauth requires this principal to preauthenti‐
		     cate   before   being   allowed   to  kinit.   (Sets  the
		     KRB5_KDB_REQUIRES_PRE_AUTH	  flag.)     -requires_preauth
		     clears this flag.

	      {-|+}requires_hwauth
		     +requires_hwauth  requires this principal to preauthenti‐
		     cate using a hardware  device  before  being  allowed  to
		     kinit.    (Sets   the   KRB5_KDB_REQUIRES_HW_AUTH	flag.)
		     -requires_hwauth clears this flag.

	      {-|+}allow_svr
		     -allow_svr prohibits the issuance of service tickets  for
		     this  principal.	(Sets the KRB5_KDB_DISALLOW_SVR flag.)
		     +allow_svr clears this flag.

	      {-|+}allow_tgs_req
		     -allow_tgs_req specifies that a  Ticket-Granting  Service
		     (TGS)  request for a service ticket for this principal is
		     not permitted.  This option is useless for	 most  things.
		     +allow_tgs_req   clears   this   flag.   The  default  is
		     +allow_tgs_req.   In  effect,  -allow_tgs_req  sets   the
		     KRB5_KDB_DISALLOW_TGT_BASED  flag on the principal in the
		     database.

	      {-|+}allow_tix
		     -allow_tix forbids the issuance of any tickets  for  this
		     principal.	  +allow_tix clears this flag.	The default is
		     +allow_tix.  In effect, -allow_tix sets the KRB5_KDB_DIS‐
		     ALLOW_ALL_TIX flag on the principal in the database.

	      {-|+}needchange
		     +needchange  sets	a  flag in attributes field to force a
		     password change; -needchange clears it.  The  default  is
		     -needchange.     In    effect,   +needchange   sets   the
		     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal  in  the
		     database.

	      {-|+}password_changing_service
		     +password_changing_service	 sets a flag in the attributes
		     field marking this as a password change service principal
		     (useless  for  most  things).  -password_changing_service
		     clears the flag.  This  flag  intentionally  has  a  long
		     name.   The  default  is  -password_changing_service.  In
		     effect,	 +password_changing_service	 sets	   the
		     KRB5_KDB_PWCHANGE_SERVICE	flag  on  the principal in the
		     database.

	      -randkey
		     sets the key of the principal to a random value

	      -pw password
		     sets the key of the principal to the specified string and
		     does not prompt for a password.  Note:  using this option
		     in a shell script can be dangerous if unauthorized	 users
		     gain read access to the script.

	      -e "enc:salt ..."
		     uses  the	specified  list	 of enctype-salttype pairs for
		     setting the key of the principal.	The quotes are	neces‐
		     sary  if there are multiple enctype-salttype pairs.  This
		     will not function against	kadmin	daemons	 earlier  than
		     krb5-1.2.

	      EXAMPLE:
		     kadmin: addprinc tlyu/admin
		     WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
		     defaulting to no policy.
		     Enter password for principal tlyu/admin@BLEEP.COM:
		     Re-enter password for principal tlyu/admin@BLEEP.COM:
		     Principal "tlyu/admin@BLEEP.COM" created.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_ADD (requires "add" privilege)
		     KADM5_BAD_MASK (shouldn't happen)
		     KADM5_DUP (principal exists already)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal
	      deletes the specified principal from the database.  This command
	      prompts for deletion, unless the -force option  is  given.  This
	      command requires the delete privilege.  Aliased to delprinc.

	      EXAMPLE:
		     kadmin: delprinc mwm_user
		     Are you sure you want to delete the principal
		     "mwm_user@BLEEP.COM"? (yes/no): yes
		     Principal "mwm_user@BLEEP.COM" deleted.
		     Make sure that you have removed this principal from
		     all ACLs before reusing.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_DELETE (reequires "delete" privilege)
		     KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal
	      modifies	the specified principal, changing the fields as speci‐
	      fied.  The options are as above for add_principal,  except  that
	      password	changing  and  flags  related to password changing are
	      forbidden by this command.  In addition, the option -clearpolicy
	      will  clear  the	current	 policy	 of a principal.  This command
	      requires the modify privilege.  Aliased to modprinc.

