kadmin.local man page on OpenIndiana

Man page or keyword search:  
man Server   20441 pages
apropos Keyword Search (all sections)
Output format
OpenIndiana logo
[printable version]

kadmin(1M)		System Administration Commands		    kadmin(1M)

NAME
       kadmin, kadmin.local - Kerberos database administration program

SYNOPSIS
       /usr/sbin/kadmin [-r realm] [-p principal] [-q query]
	[-s admin_server [:port]] [ [-c credential_cache]
	| [-k [-t keytab]] | [-w password]] [-x db_args]...

       /usr/sbin/kadmin.local [-r realm] [-p principal]
	[-q query] [-d dbname] [-e "enc:salt..."] [-m] [-D]

DESCRIPTION
       kadmin  and kadmin.local are interactive command-line interfaces to the
       Kerberos V5 administration system. They provide for the maintenance  of
       Kerberos principals, policies, and service key tables (keytabs). kadmin
       and kadmin.local provide identical  functionality;  the	difference  is
       that  kadmin.local can run only on the master KDC and does not use Ker‐
       beros authentication.

       Except as explicitly noted otherwise, this  man	page  uses  kadmin  to
       refer to both versions.

       By default, both versions of kadmin attempt to determine your user name
       and perform operations on behalf	 of  your  "username/admin"  instance.
       Operations  performed  are  subject  to privileges granted or denied to
       this user instance by the Kerberos ACL file (see kadm5.acl(4)). You may
       perform administration as another user instance by using the -p option.

       The  remote  version,  kadmin,  uses  Kerberos  authentication  and  an
       encrypted RPC to operate securely from anywhere on the network. It nor‐
       mally prompts for a password and authenticates the user to the Kerberos
       administration server, kadmind, whose service principal is kadmin/fqdn.
       Some  options specific to the remote version permit the password prompt
       to be bypassed. The -c option searches the named credentials cache  for
       a  valid ticket for the kadmin/fqdn service and uses it to authenticate
       the user to the Kerberos admin server without a password. The -k option
       searches	 a  keytab for a credential to authenticate to the kadmin/fqdn
       service, and again no password is collected. If kadmin has collected  a
       password,  it  requests	a kadmin/fqdn Kerberos service ticket from the
       KDC, and uses that service ticket to interact with kadmind.

       The local version, kadmin.local, must be run with an effective  UID  of
       root,  and  normally uses a key from the /var/krb5/.k5.realm stash file
       (see kdb5_util(1M)) to decrypt information  from	 the  database	rather
       than  prompting for a password. The -m option will bypass the .k5.realm
       stash file and prompt for the master password.

OPTIONS
       The following options are supported:

       -c credentials_cache

	   Search credentials_cache for a service ticket for  the  kadmin/fqdn
	   service;  it	 can  be  acquired  with the kinit(1) program. If this
	   option is not specified, kadmin requests a new service ticket  from
	   the KDC, and stores it in its own temporary credentials cache.

       -d dbname

	   Specify a non-standard database name. [Local only]

       -D

	   Turn on debug mode. [Local only]

       -e "enc:salt ..."

	   Specify a different encryption type and/or key salt. [Local only]

       -k [-t keytab]

	   Use	the  default  keytab  (-k) or a specific keytab (-t keytab) to
	   decrypt the KDC response instead of prompting for  a	 password.  In
	   this	 case,	the  default  principal will be host/hostname. This is
	   primarily used for keytab maintenance.

       -m

	   Accept the database master password from the keyboard  rather  than
	   using the /var/krb5/.k5.realm stash file. [Local only]

       -p principal

	   Authenticate	 principal to the kadmin/fqdn service. Otherwise, kad‐
	   min will append /admin to the primary principal name of the default
	   credentials	cache,	the value of the USER environment variable, or
	   the username as obtained with getpwuid, in that  order  of  prefer‐
	   ence.

       -q query

	   Pass	 query	directly  to kadmin, which will perform query and then
	   exit. This can be useful for writing scripts.

       -r realm

	   Use realm as the default database realm.

