1KADMIN(1)                        MIT Kerberos                        KADMIN(1)
2
3
4

NAME

6       kadmin - Kerberos V5 database administration program
7

SYNOPSIS

9       kadmin   [-O|-N]   [-r   realm]   [-p   principal]   [-q   query]  [[-c
10       cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]
11       [command args...]
12
13       kadmin.local  [-r  realm]  [-p  principal]  [-q  query] [-d dbname] [-e
14       enc:salt ...]  [-m] [-x db_args] [command args...]
15

DESCRIPTION

17       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
18       administration  system.  They provide nearly identical functionalities;
19       the difference is that kadmin.local directly accesses the KDC database,
20       while  kadmin  performs operations using kadmind(8).  Except as explic‐
21       itly noted otherwise, this man page will use "kadmin" to refer to  both
22       versions.   kadmin provides for the maintenance of Kerberos principals,
23       password policies, and service key tables (keytabs).
24
25       The remote kadmin client uses Kerberos to authenticate to kadmind using
26       the service principal kadmin/admin or kadmin/ADMINHOST (where ADMINHOST
27       is the fully-qualified hostname of the admin server).  If  the  creden‐
28       tials  cache  contains a ticket for one of these principals, and the -c
29       credentials_cache option is specified, that ticket is used to authenti‐
30       cate  to kadmind.  Otherwise, the -p and -k options are used to specify
31       the client Kerberos principal name used to authenticate.   Once  kadmin
32       has  determined  the  principal name, it requests a service ticket from
33       the KDC, and uses that service ticket to authenticate to kadmind.
34
35       Since kadmin.local directly accesses the KDC database, it usually  must
36       be  run directly on the primary KDC with sufficient permissions to read
37       the KDC database.  If the KDC database uses the LDAP  database  module,
38       kadmin.local can be run on any host which can access the LDAP server.
39

OPTIONS

41       -r realm
42              Use realm as the default database realm.
43
44       -p principal
45              Use  principal  to  authenticate.  Otherwise, kadmin will append
46              /admin to the primary principal name of the default ccache,  the
47              value  of  the USER environment variable, or the username as ob‐
48              tained with getpwuid, in order of preference.
49
50       -k     Use a keytab to decrypt the KDC response  instead  of  prompting
51              for  a  password.   In  this case, the default principal will be
52              host/hostname.  If there is no keytab specified with the -t  op‐
53              tion, then the default keytab will be used.
54
55       -t keytab
56              Use  keytab  to decrypt the KDC response.  This can only be used
57              with the -k option.
58
59       -n     Requests anonymous processing.  Two types of  anonymous  princi‐
60              pals  are  supported.   For  fully anonymous Kerberos, configure
61              PKINIT on the KDC and configure pkinit_anchors in  the  client's
62              krb5.conf(5).   Then  use  the -n option with a principal of the
63              form @REALM (an empty principal name followed by the at-sign and
64              a  realm  name).   If  permitted by the KDC, an anonymous ticket
65              will be returned.  A second form of anonymous  tickets  is  sup‐
66              ported;  these  realm-exposed  tickets  hide the identity of the
67              client but not the client's realm.  For this mode, use kinit  -n
68              with  a  normal  principal  name.   If supported by the KDC, the
69              principal (but not realm) will  be  replaced  by  the  anonymous
70              principal.   As  of  release 1.8, the MIT Kerberos KDC only sup‐
71              ports fully anonymous operation.
72
73       -c credentials_cache
74              Use credentials_cache  as  the  credentials  cache.   The  cache
75              should  contain  a  service  ticket for the kadmin/admin or kad‐
76              min/ADMINHOST (where ADMINHOST is the  fully-qualified  hostname
77              of  the  admin  server)  service;  it  can  be acquired with the
78              kinit(1) program.  If this option is not specified,  kadmin  re‐
79              quests  a  new service ticket from the KDC, and stores it in its
80              own temporary ccache.
81
82       -w password
83              Use password instead of prompting for one.  Use this option with
84              care, as it may expose the password to other users on the system
85              via the process list.
86
87       -q query
88              Perform the specified query and then exit.
89
90       -d dbname
91              Specifies the name of the KDC database.  This  option  does  not
92              apply to the LDAP database module.
93
94       -s admin_server[:port]
95              Specifies the admin server which kadmin should contact.
96
97       -m     If  using  kadmin.local, prompt for the database master password
98              instead of reading it from a stash file.
99
100       -e "enc:salt ..."
101              Sets the keysalt list to be used for any new keys created.   See
102              Keysalt_lists in kdc.conf(5) for a list of possible values.
103
104       -O     Force use of old AUTH_GSSAPI authentication flavor.
105
106       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.
107
108       -x db_args
109              Specifies the database specific arguments.  See the next section
110              for supported options.
111
112       Starting with release 1.14, if any command-line arguments remain  after
113       the  options,  they  will  be treated as a single query to be executed.
114       This mode of operation is intended for scripts and behaves  differently
115       from the interactive mode in several respects:
116
117       • Query arguments are split by the shell, not by kadmin.
118
119       • Informational  and  warning  messages are suppressed.  Error messages
120         and query output (e.g. for get_principal) will still be displayed.
121
122       • Confirmation prompts are disabled (as if -force was given).  Password
123         prompts will still be issued as required.
124
125       • The exit status will be non-zero if the query fails.
126
127       The -q option does not carry these behavior differences; the query will
128       be processed as if it was entered interactively.  The -q option  cannot
129       be used in combination with a query in the remaining arguments.
130