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires "modify" privilege)
		     KADM5_UNK_PRINC (principal does not exist)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
	      changes the password of principal.  Prompts for a	 new  password
	      if  neither -randkey or -pw is specified.	 Requires the changepw
	      privilege, or that the principal that is running the program  to
	      be  the same as the one changed.	Aliased to cpw.	 The following
	      options are available:

	      -randkey
		     sets the key of the principal to a random value

	      -pw password
		     set the password to the  specified	 string.   Not	recom‐
		     mended.

	      -e "enc:salt ..."
		     uses  the	specified  list	 of enctype-salttype pairs for
		     setting the key of the principal.	The quotes are	neces‐
		     sary  if there are multiple enctype-salttype pairs.  This
		     will not function against	kadmin	daemons	 earlier  than
		     krb5-1.2.

	      -keepold
		     Keeps  the previous kvno's keys around.  There is no easy
		     way to delete the old keys, and this flag is usually  not
		     necessary	except	perhaps	 for TGS keys.	Don't use this
		     flag unless you know what you're doing.

	      EXAMPLE:
		     kadmin: cpw systest
		     Enter password for principal systest@BLEEP.COM:
		     Re-enter password for principal systest@BLEEP.COM:
		     Password for systest@BLEEP.COM changed.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires the modify privilege)
		     KADM5_UNK_PRINC (principal does not exist)
		     KADM5_PASS_Q_* (password policy violation errors)
		     KADM5_PADD_REUSE (password is in principal's password
		     history)
		     KADM5_PASS_TOOSOON (current password minimum life not
		     expired)

       get_principal [-terse] principal
	      gets the attributes of principal.	 Requires the  inquire	privi‐
	      lege,  or	 that the principal that is running the the program to
	      be the same as the one being listed.  With  the  -terse  option,
	      outputs fields as quoted tab-separated strings.  Alias getprinc.

	      EXAMPLES:
		     kadmin: getprinc tlyu/admin
		     Principal: tlyu/admin@BLEEP.COM
		     Expiration date: [never]
		     Last password change: Mon Aug 12 14:16:47 EDT 1996
		     Password expiration date: [none]
		     Maximum ticket life: 0 days 10:00:00
		     Maximum renewable life: 7 days 00:00:00
		     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
		     Last successful authentication: [never]
		     Last failed authentication: [never]
		     Failed password attempts: 0
		     Number of keys: 2
		     Key: vno 1, DES cbc mode with CRC-32, no salt
		     Key: vno 1, DES cbc mode with CRC-32, Version 4
		     Attributes:
		     Policy: [none]
		     kadmin: getprinc -terse systest
		     systest@BLEEP.COM	 3    86400	604800	  1
		     785926535 753241234 785900000
		     tlyu/admin@BLEEP.COM     786100034 0    0
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_GET (requires the get (inquire) privilege)
		     KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
	      Retrieves	 all  or some principal names.	Expression is a shell-
	      style glob expression that can contain the wild-card  characters
	      ?, *, and []'s.  All principal names matching the expression are
	      printed.	If no expression is provided, all principal names  are
	      printed.	 If  the expression does not contain an "@" character,
	      an "@" character followed by the local realm is appended to  the
	      expression.   Requires  the  list priviledge.  Alias listprincs,
	      get_principals, get_princs.

	      EXAMPLES:
		     kadmin:  listprincs test*
		     test3@SECURE-TEST.OV.COM
		     test2@SECURE-TEST.OV.COM
		     test1@SECURE-TEST.OV.COM
		     testuser@SECURE-TEST.OV.COM
		     kadmin:

       add_policy [options] policy
	      adds the named policy to the policy database.  Requires the  add
	      privilege.  Aliased to addpol.  The following options are avail‐
	      able:

	      -maxlife time
		     sets the maximum lifetime of a password

	      -minlife time
		     sets the minimum lifetime of a password

	      -minlength length
		     sets the minimum length of a password

	      -minclasses number
		     sets the minimum number of character classes allowed in a
		     password

	      -history number
		     sets the number of past keys kept for a principal

	      ERRORS:
		     KADM5_AUTH_ADD (requires the add privilege)
		     KADM5_DUP (policy already exists)

       delete_policy [-force] policy
	      deletes the named policy.	 Prompts for confirmation before dele‐
	      tion.  The command will fail if the policy  is  in  use  by  any
	      principals.  Requires the delete privilege.  Alias delpol.