       -s admin_server[:port]

	   Administer the specified admin server at the specified port	number
	   (port).  This  can  be useful in administering a realm not known to
	   your client.

       -w password

	   Use password instead of prompting for one. Note  that  placing  the
	   password for a Kerberos principal with administration access into a
	   shell script can be	dangerous  if  unauthorized  users  gain  read
	   access  to the script or can read arguments of this command through
	   ps(1).

       -x db_args

	   Pass database-specific arguments to kadmin. Supported arguments are
	   for LDAP and the Berkeley-db2 plug-in. These arguments are:

	   binddn=binddn

	       LDAP  simple bind DN for authorization on the directory server.
	       Overrides   the	 ldap_kadmind_dn    parameter	 setting    in
	       krb5.conf(4).

	   bindpwd=bindpwd

	       Bind password.

	   dbname=name

	       For the Berkeley-db2 plug-in, specifies a name for the Kerberos
	       database.

	   nconns=num

	       Maximum number of server connections.

	   port=num

	       Directory server connection port.

COMMANDS
       list_requests

	   Lists all the commands available for kadmin. Aliased by lr and ?.

       get_privs

	   Lists the current Kerberos administration privileges (ACLs) for the
	   principal  that  is	currently  running  kadmin. The privileges are
	   based on the /etc/krb5/kadm5.acl file on the master KDC. Aliased by
	   getprivs.

       add_principal [options] newprinc

	   Creates  a new principal, newprinc, prompting twice for a password.
	   If the -policy option is not specified and a policy	named  default
	   exists,  then the default policy is assigned to the principal; note
	   that the assignment of the default policy occurs automatically only
	   when	 a  principal  is  first  created,  so the default policy must
	   already exist for the assignment to occur. The automatic assignment
	   of  the  default  policy  can  be  suppressed with the -clearpolicy
	   option.  This  command  requires  the  add  privilege.  Aliased  by
	   addprinc and ank. The options are:

	   -expire expdate

	       Expiration  date of the principal. See the Time Formats section
	       for the valid absolute time formats that you  can  specify  for
	       expdate.

	   -pwexpire pwexpdate

	       Password	 expiration date. See the Time Formats section for the
	       valid absolute time formats that you can specify for pwexpdate.

	   -maxlife maxlife

	       Maximum ticket life for the principal.  See  the	 Time  Formats
	       section	for the valid time duration formats that you can spec‐
	       ify for maxlife.

	   -maxrenewlife maxrenewlife

	       Maximum renewable life of tickets for the  principal.  See  the
	       Time  Formats  section for the valid time duration formats that
	       you can specify for maxrenewlife.

	   -kvno kvno

	       Explicitly set the key version number.

	   -policy policy

	       Policy used by the principal. If both the -policy  and  -clear‐
	       policy options are not specified, the default policy is used if
	       it exists; otherwise, the principal will have no	 policy.  Also
	       note  that  the	password  and principal name must be different
	       when you add a new principal with  a  specific  policy  or  the
	       default policy.

	   -clearpolicy

	       -clearpolicy  prevents  the  default policy from being assigned
	       when -policy is not specified. This option has no effect if the
	       default policy does not exist.

	   {-|+}allow_postdated

	       -allow_postdated	 prohibits  the principal from obtaining post‐
	       dated tickets.  (Sets  the  KRB5_KDB_DISALLOW_POSTDATED	flag.)
	       +allow_postdated clears this flag.

	   {-|+}allow_forwardable

	       -allow_forwardable  prohibits the principal from obtaining for‐
	       wardable	 tickets.  (Sets   the	 KRB5_KDB_DISALLOW_FORWARDABLE
	       flag.) +allow_forwardable clears this flag.

	   {-|+}allow_renewable

	       -allow_renewable	 prohibits the principal from obtaining renew‐
	       able  tickets.  (Sets  the  KRB5_KDB_DISALLOW_RENEWABLE	flag.)
	       +allow_renewable clears this flag.

