1KADMIN(1)                        MIT Kerberos                        KADMIN(1)
2
3
4

NAME

6       kadmin - Kerberos V5 database administration program
7

SYNOPSIS

9       kadmin   [-O|-N]   [-r   realm]   [-p   principal]   [-q   query]  [[-c
10       cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]
11       [command args...]
12
13       kadmin.local  [-r  realm]  [-p  principal]  [-q  query] [-d dbname] [-e
14       enc:salt ...]  [-m] [-x db_args] [command args...]
15

DESCRIPTION

17       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
18       administration  system.  They provide nearly identical functionalities;
19       the difference is that kadmin.local directly accesses the KDC database,
20       while  kadmin  performs operations using kadmind(8).  Except as explic‐
21       itly noted otherwise, this man page will use "kadmin" to refer to  both
22       versions.   kadmin provides for the maintenance of Kerberos principals,
23       password policies, and service key tables (keytabs).
24
25       The remote kadmin client uses Kerberos to authenticate to kadmind using
26       the   service   principal  kadmin/ADMINHOST  (where  ADMINHOST  is  the
27       fully-qualified hostname of the admin server) or kadmin/admin.  If  the
28       credentials  cache  contains  a ticket for one of these principals, and
29       the -c credentials_cache option is specified, that ticket  is  used  to
30       authenticate  to kadmind.  Otherwise, the -p and -k options are used to
31       specify the client Kerberos principal name used to authenticate.   Once
32       kadmin  has determined the principal name, it requests a service ticket
33       from the KDC, and uses that service ticket to authenticate to kadmind.
34
35       Since kadmin.local directly accesses the KDC database, it usually  must
36       be  run  directly on the master KDC with sufficient permissions to read
37       the KDC database.  If the KDC database uses the LDAP  database  module,
38       kadmin.local can be run on any host which can access the LDAP server.
39

OPTIONS

41       -r realm
42              Use realm as the default database realm.
43
44       -p principal
45              Use  principal  to  authenticate.  Otherwise, kadmin will append
46              /admin to the primary principal name of the default ccache,  the
47              value  of  the  USER  environment  variable,  or the username as
48              obtained with getpwuid, in order of preference.
49
50       -k     Use a keytab to decrypt the KDC response  instead  of  prompting
51              for  a  password.   In  this case, the default principal will be
52              host/hostname.  If there is no  keytab  specified  with  the  -t
53              option, then the default keytab will be used.
54
55       -t keytab
56              Use  keytab  to decrypt the KDC response.  This can only be used
57              with the -k option.
58
59       -n     Requests anonymous processing.  Two types of  anonymous  princi‐
60              pals  are  supported.   For  fully anonymous Kerberos, configure
61              PKINIT on the KDC and configure pkinit_anchors in  the  client's
62              krb5.conf(5).   Then  use  the -n option with a principal of the
63              form @REALM (an empty principal name followed by the at-sign and
64              a  realm  name).   If  permitted by the KDC, an anonymous ticket
65              will be returned.  A second form of anonymous  tickets  is  sup‐
66              ported;  these  realm-exposed  tickets  hide the identity of the
67              client but not the client's realm.  For this mode, use kinit  -n
68              with  a  normal  principal  name.   If supported by the KDC, the
69              principal (but not realm) will  be  replaced  by  the  anonymous
70              principal.   As  of  release 1.8, the MIT Kerberos KDC only sup‐
71              ports fully anonymous operation.
72
73       -c credentials_cache
74              Use credentials_cache  as  the  credentials  cache.   The  cache
75              should  contain a service ticket for the kadmin/ADMINHOST (where
76              ADMINHOST is the fully-qualified hostname of the  admin  server)
77              or  kadmin/admin  service;  it can be acquired with the kinit(1)
78              program.  If this option is not specified, kadmin requests a new
79              service  ticket from the KDC, and stores it in its own temporary
80              ccache.
81
82       -w password
83              Use password instead of prompting for one.  Use this option with
84              care, as it may expose the password to other users on the system
85              via the process list.
86
87       -q query
88              Perform the specified query and then exit.
89
90       -d dbname
91              Specifies the name of the KDC database.  This  option  does  not
92              apply to the LDAP database module.
93
94       -s admin_server[:port]
95              Specifies the admin server which kadmin should contact.
96
97       -m     If  using  kadmin.local, prompt for the database master password
98              instead of reading it from a stash file.
99
100       -e enc:salt ...
101              Sets the keysalt list to be used for any new keys created.   See
102              Keysalt_lists in kdc.conf(5) for a list of possible values.
103
104       -O     Force use of old AUTH_GSSAPI authentication flavor.
105
106       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.
107
108       -x db_args
109              Specifies the database specific arguments.  See the next section
110              for supported options.
111
112       Starting with release 1.14, if any command-line arguments remain  after
113       the  options,  they  will  be treated as a single query to be executed.
114       This mode of operation is intended for scripts and behaves  differently
115       from the interactive mode in several respects:
116
117       · Query arguments are split by the shell, not by kadmin.
118
119       · Informational  and  warning  messages are suppressed.  Error messages
120         and query output (e.g. for get_principal) will still be displayed.
121
122       · Confirmation prompts are disabled (as if -force was given).  Password
123         prompts will still be issued as required.
124
125       · The exit status will be non-zero if the query fails.
126
127       The -q option does not carry these behavior differences; the query will
128       be processed as if it was entered interactively.  The -q option  cannot
129       be used in combination with a query in the remaining arguments.
130