DATABASE OPTIONS

132       Database  options  can  be used to override database-specific defaults.
133       Supported options for the DB2 module are:
134
135          -x dbname=*filename*
136                 Specifies the base filename of the DB2 database.
137
138          -x lockiter
139                 Make iteration operations hold the lock for the  duration  of
140                 the  entire  operation, rather than temporarily releasing the
141                 lock while handling each principal.  This is the default  be‐
142                 havior, but this option exists to allow command line override
143                 of a [dbmodules] setting.  First introduced in release 1.13.
144
145          -x unlockiter
146                 Make iteration operations unlock the database for each  prin‐
147                 cipal,  instead  of  holding the lock for the duration of the
148                 entire operation.  First introduced in release 1.13.
149
150       Supported options for the LDAP module are:
151
152          -x host=ldapuri
153                 Specifies the LDAP server to connect to by a LDAP URI.
154
155          -x binddn=bind_dn
156                 Specifies the DN used to bind to the LDAP server.
157
158          -x bindpwd=password
159                 Specifies the password or SASL secret used  to  bind  to  the
160                 LDAP  server.   Using  this option may expose the password to
161                 other users on the system via  the  process  list;  to  avoid
162                 this, instead stash the password using the stashsrvpw command
163                 of kdb5_ldap_util(8).
164
165          -x sasl_mech=mechanism
166                 Specifies the SASL mechanism used to bind to the LDAP server.
167                 The  bind  DN is ignored if a SASL mechanism is used.  New in
168                 release 1.13.
169
170          -x sasl_authcid=name
171                 Specifies the authentication name used when  binding  to  the
172                 LDAP  server with a SASL mechanism, if the mechanism requires
173                 one.  New in release 1.13.
174
175          -x sasl_authzid=name
176                 Specifies the authorization name used  when  binding  to  the
177                 LDAP server with a SASL mechanism.  New in release 1.13.
178
179          -x sasl_realm=realm
180                 Specifies the realm used when binding to the LDAP server with
181                 a SASL mechanism, if the mechanism uses one.  New in  release
182                 1.13.
183
184          -x debug=level
185                 sets  the  OpenLDAP  client library debug level.  level is an
186                 integer to be interpreted by the library.  Debugging messages
187                 are printed to standard error.  New in release 1.12.
188