	   {-|+}allow_proxiable

	       -allow_proxiable	 prohibits the principal from obtaining proxi‐
	       able  tickets.  (Sets  the  KRB5_KDB_DISALLOW_PROXIABLE	flag.)
	       +allow_proxiable clears this flag.

	   {-|+}allow_dup_skey

	       -allow_dup_skey	disables  user-to-user	authentication for the
	       principal by prohibiting this principal from obtaining  a  ses‐
	       sion key for another user. (Sets the KRB5_KDB_DISALLOW_DUP_SKEY
	       flag.) +allow_dup_skey clears this flag.

	   {-|+}requires_preauth

	       +requires_preauth requires  the	principal  to  preauthenticate
	       before	  being	    allowed	to     kinit.	  (Sets	   the
	       KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this
	       flag.

	   {-|+}requires_hwauth

	       +requires_hwauth	 requires  the	principal  to  preauthenticate
	       using a hardware device before being allowed  to	 kinit.	 (Sets
	       the  KRB5_KDB_REQUIRES_HW_AUTH  flag.)  -requires_hwauth clears
	       this flag.

	   {-|+}allow_svr

	       -allow_svr prohibits the issuance of service  tickets  for  the
	       principal.  (Sets  the  KRB5_KDB_DISALLOW_SVR flag.) +allow_svr
	       clears this flag.

	   {-|+}allow_tgs_req

	       -allow_tgs_req specifies that a Ticket-Granting	Service	 (TGS)
	       request	for  a service ticket for the principal is not permit‐
	       ted. This option is useless  for	 most  things.	+allow_tgs_req
	       clears  this  flag.  The	 default is +allow_tgs_req. In effect,
	       -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED flag on the
	       principal in the database.

	   {-|+}allow_tix

	       -allow_tix  forbids the issuance of any tickets for the princi‐
	       pal. +allow_tix clears this flag. The default is +allow_tix. In
	       effect,	-allow_tix  sets the KRB5_KDB_DISALLOW_ALL_TIX flag on
	       the principal in the database.

	   {-|+}needchange

	       +needchange sets a flag in attributes field to force a password
	       change;	-needchange  clears it. The default is -needchange. In
	       effect, +needchange sets the KRB5_KDB_REQUIRES_PWCHANGE flag on
	       the principal in the database.

	   {-|+}password_changing_service

	       +password_changing_service  sets a flag in the attributes field
	       marking this as a password change  service  principal  (useless
	       for  most  things). -password_changing_service clears the flag.
	       This flag intentionally has a long name. The default is	-pass‐
	       word_changing_service.  In  effect,  +password_changing_service
	       sets the KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
	       database.

	   -randkey

	       Sets the key of the principal to a random value.

	   -pw password

	       Sets  the key of the principal to the specified string and does
	       not prompt for a password. Note that using  this	 option	 in  a
	       shell  script  can be dangerous if unauthorized users gain read
	       access to the script.

	   -e "enc:salt ..."

	       Override	 the  list  of	 enctype:salttype   pairs   given   in
	       kdc.conf(4)  for	 setting  the key of the principal. The quotes
	       are necessary if there are multiple enctype:salttype pairs. One
	       key  for each similar enctype and same salttype will be created
	       and the first one listed will be used. For example, in  a  list
	       of two similar enctypes with the same salt, "des-cbc-crc:normal
	       des-cbc-md5:normal", one key will be created and it will be  of
	       type des-cbc-crc:normal.

	   Example:

		 kadmin: addprinc tlyu/admin
		 WARNING: no policy specified for "tlyu/admin@ACME.COM";
		 defaulting to no policy.
		 Enter password for principal tlyu/admin@ACME.COM:
		 Re-enter password for principal tlyu/admin@ACME.COM:
		 Principal "tlyu/admin@ACME.COM" created.
		 kadmin:

	   Errors:

	       KADM5_AUTH_ADD (requires add privilege)

	       KADM5_BAD_MASK (should not happen)

	       KADM5_DUP (principal exists already)

	       KADM5_UNK_POLICY (policy does not exist)

	       KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal

	   Deletes  the	 specified  principal  from the database. This command
	   prompts for deletion, unless the -force option is given. This  com‐
	   mand requires the delete privilege. Aliased by delprinc.