DATABASE OPTIONS

132       Database  options  can  be used to override database-specific defaults.
133       Supported options for the DB2 module are:
134
135          -x dbname=*filename*
136                 Specifies the base filename of the DB2 database.
137
138          -x lockiter
139                 Make iteration operations hold the lock for the  duration  of
140                 the  entire  operation, rather than temporarily releasing the
141                 lock while handling each  principal.   This  is  the  default
142                 behavior,  but this option exists to allow command line over‐
143                 ride of a [dbmodules] setting.  First introduced  in  release
144                 1.13.
145
146          -x unlockiter
147                 Make  iteration operations unlock the database for each prin‐
148                 cipal, instead of holding the lock for the  duration  of  the
149                 entire operation.  First introduced in release 1.13.
150
151       Supported options for the LDAP module are:
152
153          -x host=ldapuri
154                 Specifies the LDAP server to connect to by a LDAP URI.
155
156          -x binddn=bind_dn
157                 Specifies the DN used to bind to the LDAP server.
158
159          -x bindpwd=password
160                 Specifies  the  password  or  SASL secret used to bind to the
161                 LDAP server.  Using this option may expose  the  password  to
162                 other  users  on  the  system  via the process list; to avoid
163                 this, instead stash the password using the stashsrvpw command
164                 of kdb5_ldap_util(8).
165
166          -x sasl_mech=mechanism
167                 Specifies the SASL mechanism used to bind to the LDAP server.
168                 The bind DN is ignored if a SASL mechanism is used.   New  in
169                 release 1.13.
170
171          -x sasl_authcid=name
172                 Specifies  the  authentication  name used when binding to the
173                 LDAP server with a SASL mechanism, if the mechanism  requires
174                 one.  New in release 1.13.
175
176          -x sasl_authzid=name
177                 Specifies  the  authorization  name  used when binding to the
178                 LDAP server with a SASL mechanism.  New in release 1.13.
179
180          -x sasl_realm=realm
181                 Specifies the realm used when binding to the LDAP server with
182                 a  SASL mechanism, if the mechanism uses one.  New in release
183                 1.13.
184
185          -x debug=level
186                 sets the OpenLDAP client library debug level.   level  is  an
187                 integer to be interpreted by the library.  Debugging messages
188                 are printed to standard error.  New in release 1.12.
189

