1KADMIN(1)                 BSD General Commands Manual                KADMIN(1)
2

NAME

4     kadmin — Kerberos administration utility
5

SYNOPSIS

7     kadmin [-p string | --principal=string] [-K string | --keytab=string]
8            [-c file | --config-file=file] [-k file | --key-file=file]
9            [-r realm | --realm=realm] [-a host | --admin-server=host]
10            [-s port number | --server-port=port number] [-l | --local]
11            [-h | --help] [-v | --version] [command]
12

DESCRIPTION

14     The kadmin program is used to make modifications to the Kerberos data‐
15     base, either remotely via the kadmind(8) daemon, or locally (with the -l
16     option).
17
18     Supported options:
19
20     -p string, --principal=string
21             principal to authenticate as
22
23     -K string, --keytab=string
24             keytab for authentication principal
25
26     -c file, --config-file=file
27             location of config file
28
29     -k file, --key-file=file
30             location of master key file
31
32     -r realm, --realm=realm
33             realm to use
34
35     -a host, --admin-server=host
36             server to contact
37
38     -s port number, --server-port=port number
39             port to use
40
41     -l, --local
42             local admin mode
43
44     If no command is given on the command line, kadmin will prompt for com‐
45     mands to process. Some of the commands that take one or more principals
46     as argument (delete, ext_keytab, get, modify, and passwd) will accept a
47     glob style wildcard, and perform the operation on all matching princi‐
48     pals.
49
50     Commands include:
51
52     add [-r | --random-key] [--random-password] [-p string |
53     --password=string] [--key=string] [--max-ticket-life=lifetime]
54     [--max-renewable-life=lifetime] [--attributes=attributes]
55     [--expiration-time=time] [--pw-expiration-time=time]
56     [--policy=policy-name] principal...
57
58           Adds a new principal to the database. The options not passed on the
59           command line will be promped for.  The only policy supported by
60           Heimdal servers is ‘default’.
61
62     add_enctype [-r | --random-key] principal enctypes...
63
64           Adds a new encryption type to the principal, only random key are
65           supported.
66
67     delete principal...
68
69           Removes a principal.
70
71     del_enctype principal enctypes...
72
73           Removes some enctypes from a principal; this can be useful if the
74           service belonging to the principal is known to not handle certain
75           enctypes.
76
77     ext_keytab [-k string | --keytab=string] principal...
78
79           Creates a keytab with the keys of the specified principals.
80           Requires get-keys rights, otherwise the principal's keys are
81           changed and saved in the keytab.
82
83     get [-l | --long] [-s | --short] [-t | --terse] [-o string |
84     --column-info=string] principal...
85
86           Lists the matching principals, short prints the result as a table,
87           while long format produces a more verbose output. Which columns to
88           print can be selected with the -o option. The argument is a comma
89           separated list of column names optionally appended with an equal
90           sign (‘=’) and a column header. Which columns are printed by
91           default differ slightly between short and long output.
92
93           The default terse output format is similar to -s -o principal=,
94           just printing the names of matched principals.
95
96           Possible column names include: principal, princ_expire_time,
97           pw_expiration, last_pwd_change, max_life, max_rlife, mod_time,
98           mod_name, attributes, kvno, mkvno, last_success, last_failed,
99           fail_auth_count, policy, and keytypes.
100
101     modify [-a attributes | --attributes=attributes]
102     [--max-ticket-life=lifetime] [--max-renewable-life=lifetime]
103     [--expiration-time=time] [--pw-expiration-time=time] [--kvno=number]
104     [--policy=policy-name] principal...
105
106           Modifies certain attributes of a principal. If run without command
107           line options, you will be prompted. With command line options, it
108           will only change the ones specified.
109
110           Only policy supported by Heimdal is ‘default’.
111
112           Possible attributes are: new-princ, support-desmd5,
113           pwchange-service, disallow-svr, requires-pw-change,
114           requires-hw-auth, requires-pre-auth, disallow-all-tix,
115           disallow-dup-skey, disallow-proxiable, disallow-renewable,
116           disallow-tgt-based, disallow-forwardable, disallow-postdated
117
118           Attributes may be negated with a "-", e.g.,
119
120           kadmin -l modify -a -disallow-proxiable user
121
122     passwd [--keepold] [-r | --random-key] [--random-password] [-p string |
123     --password=string] [--key=string] principal...
124
125           Changes the password of an existing principal.
126
127     password-quality principal password
128
129           Run the password quality check function locally.  You can run this
130           on the host that is configured to run the kadmind process to verify
131           that your configuration file is correct.  The verification is done
132           locally, if kadmin is run in remote mode, no rpc call is done to
133           the server.
134
135     privileges
136
137           Lists the operations you are allowed to perform. These include add,
138           add_enctype, change-password, delete, del_enctype, get, get-keys,
139           list, and modify.
140
141     rename from to
142
143           Renames a principal. This is normally transparent, but since keys
144           are salted with the principal name, they will have a non-standard
145           salt, and clients which are unable to cope with this will fail.
146           Kerberos 4 suffers from this.
147
148     check [realm]
149
150           Check database for strange configurations on important principals.
151           If no realm is given, the default realm is used.
152
153     When running in local mode, the following commands can also be used:
154
155     dump [-d | --decrypt] [-fformat | --format=format] [dump-file]
156
157           Writes the database in “machine readable text” form to the speci‐
158           fied file, or standard out. If the database is encrypted, the dump
159           will also have encrypted keys, unless --decrypt is used.  If
160           --format=MIT is used then the dump will be in MIT format.  Other‐
161           wise it will be in Heimdal format.
162
163     init [--realm-max-ticket-life=string] [--realm-max-renewable-life=string]
164     realm
165
166           Initializes the Kerberos database with entries for a new realm.
167           It's possible to have more than one realm served by one server.
168
169     load file
170
171           Reads a previously dumped database, and re-creates that database
172           from scratch.
173
174     merge file
175
176           Similar to load but just modifies the database with the entries in
177           the dump file.
178
179     stash [-e enctype | --enctype=enctype] [-k keyfile | --key-file=keyfile]
180     [--convert-file] [--master-key-fd=fd]
181
182           Writes the Kerberos master key to a file used by the KDC.
183

SEE ALSO

185     kadmind(8), kdc(8)
186
187HEIMDAL                          Feb 22, 2007                          HEIMDAL
Impressum