COMMANDS

190       When  using the remote client, available commands may be restricted ac‐
191       cording to the privileges specified in the kadm5.acl(5) file on the ad‐
192       min server.
193
194   add_principal
195          add_principal [options] newprinc
196
197       Creates  the principal newprinc, prompting twice for a password.  If no
198       password policy is specified with the -policy option,  and  the  policy
199       named default is assigned to the principal if it exists.  However, cre‐
200       ating a policy named default will not automatically assign this  policy
201       to  previously existing principals.  This policy assignment can be sup‐
202       pressed with the -clearpolicy option.
203
204       This command requires the add privilege.
205
206       Aliases: addprinc, ank
207
208       Options:
209
210       -expire expdate
211              (getdate string) The expiration date of the principal.
212
213       -pwexpire pwexpdate
214              (getdate string) The password expiration date.
215
216       -maxlife maxlife
217              (duration or getdate string) The maximum  ticket  life  for  the
218              principal.
219
220       -maxrenewlife maxrenewlife
221              (duration or getdate string) The maximum renewable life of tick‐
222              ets for the principal.
223
224       -kvno kvno
225              The initial key version number.
226
227       -policy policy
228              The password policy used by this principal.  If  not  specified,
229              the  policy default is used if it exists (unless -clearpolicy is
230              specified).
231
232       -clearpolicy
233              Prevents any policy from being  assigned  when  -policy  is  not
234              specified.
235
236       {-|+}allow_postdated
237              -allow_postdated  prohibits  this principal from obtaining post‐
238              dated tickets.  +allow_postdated clears this flag.
239
240       {-|+}allow_forwardable
241              -allow_forwardable prohibits this principal from obtaining  for‐
242              wardable tickets.  +allow_forwardable clears this flag.
243
244       {-|+}allow_renewable
245              -allow_renewable  prohibits this principal from obtaining renew‐
246              able tickets.  +allow_renewable clears this flag.
247
248       {-|+}allow_proxiable
249              -allow_proxiable prohibits this principal from obtaining  proxi‐
250              able tickets.  +allow_proxiable clears this flag.
251
252       {-|+}allow_dup_skey
253              -allow_dup_skey  disables  user-to-user  authentication for this
254              principal by prohibiting others from obtaining a service  ticket
255              encrypted  in this principal's TGT session key.  +allow_dup_skey
256              clears this flag.
257
258       {-|+}requires_preauth
259              +requires_preauth requires this principal to preauthenticate be‐
260              fore  being  allowed  to  kinit.   -requires_preauth clears this
261              flag.  When +requires_preauth is set on a service principal, the
262              KDC  will  only issue service tickets for that service principal
263              if the  client's  initial  authentication  was  performed  using
264              preauthentication.
265
266       {-|+}requires_hwauth
267              +requires_hwauth  requires this principal to preauthenticate us‐
268              ing a hardware device  before  being  allowed  to  kinit.   -re‐
269              quires_hwauth clears this flag.  When +requires_hwauth is set on
270              a service principal, the KDC will only issue service tickets for
271              that  service  principal  if the client's initial authentication
272              was performed using a hardware device to preauthenticate.
273
274       {-|+}ok_as_delegate
275              +ok_as_delegate sets the okay as delegate flag on tickets issued
276              with  this  principal as the service.  Clients may use this flag
277              as a hint that credentials should be delegated when authenticat‐
278              ing to the service.  -ok_as_delegate clears this flag.
279
280       {-|+}allow_svr
281              -allow_svr  prohibits  the  issuance of service tickets for this
282              principal.  In release  1.17  and  later,  user-to-user  service
283              tickets  are  still  allowed  unless the -allow_dup_skey flag is
284              also set.  +allow_svr clears this flag.
285
286       {-|+}allow_tgs_req
287              -allow_tgs_req specifies that a  Ticket-Granting  Service  (TGS)
288              request  for  a service ticket for this principal is not permit‐
289              ted.  +allow_tgs_req clears this flag.
290
291       {-|+}allow_tix
292              -allow_tix forbids the issuance of any tickets for this  princi‐
293              pal.  +allow_tix clears this flag.
294
295       {-|+}needchange
296              +needchange forces a password change on the next initial authen‐
297              tication to this principal.  -needchange clears this flag.
298
299       {-|+}password_changing_service
300              +password_changing_service marks this principal  as  a  password
301              change service principal.
302
303       {-|+}ok_to_auth_as_delegate
304              +ok_to_auth_as_delegate  allows  this  principal to acquire for‐
305              wardable tickets to itself from arbitrary users,  for  use  with
306              constrained delegation.
307
308       {-|+}no_auth_data_required
309              +no_auth_data_required  prevents  PAC or AD-SIGNEDPATH data from
310              being added to service tickets for the principal.
311
312       {-|+}lockdown_keys
313              +lockdown_keys prevents keys for this principal from leaving the
314              KDC  via  kadmind.  The chpass and extract operations are denied