COMMANDS

191       When using the remote client,  available  commands  may  be  restricted
192       according  to  the privileges specified in the kadm5.acl(5) file on the
193       admin server.
194
195   add_principal
196          add_principal [options] newprinc
197
198       Creates the principal newprinc, prompting twice for a password.  If  no
199       password  policy  is  specified with the -policy option, and the policy
200       named default is assigned to the principal if it exists.  However, cre‐
201       ating  a policy named default will not automatically assign this policy
202       to previously existing principals.  This policy assignment can be  sup‐
203       pressed with the -clearpolicy option.
204
205       This command requires the add privilege.
206
207       Aliases: addprinc, ank
208
209       Options:
210
211       -expire expdate
212              (getdate string) The expiration date of the principal.
213
214       -pwexpire pwexpdate
215              (getdate string) The password expiration date.
216
217       -maxlife maxlife
218              (duration  or  getdate  string)  The maximum ticket life for the
219              principal.
220
221       -maxrenewlife maxrenewlife
222              (duration or getdate string) The maximum renewable life of tick‐
223              ets for the principal.
224
225       -kvno kvno
226              The initial key version number.
227
228       -policy policy
229              The  password  policy used by this principal.  If not specified,
230              the policy default is used if it exists (unless -clearpolicy  is
231              specified).
232
233       -clearpolicy
234              Prevents  any  policy  from  being  assigned when -policy is not
235              specified.
236
237       {-|+}allow_postdated
238              -allow_postdated prohibits this principal from  obtaining  post‐
239              dated tickets.  +allow_postdated clears this flag.
240
241       {-|+}allow_forwardable
242              -allow_forwardable  prohibits this principal from obtaining for‐
243              wardable tickets.  +allow_forwardable clears this flag.
244
245       {-|+}allow_renewable
246              -allow_renewable prohibits this principal from obtaining  renew‐
247              able tickets.  +allow_renewable clears this flag.
248
249       {-|+}allow_proxiable
250              -allow_proxiable  prohibits this principal from obtaining proxi‐
251              able tickets.  +allow_proxiable clears this flag.
252
253       {-|+}allow_dup_skey
254              -allow_dup_skey disables user-to-user  authentication  for  this
255              principal by prohibiting this principal from obtaining a session
256              key for another user.  +allow_dup_skey clears this flag.
257
258       {-|+}requires_preauth
259              +requires_preauth requires  this  principal  to  preauthenticate
260              before  being  allowed  to kinit.  -requires_preauth clears this
261              flag.  When +requires_preauth is set on a service principal, the
262              KDC  will  only issue service tickets for that service principal
263              if the  client's  initial  authentication  was  performed  using
264              preauthentication.
265
266       {-|+}requires_hwauth
267              +requires_hwauth  requires  this  principal  to  preauthenticate
268              using  a  hardware  device  before  being  allowed   to   kinit.
269              -requires_hwauth clears this flag.  When +requires_hwauth is set
270              on a service principal, the KDC will only issue service  tickets
271              for  that  service principal if the client's initial authentica‐
272              tion was performed using a hardware device to preauthenticate.
273
274       {-|+}ok_as_delegate
275              +ok_as_delegate sets the okay as delegate flag on tickets issued
276              with  this  principal as the service.  Clients may use this flag
277              as a hint that credentials should be delegated when authenticat‐
278              ing to the service.  -ok_as_delegate clears this flag.
279
280       {-|+}allow_svr
281              -allow_svr  prohibits  the  issuance of service tickets for this
282              principal.  +allow_svr clears this flag.
283
284       {-|+}allow_tgs_req
285              -allow_tgs_req specifies that a  Ticket-Granting  Service  (TGS)
286              request  for  a service ticket for this principal is not permit‐
287              ted.  +allow_tgs_req clears this flag.
288
289       {-|+}allow_tix
290              -allow_tix forbids the issuance of any tickets for this  princi‐
291              pal.  +allow_tix clears this flag.
292
293       {-|+}needchange
294              +needchange forces a password change on the next initial authen‐
295              tication to this principal.  -needchange clears this flag.
296
297       {-|+}password_changing_service
298              +password_changing_service marks this principal  as  a  password
