KADMIN(1)                   General Commands Manual                  KADMIN(1)

NAME
       kadmin - Kerberos V5 database administration program

SYNOPSIS
       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
              [[-c cache_name] | [-k [-t keytab]] | -n] [-w password]
              [-s admin_server[:port]]

       kadmin.local    [-r realm] [-p principal] [-q query]
                       [-d dbname] [-e "enc:salt ..."] [-m] [-x db_args]

DESCRIPTION
       kadmin and kadmin.local are command-line interfaces to the Kerberos V5
       KADM5 administration system.  Both kadmin and kadmin.local provide
       identical functionality; the difference is that kadmin.local runs on
       the master KDC if the database is db2, and does not use Kerberos to
       authenticate to the database.  Except as explicitly noted otherwise,
       this man page will use kadmin to refer to both versions.  kadmin
       provides for the maintenance of Kerberos principals, KADM5 policies,
       and service key tables (keytabs).

       The remote version uses Kerberos authentication and an encrypted RPC
       to operate securely from anywhere on the network.  It authenticates to
       the KADM5 server using the service principal kadmin/admin.  If the
       credentials cache contains a ticket for the kadmin/admin principal, and
       the -c credentials_cache option is specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options are used to
       specify the client Kerberos principal name used to authenticate.  Once
       kadmin has determined the principal name, it requests a kadmin/admin
       Kerberos service ticket from the KDC, and uses that service ticket to
       authenticate to KADM5.

       If the database is db2, the local client kadmin.local is intended to
       run directly on the master KDC without Kerberos authentication.  The
       local version provides all of the functionality of the now obsolete
       kdb5_edit(8), except for database dump and load, which is now provided
       by the kdb5_util(8) utility.

       If the database is LDAP, kadmin.local need not be run on the KDC.

       kadmin.local can be configured to log updates for incremental database
       propagation.  Incremental propagation allows slave KDC servers to
       receive principal and policy updates incrementally instead of receiving
       full dumps of the database.  This facility can be enabled in the
       kdc.conf file with the iprop_enable option.  See the kdc.conf
       documentation for other options for tuning incremental propagation
       parameters.

OPTIONS
       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise, kadmin will append
              "/admin" to the primary principal name of the default ccache,
              the value of the USER environment variable, or the username as
              obtained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response instead of prompting
              for a password on the TTY.  In this case, the default principal
              will be host/hostname.  If there is no keytab specified with
              the -t option, then the default keytab will be used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only be used
              with the -k option.

       -n     Requests anonymous processing.  Two types of anonymous
              principals are supported.  For fully anonymous Kerberos,
              configure pkinit on the KDC and configure pkinit_anchors in the
              client's krb5.conf.  Then use the -n option with a principal of
              the form @REALM (an empty principal name followed by the at-sign
              and a realm name).  If permitted by the KDC, an anonymous ticket
              will be returned.  A second form of anonymous tickets is
              supported; these realm-exposed tickets hide the identity of the
              client but not the client's realm.  For this mode, use -n with a
              normal principal name.  If supported by the KDC, the principal
              (but not realm) will be replaced by the anonymous principal.
              As of release 1.8, the MIT Kerberos KDC only supports fully
              anonymous operation.

       -c credentials_cache
              Use credentials_cache as the credentials cache.  The
              credentials_cache should contain a service ticket for the
              kadmin/admin service; it can be acquired with the kinit(1)
              program.  If this option is not specified, kadmin requests a new
              service ticket from the KDC, and stores it in its own temporary
              ccache.

       -w password
              Use password instead of prompting for one on the TTY.  Note:
              placing the password for a Kerberos principal with
              administration access into a shell script can be dangerous if
              unauthorized users gain read access to the script.  The password
              is also visible to other users of the system in the process
              argument list while kadmin runs; prefer -k with a dedicated
              admin principal's keytab for unattended use.

       -q query
              Pass query directly to kadmin, which will perform the query and
              then exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the Kerberos database.  This option does
              not apply to the LDAP database.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     Do not authenticate using a keytab.  This option will cause
              kadmin to prompt for the master database password.

       -e enc:salt_list
              Sets the list of encryption types and salt types to be used for
              any new keys created.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies the database specific arguments.

              Options supported for LDAP database are:

              -x host=<hostname>
                     specifies the LDAP server to connect to by a LDAP URI.

              -x binddn=<bind_dn>
                     specifies the DN of the object used by the administration
                     server to bind to the LDAP server.  This object should
                     have the read and write rights on the realm container,
                     principal container and the subtree that is referenced by
                     the realm.

              -x bindpwd=<bind_password>
                     specifies the password for the above mentioned binddn.  It
                     is recommended not to use this option.  Instead, the
                     password can be stashed using the stashsrvpw command of
                     kdb5_ldap_util.

DATE FORMAT
       Various commands in kadmin can take a variety of date formats,
       specifying durations or absolute times.  Examples of valid formats are:

              1 month ago
              2 hours ago
              400000 seconds ago
              last year
              this Monday
              next Monday
              yesterday
              tomorrow
              now
              second Monday
              a fortnight ago
              3/31/92 10:00:07 PST
              January 23, 1987 10:05pm
              22:00 GMT

       Dates which do not have the "ago" specifier default to being absolute
       dates, unless they appear in a field where a duration is expected.  In
       that case the time specifier will be interpreted as relative.
       Specifying "ago" in a duration may result in unexpected behavior.

COMMANDS
       add_principal [options] newprinc
              creates the principal newprinc, prompting twice for a password.
              If no policy is specified with the -policy option, and the
              policy named "default" exists, then that policy is assigned to
              the principal; note that the assignment of the policy "default"
              only occurs automatically when a principal is first created, so
              the policy "default" must already exist for the assignment to
              occur.  This assignment of "default" can be suppressed with the
              -clearpolicy option.  This command requires the add privilege.
              This command has the aliases addprinc and ank.  The options are:

              -x db_princ_args
                     Denotes the database specific options.  The options for
                     LDAP database are:

                     -x dn=<dn>
                            Specifies the LDAP object that will contain the
                            Kerberos principal being created.

                     -x linkdn=<dn>
                            Specifies the LDAP object to which the newly
                            created Kerberos principal object will point.

                     -x containerdn=<container_dn>
                            Specifies the container object under which the
                            Kerberos principal is to be created.

                     -x tktpolicy=<policy>
                            Associates a ticket policy with the Kerberos
                            principal.

              -expire expdate
                     expiration date of the principal

              -pwexpire pwexpdate
                     password expiration date

              -maxlife maxlife
                     maximum ticket life for the principal

              -maxrenewlife maxrenewlife
                     maximum renewable life of tickets for the principal

              -kvno kvno
                     explicitly set the key version number.

              -policy policy
                     policy used by this principal.  If no policy is supplied,
                     then if the policy "default" exists and -clearpolicy is
                     not also specified, then the policy "default" is used;
                     otherwise, the principal will have no policy, and a
                     warning message will be printed.

              -clearpolicy
                     -clearpolicy prevents the policy "default" from being
                     assigned when -policy is not specified.  This option has
                     no effect if the policy "default" does not exist.

              {-|+}allow_postdated
                     -allow_postdated prohibits this principal from obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits this principal from
                     obtaining forwardable tickets.  (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits this principal from obtaining
                     renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits this principal from obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     this principal by prohibiting this principal from
                     obtaining a session key for another user.  (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires this principal to
                     preauthenticate before being allowed to kinit.  (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.)  -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires this principal to
                     preauthenticate using a hardware device before being
                     allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}ok_as_delegate
                     +ok_as_delegate sets the OK-AS-DELEGATE flag on tickets
                     issued for use with this principal as the service, which
                     clients may use as a hint that credentials can and should
                     be delegated when authenticating to the service.  (Sets
                     the KRB5_KDB_OK_AS_DELEGATE flag.)  -ok_as_delegate
                     clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     this principal.  (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for this principal is
                     not permitted.  This option is useless for most things.
                     +allow_tgs_req clears this flag.  The default is
                     +allow_tgs_req.  In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for this
                     principal.  +allow_tix clears this flag.  The default is
                     +allow_tix.  In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it.  The default is
                     -needchange.  In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking this as a password change service principal
                     (useless for most things).  -password_changing_service
                     clears the flag.  This flag intentionally has a long
                     name.  The default is -password_changing_service.  In
                     effect, +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
                     database.

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     sets the key of the principal to the specified string and
                     does not prompt for a password.  Note: using this option
                     in a shell script can be dangerous if unauthorized users
                     gain read access to the script.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.

              EXAMPLE:
                     kadmin: addprinc tlyu/admin
                     WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal tlyu/admin@BLEEP.COM:
                     Re-enter password for principal tlyu/admin@BLEEP.COM:
                     Principal "tlyu/admin@BLEEP.COM" created.
                     kadmin:

                     kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user
                     WARNING: no policy specified for "mwm_user@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal mwm_user@BLEEP.COM:
                     Re-enter password for principal mwm_user@BLEEP.COM:
                     Principal "mwm_user@BLEEP.COM" created.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires "add" privilege)
                     KADM5_BAD_MASK (shouldn't happen)
                     KADM5_DUP (principal exists already)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal
              deletes the specified principal from the database.  This command
              prompts for confirmation before deletion, unless the -force
              option is given.  This command requires the delete privilege.
              Aliased to delprinc.

              EXAMPLE:
                     kadmin: delprinc mwm_user
                     Are you sure you want to delete the principal
                     "mwm_user@BLEEP.COM"? (yes/no): yes
                     Principal "mwm_user@BLEEP.COM" deleted.
                     Make sure that you have removed this principal from
                     all ACLs before reusing.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires "delete" privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal
              modifies the specified principal, changing the fields as
              specified.  The options are as above for add_principal, except
              that password changing and flags related to password changing
              are forbidden by this command.  In addition, the option
              -clearpolicy will clear the current policy of a principal.  This
              command requires the modify privilege.  Aliased to modprinc.

              -x db_princ_args
                     Denotes the database specific options.  The options for
                     LDAP database are:

                     -x tktpolicy=<policy>
                            Associates a ticket policy with the Kerberos
                            principal.

                     -x linkdn=<dn>
                            Associates a Kerberos principal with an LDAP
                            object.  This option is honored only if the
                            Kerberos principal is not already associated with
                            an LDAP object.

              -unlock
                     Unlocks a locked principal (one which has received too
                     many failed authentication attempts without enough time
                     between them according to its password policy) so that it
                     can successfully authenticate.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires "modify" privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
              changes the password of principal.  Prompts for a new password
              if neither -randkey nor -pw is specified.  Requires the changepw
              privilege, or that the principal that is running the program be
              the same as the one changed.  Aliased to cpw.  The following
              options are available:

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     set the password to the specified string.  Not
                     recommended.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.

              -keepold
                     Keeps the previous kvno's keys around.  This flag is
                     usually not necessary except perhaps for TGS keys.  Don't
                     use this flag unless you know what you're doing.  This
                     option is not supported for the LDAP database.

              EXAMPLE:
                     kadmin: cpw systest
                     Enter password for principal systest@BLEEP.COM:
                     Re-enter password for principal systest@BLEEP.COM:
                     Password for systest@BLEEP.COM changed.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_PASS_Q_* (password policy violation errors)
                     KADM5_PASS_REUSE (password is in principal's password
                     history)
                     KADM5_PASS_TOOSOON (current password minimum life not
                     expired)

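       The following is an added example, not part of this man page or of the
       MIT krb5 sources: a small Python model of the change_password checks
       that produce the errors listed above (minimum length, character
       classes, password history and minimum life).  A caller holding the
       changepw privilege bypasses the minimum-life check, as kadmind does for
       changes that are not self-service; a principal changing its own
       password does not.  The Policy and Principal records, the hashed
       password-history store and the five character classes (lowercase,
       uppercase, digits, punctuation, other) are assumptions of the example
       modelled on MIT's behaviour, not text from this page.

```python
import hashlib
import string
from dataclasses import dataclass, field
from typing import List


def count_classes(password: str) -> int:
    """Count character classes the way -minclasses is evaluated (assumption:
    lowercase, uppercase, digits, punctuation and 'other' are the five)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


@dataclass
class Policy:               # the add_policy options this example models
    minlength: int = 0
    minclasses: int = 1
    minlife: int = 0        # seconds; 0 disables KADM5_PASS_TOOSOON
    history: int = 1        # past keys kept; 1 means only the current one


@dataclass
class Principal:
    last_pwd_change: int
    # Hypothetical history store: digests of past passwords stand in for the
    # old keys MIT keeps, so the example needs no key derivation.
    pw_history: List[str] = field(default_factory=list)


def _digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def check_password(policy: Policy, princ: Principal, new_pw: str,
                   now: int, privileged: bool = False) -> str:
    """Return "OK" or the KADM5 error name kadmin would report.

    privileged=True models a caller holding the changepw privilege, who is
    not subject to the minimum-life check; a principal changing its own
    password (the other way change_password is allowed) is subject to it."""
    if not privileged and policy.minlife and \
            now < princ.last_pwd_change + policy.minlife:
        return "KADM5_PASS_TOOSOON"
    if len(new_pw) < policy.minlength:
        return "KADM5_PASS_Q_TOOSHORT"
    if count_classes(new_pw) < policy.minclasses:
        return "KADM5_PASS_Q_CLASS"
    if _digest(new_pw) in princ.pw_history[-policy.history:]:
        return "KADM5_PASS_REUSE"
    return "OK"


def change_password(policy: Policy, princ: Principal, new_pw: str,
                    now: int, privileged: bool = False) -> str:
    """Apply the checks and, on success, record the change."""
    status = check_password(policy, princ, new_pw, now, privileged)
    if status == "OK":
        princ.pw_history.append(_digest(new_pw))
        del princ.pw_history[:-policy.history]   # keep only -history entries
        princ.last_pwd_change = now
    return status


def demo() -> dict:
    """Walk one principal through each failure mode; returns the outcomes."""
    pol = Policy(minlength=6, minclasses=2, minlife=86400, history=3)
    t = 1_000_000
    p = Principal(last_pwd_change=t, pw_history=[_digest("Old-pass1")])
    return {
        "too_soon": change_password(pol, p, "New-pass2", t + 3600),
        "admin_ok": change_password(pol, p, "New-pass2", t + 3600, privileged=True),
        "short": change_password(pol, p, "Ab1", t + 100_000),
        "class": change_password(pol, p, "alllowercase", t + 100_000),
        "reuse": change_password(pol, p, "Old-pass1", t + 100_000),
        "ok": change_password(pol, p, "Third-pass3", t + 100_000),
    }
```

       demo() runs the checks in the order a self-service change sees them:
       minimum life first, then length, character classes and history reuse.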
       purgekeys [-keepkvno oldest_kvno_to_keep] principal
              purges previously retained old keys (e.g., from change_password
              -keepold) from principal.  If -keepkvno is specified, then only
              purges keys with kvnos lower than oldest_kvno_to_keep.

       get_principal [-terse] principal
              gets the attributes of principal.  Requires the inquire
              privilege, or that the principal that is running the program be
              the same as the one being listed.  With the -terse option,
              outputs fields as quoted tab-separated strings.  Alias getprinc.

              EXAMPLES:
                     kadmin: getprinc tlyu/admin
                     Principal: tlyu/admin@BLEEP.COM
                     Expiration date: [never]
                     Last password change: Mon Aug 12 14:16:47 EDT 1996
                     Password expiration date: [none]
                     Maximum ticket life: 0 days 10:00:00
                     Maximum renewable life: 7 days 00:00:00
                     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
                     Last successful authentication: [never]
                     Last failed authentication: [never]
                     Failed password attempts: 0
                     Number of keys: 2
                     Key: vno 1, DES cbc mode with CRC-32, no salt
                     Key: vno 1, DES cbc mode with CRC-32, Version 4
                     Attributes:
                     Policy: [none]
                     kadmin: getprinc -terse systest
                     systest@BLEEP.COM   3    86400     604800    1
                     785926535 753241234 785900000
                     tlyu/admin@BLEEP.COM     786100034 0    0
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get (inquire) privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
              Retrieves all or some principal names.  Expression is a shell-
              style glob expression that can contain the wild-card characters
              ?, *, and []'s.  All principal names matching the expression are
              printed.  If no expression is provided, all principal names are
              printed.  If the expression does not contain an "@" character,
              an "@" character followed by the local realm is appended to the
              expression.  Requires the list privilege.  Alias listprincs,
              get_principals, get_princs.

              EXAMPLES:
                     kadmin:  listprincs test*
                     test3@SECURE-TEST.OV.COM
                     test2@SECURE-TEST.OV.COM
                     test1@SECURE-TEST.OV.COM
                     testuser@SECURE-TEST.OV.COM
                     kadmin:

       get_strings principal
              displays string attributes on principal.  String attributes are
              used to supply per-principal configuration to some KDC plugin
              modules.  Alias getstrs.

       set_string principal key value
              sets a string attribute on principal.  Alias setstr.

       del_string principal key
              deletes a string attribute from principal.  Alias delstr.

       add_policy [options] policy
              adds the named policy to the policy database.  Requires the add
              privilege.  Aliased to addpol.  The following options are
              available:

              -maxlife time
                     sets the maximum lifetime of a password

              -minlife time
                     sets the minimum lifetime of a password

              -minlength length
                     sets the minimum length of a password

              -minclasses number
                     sets the minimum number of character classes required in
                     a password

              -history number
                     sets the number of past keys kept for a principal.  This
                     option is not supported for LDAP database

              -maxfailure maxnumber
                     sets the maximum number of authentication failures before
                     the principal is locked.  Authentication failures are
                     only tracked for principals which require
                     preauthentication.

              -failurecountinterval failuretime
                     sets the allowable time between authentication failures.
                     If an authentication failure happens after failuretime
                     has elapsed since the previous failure, the number of
                     authentication failures is reset to 1.  A failure count
                     interval of 0 means forever.

              -lockoutduration lockouttime
                     sets the duration for which the principal is locked from
                     authenticating if too many authentication failures occur
                     without the specified failure count interval elapsing.  A
                     duration of 0 means forever.

              EXAMPLES:
                     kadmin: add_policy -maxlife "2 days" -minlength 5 guests
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires the add privilege)
                     KADM5_DUP (policy already exists)

       delete_policy [-force] policy
              deletes the named policy.  Prompts for confirmation before
              deletion unless the -force option is given.  The command will
              fail if the policy is in use by any principals.  Requires the
              delete privilege.  Alias delpol.

              EXAMPLE:
                     kadmin: del_policy guests
                     Are you sure you want to delete the policy "guests"?
                     (yes/no): yes
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires the delete privilege)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
              modifies the named policy.  Options are as above for add_policy.
              Requires the modify privilege.  Alias modpol.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
              displays the values of the named policy.  Requires the inquire
              privilege.  With the -terse flag, outputs the fields as quoted
              strings separated by tabs.  Alias getpol.

              EXAMPLES:
                     kadmin: get_policy admin
                     Policy: admin
                     Maximum password life: 180 days 00:00:00
                     Minimum password life: 00:00:00
                     Minimum password length: 6
                     Minimum number of password character classes: 2
                     Number of old keys kept: 5
                     Reference count: 17
                     kadmin: get_policy -terse admin
                     admin     15552000  0    6    2    5    17
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       list_policies [expression]
              Retrieves all or some policy names.  Expression is a shell-style
              glob expression that can contain the wild-card characters ?, *,
              and []'s.  All policy names matching the expression are printed.
              If no expression is provided, all existing policy names are
              printed.  Requires the list privilege.  Alias listpols,
              get_policies, getpols.

              EXAMPLES:
                     kadmin:  listpols
                     test-pol
                     dict-only
                     once-a-min
                     test-pol-nopw
                     kadmin:  listpols t*
                     test-pol
                     test-pol-nopw
                     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
              [-norandkey] [principal | -glob princ-exp] [...]
              Adds a principal or all principals matching princ-exp to a
              keytab.  It randomizes each principal's key in the process, to
              prevent a compromised admin account from reading out all of the
              keys from the database.  Because the key changes, any other
              keytab that still holds the previous key for that principal
              stops working.  However, kadmin.local has the -norandkey
              option, which leaves the keys and their version numbers
              unchanged, similar to the Kerberos V4 ext_srvtab command.  That
              allows users to continue to use the passwords they know to
              login normally, while simultaneously allowing scripts to login
              to the same account using a keytab.  There is no significant
              security risk added since kadmin.local must be run by root on
              the KDC anyway.

              Requires the inquire and changepw privileges.  An entry for each
              of the principal's unique encryption types is added, ignoring
              multiple keys with the same encryption type but different salt
              types.  If the -k argument is not specified, the default keytab
              /etc/krb5.keytab is used.  If the -q option is specified, less
              verbose status information is displayed.

              The -glob option requires the list privilege.  princ-exp follows
              the same rules described for the list_principals command.

              EXAMPLE:
                     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
                     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
                          kvno 3, encryption type DES-CBC-CRC added to keytab
                          WRFILE:/tmp/foo-new-keytab
                     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
              Removes entries for the specified principal from a keytab.
              Requires no permissions, since this does not require database
              access.  If the string "all" is specified, all entries for that
              principal are removed; if the string "old" is specified, all
              entries for that principal except those with the highest kvno
              are removed.  Otherwise, the value specified is parsed as an
              integer, and all entries whose kvno matches that integer are
              removed.  If the -k argument is not specified, the default
              keytab /etc/krb5.keytab is used.  If the -q option is specified,
              less verbose status information is displayed.

              EXAMPLE:
                     kadmin: ktremove -k /var/kerberos/krb5kdc/kadmind.keytab kadmin/admin
                     Entry for principal kadmin/admin with kvno 3 removed
                          from keytab WRFILE:/var/kerberos/krb5kdc/kadmind.keytab.
                     kadmin:

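       To make the selection rules of ktadd and ktremove concrete, here is a
       small model of both in Python, added here and not taken from kadmin:
       keys_to_add keeps one key per encryption type as ktadd does, ignoring a
       second key that differs only in salt type, and entries_to_remove applies
       the "all", "old" and numeric kvno rules of ktremove.  The keytab entries,
       principal names and enctype strings are constructed sample data.

```python
# Model of the ktadd / ktremove keytab selection rules described above.
# Added illustration, not kadmin's own code; all entries are constructed.
from dataclasses import dataclass
from typing import List, Tuple, Union


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str


def keys_to_add(principal: str, kvno: int,
                db_keys: List[Tuple[str, str]]) -> List[KeytabEntry]:
    """ktadd writes one entry per unique encryption type; a second database
    key differing only in salt type is ignored.  db_keys: (enctype, salt)."""
    seen, entries = set(), []
    for enctype, _salt in db_keys:
        if enctype not in seen:
            seen.add(enctype)
            entries.append(KeytabEntry(principal, kvno, enctype))
    return entries


def entries_to_remove(entries: List[KeytabEntry], principal: str,
                      spec: Union[str, int]) -> List[KeytabEntry]:
    """ktremove: "all" selects every entry of the principal, "old" all but
    the highest kvno, anything else is parsed as an integer kvno to match."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        return []
    if spec == "all":
        return mine
    if spec == "old":
        newest = max(e.kvno for e in mine)
        return [e for e in mine if e.kvno != newest]
    kvno = int(spec)  # anything else must be an integer kvno
    return [e for e in mine if e.kvno == kvno]


# Constructed keytab: host/foo rotated twice (kvno 2, 3, 4), kadmin/admin once.
HOST = "host/foo.example.com@EXAMPLE.COM"
SAMPLE_KEYTAB = [
    KeytabEntry(HOST, 2, "aes256-cts-hmac-sha1-96"),
    KeytabEntry(HOST, 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry(HOST, 3, "aes128-cts-hmac-sha1-96"),
    KeytabEntry(HOST, 4, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("kadmin/admin@EXAMPLE.COM", 3, "aes256-cts-hmac-sha1-96"),
]
```

       Because ktadd randomizes the key, tickets already issued under the
       previous kvno stay valid until they expire, and the service can only
       decrypt them while the older keytab entries are still present; running
       "ktremove ... old" is therefore normally delayed by at least the ticket
       lifetime after a rotation.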

FILES

       principal.db         default name for Kerberos principal database

       <dbname>.kadm5       KADM5 administrative database.  (This would be
                            "principal.kadm5", if you use the default database
                            name.)  Contains policy information.

       <dbname>.kadm5.lock  lock file for the KADM5 administrative database.
                            This file works backwards from most other lock
                            files.  I.e., kadmin will exit with an error if
                            this file does not exist.

       Note:                The above three files are specific to the db2
                            database.

       kadm5.acl            file containing list of principals and their
                            kadmin administrative privileges.  See kadmind(8)
                            for a description.

       kadm5.keytab         keytab file for kadmin/admin principal.

       kadm5.dict           file containing dictionary of strings explicitly
                            disallowed as passwords.


HISTORY

       The kadmin program was originally written by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.


SEE ALSO

       kerberos(1), kpasswd(1), kadmind(8)


BUGS

       Command output needs to be cleaned up.