	   Example:

		 kadmin: delprinc mwm_user
		 Are you sure you want to delete the principal
		 "mwm_user@ACME.COM"? (yes/no): yes
		 Principal "mwm_user@ACME.COM" deleted.
		 Make sure that you have removed this principal from
		 all kadmind ACLs before reusing.
		 kadmin:

	   Errors:

	       KADM5_AUTH_DELETE (requires delete privilege)

	       KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal

	   Modifies the specified principal, changing the fields as specified.
	   The options are as above for add_principal,	except	that  password
	   changing  is	 forbidden  by	this  command. In addition, the option
	   -clearpolicy will clear the current policy  of  a  principal.  This
	   command requires the modify privilege. Aliased by modprinc.

	   Errors:

	       KADM5_AUTH_MODIFY (requires modify privilege)

	       KADM5_UNK_PRINC (principal does not exist)

	       KADM5_UNK_POLICY (policy does not exist)

	       KADM5_BAD_MASK (should not happen)

       change_password [options] principal

	   Changes  the	 password  of principal. Prompts for a new password if
	   neither -randkey or -pw is specified. Requires the changepw	privi‐
	   lege,  or  that the principal that is running the program to be the
	   same as the one changed. Aliased by cpw. The following options  are
	   available:

	   -randkey

	       Sets the key of the principal to a random value.

	   -pw password

	       Sets the password to the specified string. Not recommended.

	   -e "enc:salt ..."

	       Override	  the	list   of   enctype:salttype  pairs  given  in
	       kdc.conf(4) for setting the key of the  principal.  The	quotes
	       are necessary if there are multiple enctype:salttype pairs. For
	       each key, the first matching similar enctype and same  salttype
	       in the list will be used to set the new key(s).

	   -keepold

	       Keeps  the previous kvno's keys around. There is no easy way to
	       delete the old keys, and this flag  is  usually	not  necessary
	       except  perhaps	for  TGS  keys as it will allow existing valid
	       TGTs to continue to work.

	   Example:

		 kadmin: cpw systest
		 Enter password for principal systest@ACME.COM:
		 Re-enter password for principal systest@ACME.COM:
		 Password for systest@ACME.COM changed.
		 kadmin:

	   Errors:

	       KADM5_AUTH_MODIFY (requires the modify privilege)

	       KADM5_UNK_PRINC (principal does not exist)

	       KADM5_PASS_Q_* (password policy violation errors)

	       KADM5_PASS_REUSE (password is in principal's password history)

	       KADM5_PASS_TOOSOON (current password minimum life not expired)

       get_principal [-terse] principal

	   Gets the attributes of principal. Requires the  inquire  privilege,
	   or that the principal that is running the program to be the same as
	   the one being listed. With the -terse  option,  outputs  fields  as
	   quoted tab-separated strings. Aliased by getprinc.

	   Examples:

		 kadmin: getprinc tlyu/admin
		 Principal: tlyu/admin@ACME.COM
		 Expiration date: [never]
		 Last password change: Thu Jan 03 12:17:46 CET 2008
		 Password expiration date: [none]
		 Maximum ticket life: 24855 days 03:14:07
		 Maximum renewable life: 24855 days 03:14:07
		 Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM)
		 Last successful authentication: [never]
		 Last failed authentication: [never]
		 Failed password attempts: 0
		 Number of keys: 5
		 Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
		 Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
		 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
		 Key: vno 2, ArcFour with HMAC/md5, no salt
		 Key: vno 2, DES cbc mode with RSA-MD5, no salt
		 Attributes: REQUIRES_PRE_AUTH
		 Policy: [none]
		 kadmin: getprinc -terse tlyu/admin
		 "tlyu/admin@ACME.COM"	 0	 1199359066	 0	 2147483647
		 "root/admin@ACME.COM"	 1199359066	 128	 2	 0	 "[none]"	21474836
		 47	 0	 0	 0	 5	 1	 2	 18	 0	 1	2
		 17	 0	 1	 2	 16	 0	 1	 2	 23	 0	12
			3	0
		 kadmin:

	   Errors:

	       KADM5_AUTH_GET (requires the get [inquire] privilege)

	       KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]

	   Retrieves  all or some principal names. expression is a shell-style
	   glob expression that can contain the wild-card characters ?, *, and
	   []'s.  All  principal names matching the expression are printed. If
	   no expression is provided, all principal names are printed. If  the
	   expression does not contain an "@" character, an "@" character fol‐
	   lowed by the local realm is appended to  the	 expression.  Requires
	   the list privilege. Aliased by listprincs, get_principals, and get‐
	   princs.

	   Examples:

		 kadmin: listprincs test*
		 test3@ACME.COM
		 test2@ACME.COM
		 test1@ACME.COM
		 testuser@ACME.COM
		 kadmin:

       add_policy [options] policy

	   Adds the named policy to the	 policy	 database.  Requires  the  add
	   privilege. Aliased by addpol. The following options are available:

	   -maxlife maxlife

	       sets  the  maximum lifetime of a password. See the Time Formats
	       section for the valid time duration formats that you can	 spec‐
	       ify for maxlife.

	   -minlife minlife

	       sets  the  minimum lifetime of a password. See the Time Formats
	       section for the valid time duration formats that you can	 spec‐
	       ify for minlife.

	   -minlength length

	       sets the minimum length of a password.

	   -minclasses number

	       sets the minimum number of character classes allowed in a pass‐
	       word. The valid values are:

	   1

	       only letters (himom)

	   2

	       both letters and numbers (hi2mom)

	   3

	       letters, numbers, and punctuation (hi2mom!)

	   -history number

	       sets the number of past keys kept for a principal.

	   Errors:

	       KADM5_AUTH_ADD (requires the add privilege)

	       KADM5_DUP (policy already exists)

       delete_policy [-force] policy

	   Deletes the named policy. Unless the -force	option	is  specified,
	   prompts  for confirmation before deletion. The command will fail if
	   the policy is in use by any principals. Requires the delete	privi‐
	   lege. Aliased by delpol.

	   Example:

		 kadmin: del_policy guests
		 Are you sure you want to delete the
		 policy "guests"? (yes/no): yes
		 Policy "guests" deleted.
		 kadmin:

	   Errors:

	       KADM5_AUTH_DELETE (requires the delete privilege)

	       KADM5_UNK_POLICY (policy does not exist)

	       KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy

	   Modifies  the  named	 policy.  Options are as above for add_policy.
	   Requires the modify privilege. Aliased by modpol.

	   Errors:

	       KADM5_AUTH_MODIFY (requires the modify privilege)

	       KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy

	   Displays the values of the named policy. Requires the inquire priv‐
	   ilege.  With	 the -terse flag, outputs the fields as quoted strings
	   separated by tabs. Aliased by getpol.

	   Examples:

		 kadmin: get_policy admin
		 Policy: admin
		 Maximum password life: 180 days 00:00:00
		 Minimum password life: 00:00:00
		 Minimum password length: 6
		 Minimum number of password character classes: 2
		 Number of old keys kept: 5
		 Reference count: 17
		 kadmin: get_policy -terse
		 admin admin	15552000  0    6    2	 5    17
		 kadmin:

	   Errors:

	       KADM5_AUTH_GET (requires the get privilege)

	       KADM5_UNK_POLICY (policy does not exist)

       list_policies [expression]

	   Retrieves all or some policy names.	expression  is	a  shell-style
	   glob expression that can contain the wild-card characters ?, *, and
	   []'s. All policy names matching the expression are printed.	If  no
	   expression  is  provided,  all  existing  policy names are printed.
	   Requires the list privilege. Aliased by listpols, get_policies, and
	   getpols.