299              change service principal.
300
301       {-|+}ok_to_auth_as_delegate
302              +ok_to_auth_as_delegate  allows  this  principal to acquire for‐
303              wardable tickets to itself from arbitrary users,  for  use  with
304              constrained delegation.
305
306       {-|+}no_auth_data_required
307              +no_auth_data_required  prevents  PAC or AD-SIGNEDPATH data from
308              being added to service tickets for the principal.
309
310       {-|+}lockdown_keys
311              +lockdown_keys prevents keys for this principal from leaving the
312              KDC  via  kadmind.  The chpass and extract operations are denied
313              for a principal with this attribute.  The  chrand  operation  is
314              allowed,  but  will  not  return  the  new keys.  The delete and
315              rename operations are also denied if this attribute is  set,  in
316              order  to prevent a malicious administrator from replacing prin‐
317              cipals like krbtgt/* or kadmin/* with new principals without the
318              attribute.   This attribute can be set via the network protocol,
319              but can only be removed using kadmin.local.
320
321       -randkey
322              Sets the key of the principal to a random value.
323
324       -nokey Causes the principal to be created with no key.  New in  release
325              1.12.
326
327       -pw password
328              Sets  the  password of the principal to the specified string and
329              does not prompt for a password.  Note: using this  option  in  a
330              shell  script may expose the password to other users on the sys‐
331              tem via the process list.
332
333       -e enc:salt,...
334              Uses the specified keysalt list for  setting  the  keys  of  the
335              principal.   See Keysalt_lists in kdc.conf(5) for a list of pos‐
336              sible values.
337
338       -x db_princ_args
339              Indicates database-specific options.  The options for  the  LDAP
340              database module are:
341
342              -x dn=dn
343                     Specifies  the LDAP object that will contain the Kerberos
344                     principal being created.
345
346              -x linkdn=dn
347                     Specifies the LDAP object to which the newly created Ker‐
348                     beros principal object will point.
349
350              -x containerdn=container_dn
351                     Specifies  the  container object under which the Kerberos
352                     principal is to be created.
353
354              -x tktpolicy=policy
355                     Associates a ticket policy to the Kerberos principal.
356
357              NOTE:
358
359                 · The containerdn and linkdn options cannot be specified with
360                   the dn option.
361
362                 · If  the  dn  or containerdn options are not specified while
363                   adding the principal, the principals are created under  the
364                   principal  container  configured  in the realm or the realm
365                   container.
366
367                 · dn and containerdn should be within the subtrees or princi‐
368                   pal container configured in the realm.
369
370       Example:
371
372          kadmin: addprinc jennifer
373          WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
374          defaulting to no policy.
375          Enter password for principal jennifer@ATHENA.MIT.EDU:
376          Re-enter password for principal jennifer@ATHENA.MIT.EDU:
377          Principal "jennifer@ATHENA.MIT.EDU" created.
378          kadmin:
379
380   modify_principal
381          modify_principal [options] principal
382
383       Modifies  the  specified  principal,  changing the fields as specified.
384       The options to add_principal also apply to this command, except for the
385       -randkey,  -pw,  and  -e options.  In addition, the option -clearpolicy
386       will clear the current policy of a principal.
387
388       This command requires the modify privilege.
389
390       Alias: modprinc
391
392       Options (in addition to the addprinc options):
393
394       -unlock
395              Unlocks a locked principal (one  which  has  received  too  many
396              failed  authentication attempts without enough time between them
397              according to its password policy) so that  it  can  successfully
398              authenticate.
399
400   rename_principal
401          rename_principal [-force] old_principal new_principal
402
403       Renames  the  specified  old_principal  to new_principal.  This command
404       prompts for confirmation, unless the -force option is given.
405
406       This command requires the add and delete privileges.
407
408       Alias: renprinc
409
410   delete_principal
411          delete_principal [-force] principal
412
413       Deletes the  specified  principal  from  the  database.   This  command