	      EXAMPLE:
		     kadmin: del_policy guests
		     Are you sure you want to delete the policy "guests"?
		     (yes/no): yes
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_DELETE (requires the delete privilege)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
	      modifies the named policy.  Options are as above for add_policy.
	      Requires the modify privilege.  Alias modpol.

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires the modify privilege)
		     KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
	      displays the values of the named policy.	Requires  the  inquire
	      privilege.   With	 the -terse flag, outputs the fields as quoted
	      strings separated by tabs.  Alias getpol.

	      EXAMPLES:
		     kadmin: get_policy admin
		     Policy: admin
		     Maximum password life: 180 days 00:00:00
		     Minimum password life: 00:00:00
		     Minimum password length: 6
		     Minimum number of password character classes: 2
		     Number of old keys kept: 5
		     Reference count: 17
		     kadmin: get_policy -terse admin
		     admin     15552000	 0    6	   2	5    17
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_GET (requires the get privilege)
		     KADM5_UNK_POLICY (policy does not exist)

       list_policies [expression]
	      Retrieves all or some policy names.  Expression is a shell-style
	      glob  expression that can contain the wild-card characters ?, *,
	      and []'s.	 All policy names matching the expression are printed.
	      If  no  expression  is  provided,	 all existing policy names are
	      printed.	 Requires  the	list  priviledge.    Alias   listpols,
	      get_policies, getpols.

	      EXAMPLES:
		     kadmin:  listpols
		     test-pol
		     dict-only
		     once-a-min
		     test-pol-nopw
		     kadmin:  listpols t*
		     test-pol
		     test-pol-nopw
		     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
	      [principal | -glob princ-exp] [...]
	      Adds  a  principal  or  all  principals  matching princ-exp to a
	      keytab,  randomizing  each  principal's  key  in	the   process.
	      Requires the inquire and changepw privileges.  An entry for each
	      of the principal's unique encryption types  is  added,  ignoring
	      multiple	keys  with the same encryption type but different salt
	      types.  If the -k argument is not specified, the default	keytab
	      /etc/krb5.keytab	is  used.  If the -q option is specified, less
	      verbose status information is displayed.

	      The -glob option requires the list privilege.  princ-exp follows
	      the same rules described for the list_principals command.

	      EXAMPLE:
		     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
		     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
			  kvno 3, encryption type DES-CBC-CRC added to keytab
			  WRFILE:/tmp/foo-new-keytab
		     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
	      Removes  entries	for  the  specified  principal	from a keytab.
	      Requires no permissions, since this does	not  require  database
	      access.	If the string "all" is specified, all entries for that
	      principal are removed; if the string  "old"  is  specified,  all
	      entries  for  that  principal except those with the highest kvno
	      are removed.  Otherwise, the value specified  is	parsed	as  an
	      integer,	and  all  entries  whose  kvno	match that integer are
	      removed.	If the -k  argument  is	 not  specifeid,  the  default
	      keytab /etc/krb5.keytab is used.	If the -q option is specified,
	      less verbose status information is displayed.

	      EXAMPLE:
		     kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
		     Entry for principal kadmin/admin with kvno 3 removed
			  from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
		     kadmin:

FILES
       principal.db	    default name for Kerberos principal database

       <dbname>.kadm5	    KADM5 administrative  database.   (This  would  be
			    "principal.kadm5", if you use the default database
			    name.)  Contains policy information.

       <dbname>.kadm5.lock  lock file for the KADM5  administrative  database.
			    This  file	works  backwards  from most other lock
			    files.  I.e., kadmin will exit with	 an  error  if
			    this file does not exist.

       kadm5.acl	    file  containing list of principals and their kad‐
			    min administrative privileges.  See kadmind(8) for
			    a description.

       kadm5.keytab	    keytab file for kadmin/admin principal.

       kadm5.dict	    file  containing  dictionary of strings explicitly
			    disallowed as passwords.

HISTORY
       The kadmin prorgam was originally written by  Tom  Yu  at  MIT,	as  an
       interface to the OpenVision Kerberos administration program.

SEE ALSO
       kerberos(1), kpasswd(1), kadmind(8)

BUGS
       Command output needs to be cleaned up.

       There is no way to delete a key kept around from a "-keepold" option to
       a password-changing command, other than to do a password change without
       the  "-keepold"	option, which will of course cause problems if the key
       is a TGS key.  There will be more powerful key-manipulation commands in
       the future.

								     KADMIN(8)
[top]

List of man pages available for aLinux

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net