	   Examples:

		 kadmin: listpols
		 test-pol dict-only once-a-min test-pol-nopw
		 kadmin: listpols t*
		 test-pol test-pol-nopw kadmin:

       ktadd [-k keytab] [-q] [-e enctype:salt]

	   Adds	 a principal or all principals matching princ-exp to a keytab,
	   randomizing each principal's key in the process.

	   ktadd requires the inquire and changepw privileges.	An  entry  for
	   each	 of the principal's unique encryption types is added, ignoring
	   multiple keys with the same	encryption  type  but  different  salt
	   types.  If  the  -k	argument  is not specified, the default keytab
	   file, /etc/krb5/krb5.keytab, is used.

	   The "-e enctype:salt" option overrides the list of  enctypes	 given
	   in  krb5.conf(4),  in the permitted_enctypes parameter. If "-e enc‐
	   type:salt" is not used and permitted_enctypes  is  not  defined  in
	   krb5.conf(4),  a  key  for  each enctype supported by the system on
	   which kadmin is run will  be	 created  and  added  to  the  keytab.
	   Restricting	the  enctypes of keys in the keytab is useful when the
	   system for which keys are being created does not support  the  same
	   set of enctypes as the KDC. Note that ktadd modifies the enctype of
	   the keys in the principal database as well.

	   If the -q option is specified,  less	 status	 information  is  dis‐
	   played.  Aliased  by xst. The -glob option requires the list privi‐
	   lege. Also, note that if you use -glob to create a keytab, you need
	   to remove /etc/krb5/kadm5.keytab and create it again if you want to
	   use -p */admin with kadmin.

       princ-exp

	   princ-exp follows the same rules described for the  list_principals
	   command.

	   Example:

		 kadmin: ktadd -k /tmp/new-keytab nfs/chicago
		 Entry for principal nfs/chicago with kvno 2,
		 encryption type DES-CBC-CRC added to keytab
		 WRFILE:/tmp/new-keytab.
		 kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]

	   Removes entries for the specified principal from a keytab. Requires
	   no privileges, since this does not require database access. If  all
	   is specified, all entries for that principal are removed; if old is
	   specified, all entries for that principal  except  those  with  the
	   highest  kvno are removed. Otherwise, the value specified is parsed
	   as an integer, and all entries whose kvno match  that  integer  are
	   removed.  If	 the  -k argument is not specified, the default keytab
	   file, /etc/krb5/krb5.keytab, is used. If the -q  option  is	speci‐
	   fied, less status information is displayed. Aliased by ktrem.

	   Example:

		 kadmin: ktremove -k /tmp/new-keytab nfs/chicago
		 Entry for principal nfs/chicago with kvno 2
		 removed from keytab
		 WRFILE:/tmp/new-keytab.
		 kadmin:

       quit

	   Quits kadmin. Aliased by exit and q.

   Time Formats
       Various commands in kadmin can take a variety of time formats, specify‐
       ing time durations or  absolute	times.	The  kadmin  option  variables
       maxrenewlife,  maxlife, and minlife are time durations, whereas expdate
       and pwexpdate are absolute times.

       Examples:

	     kadmin: modprinc -expire "12/31 7pm" jdb
	     kadmin: modprinc -maxrenewlife "2 fortnight" jdb
	     kadmin: modprinc -pwexpire "this sunday" jdb
	     kadmin: modprinc -expire never jdb
	     kadmin: modprinc -maxlife "7:00:00pm tomorrow" jdb

       Note that times which do not have the "ago" specifier default to	 being
       absolute	 times,	 unless	 they  appear  in  a field where a duration is
       expected. In that case, the time specifier will be interpreted as rela‐
       tive. Specifying "ago" in a duration can result in unexpected behavior.

       The following time formats and units can be combined to specify a time.
       The time and date format examples are based on the  date	 and  time  of
       July 2, 1999, 1:35:30 p.m.