414       prompts for deletion, unless the -force option is given.
415
416       This command requires the delete privilege.
417
418       Alias: delprinc
419
420   change_password
421          change_password [options] principal
422
423       Changes  the password of principal.  Prompts for a new password if nei‐
424       ther -randkey or -pw is specified.
425
426       This command requires the changepw privilege,  or  that  the  principal
427       running the program is the same as the principal being changed.
428
429       Alias: cpw
430
431       The following options are available:
432
433       -randkey
434              Sets the key of the principal to a random value.
435
436       -pw password
437              Set  the password to the specified string.  Using this option in
438              a script may expose the password to other users  on  the  system
439              via the process list.
440
441       -e enc:salt,...
442              Uses  the  specified  keysalt  list  for setting the keys of the
443              principal.  See Keysalt_lists in kdc.conf(5) for a list of  pos‐
444              sible values.
445
446       -keepold
447              Keeps  the  existing keys in the database.  This flag is usually
448              not necessary except perhaps for krbtgt principals.
449
450       Example:
451
452          kadmin: cpw systest
453          Enter password for principal systest@BLEEP.COM:
454          Re-enter password for principal systest@BLEEP.COM:
455          Password for systest@BLEEP.COM changed.
456          kadmin:
457
458   purgekeys
459          purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal
460
461       Purges previously retained old keys (e.g., from change_password  -keep‐
462       old)  from principal.  If -keepkvno is specified, then only purges keys
463       with kvnos lower than oldest_kvno_to_keep.  If -all is specified,  then
464       all keys are purged.  The -all option is new in release 1.12.
465
466       This command requires the modify privilege.
467
468   get_principal
469          get_principal [-terse] principal
470
471       Gets  the  attributes  of  principal.   With the -terse option, outputs
472       fields as quoted tab-separated strings.
473
474       This command requires the inquire privilege, or that the principal run‐
475       ning the the program to be the same as the one being listed.
476
477       Alias: getprinc
478
479       Examples:
480
481          kadmin: getprinc tlyu/admin
482          Principal: tlyu/admin@BLEEP.COM
483          Expiration date: [never]
484          Last password change: Mon Aug 12 14:16:47 EDT 1996
485          Password expiration date: [none]
486          Maximum ticket life: 0 days 10:00:00
487          Maximum renewable life: 7 days 00:00:00
488          Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
489          Last successful authentication: [never]
490          Last failed authentication: [never]
491          Failed password attempts: 0
492          Number of keys: 2
493          Key: vno 1, des-cbc-crc
494          Key: vno 1, des-cbc-crc:v4
495          Attributes:
496          Policy: [none]
497
498          kadmin: getprinc -terse systest
499          systest@BLEEP.COM   3    86400     604800    1
500          785926535 753241234 785900000
501          tlyu/admin@BLEEP.COM     786100034 0    0
502          kadmin:
503
504   list_principals
505          list_principals [expression]
506
507       Retrieves  all  or  some  principal names.  expression is a shell-style
508       glob expression that can contain the wild-card characters ?, *, and [].
509       All principal names matching the expression are printed.  If no expres‐
510       sion is provided, all principal names are printed.  If  the  expression
511       does  not  contain an @ character, an @ character followed by the local
512       realm is appended to the expression.
513
514       This command requires the list privilege.
515
516       Alias: listprincs, get_principals, get_princs
517
518       Example:
519
520          kadmin:  listprincs test*
521          test3@SECURE-TEST.OV.COM
522          test2@SECURE-TEST.OV.COM
523          test1@SECURE-TEST.OV.COM
524          testuser@SECURE-TEST.OV.COM
525          kadmin:
526
527   get_strings
528          get_strings principal
529
530       Displays string attributes on principal.
531
532       This command requires the inquire privilege.
533
534       Alias: getstr
535
536   set_string
537          set_string principal name value
538
539       Sets a string attribute on principal.  String attributes  are  used  to
540       supply  per-principal configuration to the KDC and some KDC plugin mod‐
541       ules.  The following string attribute names are recognized by the KDC:
542
543       require_auth
544              Specifies an  authentication  indicator  which  is  required  to
545              authenticate to the principal as a service.  Multiple indicators
546              can be specified, separated by spaces; in this case any  of  the
547              specified indicators will be accepted.  (New in release 1.14.)
548
549       session_enctypes
550              Specifies  the  encryption types supported for session keys when
551              the principal is authenticated to  as  a  server.   See  Encryp‐
552              tion_types in kdc.conf(5) for a list of the accepted values.
553
554       otp    Enables  One Time Passwords (OTP) preauthentication for a client
555              principal.  The value is a JSON string representing an array  of
556              objects, each having optional type and username fields.
557
558       This command requires the modify privilege.
559
560       Alias: setstr
561
562       Example:
563
564          set_string host/foo.mit.edu session_enctypes aes128-cts
565          set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
566
567   del_string
568          del_string principal key
569
570       Deletes a string attribute from principal.
571
572       This command requires the delete privilege.
573
574       Alias: delstr
575
576   add_policy
577          add_policy [options] policy
578
579       Adds a password policy named policy to the database.
580
581       This command requires the add privilege.
582
583       Alias: addpol
584
585       The following options are available:
586
587       -maxlife time
588              (duration  or  getdate  string)  Sets  the maximum lifetime of a
589              password.
590
591       -minlife time
592              (duration or getdate string) Sets  the  minimum  lifetime  of  a
593              password.
594
595       -minlength length
596              Sets the minimum length of a password.
597
598       -minclasses number
599              Sets the minimum number of character classes required in a pass‐
600              word.  The five character classes are lower  case,  upper  case,
601              numbers, punctuation, and whitespace/unprintable characters.
602
603       -history number
604              Sets  the number of past keys kept for a principal.  This option
605              is not supported with the LDAP KDC database module.
606
607       -maxfailure maxnumber
608              Sets the number of authentication failures before the  principal
609              is locked.  Authentication failures are only tracked for princi‐
610              pals which require preauthentication.   The  counter  of  failed
611              attempts resets to 0 after a successful attempt to authenticate.
612              A maxnumber value of 0 (the default) disables lockout.
613
614       -failurecountinterval failuretime
615              (duration or getdate string) Sets  the  allowable  time  between
616              authentication  failures.   If an authentication failure happens
617              after failuretime has elapsed since the  previous  failure,  the
618              number  of authentication failures is reset to 1.  A failuretime
619              value of 0 (the default) means forever.
620
621       -lockoutduration lockouttime
622              (duration or getdate string) Sets the  duration  for  which  the
623              principal  is locked from authenticating if too many authentica‐
624              tion failures occur without the specified failure count interval
625              elapsing.   A  duration  of  0 (the default) means the principal
626              remains locked out until it is  administratively  unlocked  with
627              modprinc -unlock.
628
629       -allowedkeysalts
630              Specifies  the key/salt tuples supported for long-term keys when
631              setting  or   changing   a   principal's   password/keys.    See
632              Keysalt_lists  in kdc.conf(5) for a list of the accepted values,
633              but note that key/salt tuples  must  be  separated  with  commas
634              (',') only.  To clear the allowed key/salt policy use a value of
635              '-'.
636
637       Example:
638
639          kadmin: add_policy -maxlife "2 days" -minlength 5 guests
640          kadmin:
641
642   modify_policy
643          modify_policy [options] policy
644
645       Modifies the password policy named policy.  Options  are  as  described
646       for add_policy.
647
648       This command requires the modify privilege.
649
650       Alias: modpol
651
652   delete_policy
653          delete_policy [-force] policy
654
655       Deletes  the  password  policy  named policy.  Prompts for confirmation
656       before deletion.  The command will fail if the policy is in use by  any
657       principals.
658
659       This command requires the delete privilege.
660
661       Alias: delpol
662
663       Example:
664
665          kadmin: del_policy guests
666          Are you sure you want to delete the policy "guests"?
667          (yes/no): yes
668          kadmin:
669
670   get_policy
671          get_policy [ -terse ] policy
672
673       Displays  the  values  of  the  password policy named policy.  With the