       ┌────────────────────────────────────────────────────────────┐
       │Time Format			Examples		    │
       │hh[:mm][:ss][am/pm/a.m./p.m.]	1p.m., 1:35, 1:35:30pm	    │
       └────────────────────────────────────────────────────────────┘

       Variable			     Description
       hh			     hour  (12-hour clock, lead‐
				     ing zero permitted but  not
				     required)
       mm			     minutes
       ss			     seconds

       ┌───────────────────────────────────────────────────────────┐
       │Date Format		      Examples			   │
       │mm/dd[/yy]		      07/02, 07/02/99		   │
       │yyyy-mm-dd		      1999-07-02		   │
       │dd-month-yyyy		      02-July-1999		   │
       │month [,yyyy]		      Jul 02, July 02,1999	   │
       │dd month[ yyyy]		      02 JULY, 02 july 1999	   │
       └───────────────────────────────────────────────────────────┘

       Variable Description
       dd			     day
       mm			     month
       yy			     year  within  century (00-38 is 2000 to
				     2038; 70-99 is 1970 to 1999)
       yyyy			     year including century
       month			     locale's full or abbreviated month name

       ┌───────────────────────────────────────────────────────────┐
       │Time Units		      Examples			   │
       │[+|- #] year		      "-2 year"			   │
       │[+|- #] month		      "2 months"		   │
       │[+|- #] fortnight					   │
       │[+|- #] week						   │
       │[+|- #] day						   │
       │[+|- #] hour						   │
       │[+|- #] minute						   │
       │[+|- #] min						   │
       │[+|- #] second						   │
       │[+|- #] sec						   │
       │tomorrow						   │
       │yesterday						   │
       │today							   │
       │now							   │
       │this			      "this year"		   │
       │last			      "last saturday"		   │
       │next			      "next month"		   │
       │sunday							   │
       │monday							   │
       │tuesday							   │
       │wednesday						   │
       │thursday						   │
       │friday							   │
       │saturday						   │
       │never							   │
       └───────────────────────────────────────────────────────────┘

       You can also use the following time modifiers:  first,  second,	third,
       fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth,
       and ago.

ENVIRONMENT VARIABLES
       See environ(5) for descriptions of the following environment  variables
       that affect the execution of kadmin:

       PAGER

	   The	command to use as a filter for paging output. This can also be
	   used to specify options. The default is more(1).

FILES
       /var/krb5/principal

	   Kerberos principal database.

       /var/krb5/principal.ulog

	   The update log file for incremental propagation.

       /var/krb5/principal.kadm5

	   Kerberos administrative database. Contains policy information.

       /var/krb5/principal.kadm5.lock

	   Lock file for the Kerberos administrative database. This file works
	   backwards  from  most  other	 lock files (that is, kadmin will exit
	   with an error if this file does not exist).

       /var/krb5/kadm5.dict

	   Dictionary of strings explicitly disallowed as passwords.

       /etc/krb5/kadm5.acl

	   List of principals and their kadmin administrative privileges.

       /etc/krb5/kadm5.keytab

	   Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and kad‐
	   min/changepw.

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │system/security/kerberos-5   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Committed			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       kpasswd(1),    more(1),	  gkadmin(1M),	 kadmind(1M),	kdb5_util(1M),
       kdb5_ldap_util(1M),    kproplog(1M),	kadm5.acl(4),	  kdc.conf(4),
       krb5.conf(4), attributes(5), environ(5), kerberos(5), krb5envvar(5)

HISTORY
       The  kadmin  program  was  originally  written  by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.

DIAGNOSTICS
       The kadmin command is currently incompatible with the MIT kadmind  dae‐
       mon  interface,	so  you	 cannot use this command to administer an MIT-
       based Kerberos database. However, clients running the Solaris implemen‐
       tation of Kerberos can still use an MIT-based KDC.

SunOS 5.11			  29 Feb 2008			    kadmin(1M)
[top]

List of man pages available for OpenIndiana

Copyright (c) for man pages and the logo by the respective OS vendor.

For those who want to learn more, the polarhome community provides shell access and support.

[legal] [privacy] [GNU] [policy] [cookies] [netiquette] [sponsors] [FAQ]
Tweet
Polarhome, production since 1999.
Member of Polarhome portal.
Based on Fawad Halim's script.
....................................................................
Vote for polarhome
Free Shell Accounts :: the biggest list on the net