674       -terse flag, outputs the fields as quoted strings separated by tabs.
675
676       This command requires the inquire privilege.
677
678       Alias: getpol
679
680       Examples:
681
682          kadmin: get_policy admin
683          Policy: admin
684          Maximum password life: 180 days 00:00:00
685          Minimum password life: 00:00:00
686          Minimum password length: 6
687          Minimum number of password character classes: 2
688          Number of old keys kept: 5
689          Reference count: 17
690
691          kadmin: get_policy -terse admin
692          admin     15552000  0    6    2    5    17
693          kadmin:
694
695       The "Reference count" is the number of principals  using  that  policy.
696       With  the  LDAP  KDC  database module, the reference count field is not
697       meaningful.
698
699   list_policies
700          list_policies [expression]
701
702       Retrieves all or some policy names.  expression is a  shell-style  glob
703       expression that can contain the wild-card characters ?, *, and [].  All
704       policy names matching the expression are printed.  If no expression  is
705       provided, all existing policy names are printed.
706
707       This command requires the list privilege.
708
709       Aliases: listpols, get_policies, getpols.
710
711       Examples:
712
713          kadmin:  listpols
714          test-pol
715          dict-only
716          once-a-min
717          test-pol-nopw
718
719          kadmin:  listpols t*
720          test-pol
721          test-pol-nopw
722          kadmin:
723
724   ktadd
725          ktadd [options] principal
726          ktadd [options] -glob princ-exp
727
728
729       Adds  a  principal,  or  all principals matching princ-exp, to a keytab
730       file.  Each principal's keys are randomized in the process.  The  rules
731       for princ-exp are described in the list_principals command.
732
733       This  command  requires  the inquire and changepw privileges.  With the
734       -glob form, it also requires the list privilege.
735
736       The options are:
737
738       -k[eytab] keytab
739              Use keytab as the keytab file.  Otherwise, the default keytab is
740              used.
741
742       -e enc:salt,...
743              Uses  the specified keysalt list for setting the new keys of the
744              principal.  See Keysalt_lists in kdc.conf(5) for a list of  pos‐
745              sible values.
746
747       -q     Display less verbose information.
748
749       -norandkey
750              Do  not  randomize  the keys. The keys and their version numbers
751              stay unchanged.  This option cannot be specified in  combination
752              with the -e option.
753
754       An  entry for each of the principal's unique encryption types is added,
755       ignoring multiple keys with the same encryption type but different salt
756       types.
757
758       Example:
759
760          kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
761          Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
762               encryption type aes256-cts-hmac-sha1-96 added to keytab
763               FILE:/tmp/foo-new-keytab
764          kadmin:
765
766   ktremove
767          ktremove [options] principal [kvno | all | old]
768
769       Removes entries for the specified principal from a keytab.  Requires no
770       permissions, since this does not require database access.
771
772       If the string "all" is specified, all entries for  that  principal  are
773       removed; if the string "old" is specified, all entries for that princi‐
774       pal except those with the highest kvno  are  removed.   Otherwise,  the
775       value  specified  is  parsed  as an integer, and all entries whose kvno
776       match that integer are removed.
777
778       The options are:
779
780       -k[eytab] keytab
781              Use keytab as the keytab file.  Otherwise, the default keytab is
782              used.
783
784       -q     Display less verbose information.
785
786       Example:
787
788          kadmin: ktremove kadmin/admin all
789          Entry for principal kadmin/admin with kvno 3 removed from keytab
790               FILE:/etc/krb5.keytab
791          kadmin:
792
793   lock
794       Lock  database  exclusively.   Use  with extreme caution!  This command
795       only works with the DB2 KDC database module.
796
797   unlock
798       Release the exclusive database lock.
799
800   list_requests
801       Lists available for kadmin requests.
802
803       Aliases: lr, ?
804
805   quit
806       Exit program.  If the database was locked, the lock is released.
807
808       Aliases: exit, q
809

HISTORY

811       The kadmin program was originally written by  Tom  Yu  at  MIT,  as  an
812       interface to the OpenVision Kerberos administration program.
813

SEE ALSO

815       kpasswd(1), kadmind(8)
816

AUTHOR

818       MIT
819
821       1985-2017, MIT
822
823
824
825
8261.15.1                                                               KADMIN(1)
Impressum