315              for a principal with this attribute.  The  chrand  operation  is
316              allowed,  but  will not return the new keys.  The delete and re‐
317              name operations are also denied if this attribute is set, in or‐
318              der  to prevent a malicious administrator from replacing princi‐
319              pals like krbtgt/* or kadmin/* with new principals  without  the
320              attribute.   This attribute can be set via the network protocol,
321              but can only be removed using kadmin.local.
322
323       -randkey
324              Sets the key of the principal to a random value.
325
326       -nokey Causes the principal to be created with no key.  New in  release
327              1.12.
328
329       -pw password
330              Sets  the  password of the principal to the specified string and
331              does not prompt for a password.  Note: using this  option  in  a
332              shell  script may expose the password to other users on the sys‐
333              tem via the process list.
334
335       -e enc:salt,...
336              Uses the specified keysalt list for  setting  the  keys  of  the
337              principal.   See Keysalt_lists in kdc.conf(5) for a list of pos‐
338              sible values.
339
340       -x db_princ_args
341              Indicates database-specific options.  The options for  the  LDAP
342              database module are:
343
344              -x dn=dn
345                     Specifies  the LDAP object that will contain the Kerberos
346                     principal being created.
347
348              -x linkdn=dn
349                     Specifies the LDAP object to which the newly created Ker‐
350                     beros principal object will point.
351
352              -x containerdn=container_dn
353                     Specifies  the  container object under which the Kerberos
354                     principal is to be created.
355
356              -x tktpolicy=policy
357                     Associates a ticket policy to the Kerberos principal.
358
359              NOTE:
360
361                 • The containerdn and linkdn options cannot be specified with
362                   the dn option.
363
364                 • If  the  dn  or containerdn options are not specified while
365                   adding the principal, the principals are created under  the
366                   principal  container  configured  in the realm or the realm
367                   container.
368
369dn and containerdn should be within the subtrees or princi‐
370                   pal container configured in the realm.
371
372       Example:
373
374          kadmin: addprinc jennifer
375          No policy specified for "jennifer@ATHENA.MIT.EDU";
376          defaulting to no policy.
377          Enter password for principal jennifer@ATHENA.MIT.EDU:
378          Re-enter password for principal jennifer@ATHENA.MIT.EDU:
379          Principal "jennifer@ATHENA.MIT.EDU" created.
380          kadmin:
381
382   modify_principal
383          modify_principal [options] principal
384
385       Modifies  the  specified  principal,  changing the fields as specified.
386       The options to add_principal also apply to this command, except for the
387       -randkey,  -pw,  and  -e options.  In addition, the option -clearpolicy
388       will clear the current policy of a principal.
389
390       This command requires the modify privilege.
391
392       Alias: modprinc
393
394       Options (in addition to the addprinc options):
395
396       -unlock
397              Unlocks a locked principal (one  which  has  received  too  many
398              failed  authentication attempts without enough time between them
399              according to its password policy) so that  it  can  successfully
400              authenticate.
401
402   rename_principal
403          rename_principal [-force] old_principal new_principal
404
405       Renames  the  specified  old_principal  to new_principal.  This command
406       prompts for confirmation, unless the -force option is given.
407
408       This command requires the add and delete privileges.
409
410       Alias: renprinc
411
412   delete_principal
413          delete_principal [-force] principal
414
415       Deletes the  specified  principal  from  the  database.   This  command
416       prompts for deletion, unless the -force option is given.
417
418       This command requires the delete privilege.
419
420       Alias: delprinc
421
422   change_password
423          change_password [options] principal
424
425       Changes  the password of principal.  Prompts for a new password if nei‐
426       ther -randkey or -pw is specified.
427
428       This command requires the changepw privilege,  or  that  the  principal
429       running the program is the same as the principal being changed.
430
431       Alias: cpw
432
433       The following options are available:
434
435       -randkey
436              Sets the key of the principal to a random value.
437
438       -pw password
439              Set  the password to the specified string.  Using this option in
440              a script may expose the password to other users  on  the  system
441              via the process list.
442
443       -e enc:salt,...
444              Uses  the  specified  keysalt  list  for setting the keys of the
445              principal.  See Keysalt_lists in kdc.conf(5) for a list of  pos‐
446              sible values.
447
448       -keepold
449              Keeps  the  existing keys in the database.  This flag is usually
450              not necessary except perhaps for krbtgt principals.
451
452       Example:
453
454          kadmin: cpw systest
455          Enter password for principal systest@BLEEP.COM:
456          Re-enter password for principal systest@BLEEP.COM:
457          Password for systest@BLEEP.COM changed.
458          kadmin:
459
460   purgekeys
461          purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal
462
463       Purges previously retained old keys (e.g., from change_password  -keep‐
464       old)  from principal.  If -keepkvno is specified, then only purges keys
465       with kvnos lower than oldest_kvno_to_keep.  If -all is specified,  then
466       all keys are purged.  The -all option is new in release 1.12.
467
468       This command requires the modify privilege.
469
470   get_principal
471          get_principal [-terse] principal
472
473       Gets  the  attributes  of  principal.   With the -terse option, outputs
474       fields as quoted tab-separated strings.
475
476       This command requires the inquire privilege, or that the principal run‐
477       ning the the program to be the same as the one being listed.
478
479       Alias: getprinc
480
481       Examples:
482
483          kadmin: getprinc tlyu/admin
484          Principal: tlyu/admin@BLEEP.COM
485          Expiration date: [never]
486          Last password change: Mon Aug 12 14:16:47 EDT 1996
487          Password expiration date: [never]
488          Maximum ticket life: 0 days 10:00:00
489          Maximum renewable life: 7 days 00:00:00
490          Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
491          Last successful authentication: [never]
492          Last failed authentication: [never]
493          Failed password attempts: 0
494          Number of keys: 1
495          Key: vno 1, aes256-cts-hmac-sha384-192
496          MKey: vno 1
497          Attributes:
498          Policy: [none]
499
500          kadmin: getprinc -terse systest
501          systest@BLEEP.COM   3    86400     604800    1
502          785926535 753241234 785900000
503          tlyu/admin@BLEEP.COM     786100034 0    0
504          kadmin:
505
506   list_principals
507          list_principals [expression]
508
509       Retrieves  all  or  some  principal names.  expression is a shell-style
510       glob expression that can contain the wild-card characters ?, *, and [].
511       All principal names matching the expression are printed.  If no expres‐
512       sion is provided, all principal names are printed.  If  the  expression
513       does  not  contain an @ character, an @ character followed by the local
514       realm is appended to the expression.
515
516       This command requires the list privilege.
517
518       Alias: listprincs, get_principals, getprincs
519
520       Example:
521
522          kadmin:  listprincs test*
523          test3@SECURE-TEST.OV.COM
524          test2@SECURE-TEST.OV.COM
525          test1@SECURE-TEST.OV.COM
526          testuser@SECURE-TEST.OV.COM
527          kadmin:
528
529   get_strings
530          get_strings principal
531
532       Displays string attributes on principal.
533
534       This command requires the inquire privilege.
535
536       Alias: getstrs
537
538   set_string
539          set_string principal name value
540
541       Sets a string attribute on principal.  String attributes  are  used  to
542       supply  per-principal configuration to the KDC and some KDC plugin mod‐
543       ules.  The following string attribute names are recognized by the KDC:
544
545       require_auth
546              Specifies an authentication indicator which is required  to  au‐
547              thenticate  to  the principal as a service.  Multiple indicators
548              can be specified, separated by spaces; in this case any  of  the
549              specified indicators will be accepted.  (New in release 1.14.)
550
551       session_enctypes
552              Specifies  the  encryption types supported for session keys when
553              the principal is authenticated to  as  a  server.   See  Encryp‐
554              tion_types in kdc.conf(5) for a list of the accepted values.
555
556       otp    Enables  One Time Passwords (OTP) preauthentication for a client
557              principal.  The value is a JSON string representing an array  of
558              objects, each having optional type and username fields.
559
560       pkinit_cert_match
561              Specifies a matching expression that defines the certificate at‐
562              tributes required for the client certificate used by the princi‐
563              pal during PKINIT authentication.  The matching expression is in
564              the same format as those used by the pkinit_cert_match option in
565              krb5.conf(5).  (New in release 1.16.)
566
567       This command requires the modify privilege.
568
569       Alias: setstr
570
571       Example:
572
573          set_string host/foo.mit.edu session_enctypes aes128-cts
574          set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
575
576   del_string
577          del_string principal key
578
579       Deletes a string attribute from principal.
580
581       This command requires the delete privilege.
582
583       Alias: delstr
584
585   add_policy
586          add_policy [options] policy
587
588       Adds a password policy named policy to the database.
589
590       This command requires the add privilege.
591
592       Alias: addpol
593
594       The following options are available:
595
596       -maxlife time
597              (duration  or  getdate  string)  Sets  the maximum lifetime of a
598              password.
599
600       -minlife time
601              (duration or getdate string) Sets  the  minimum  lifetime  of  a
602              password.
603
604       -minlength length
605              Sets the minimum length of a password.
606
607       -minclasses number
608              Sets the minimum number of character classes required in a pass‐
609              word.  The five character classes are lower  case,  upper  case,
610              numbers, punctuation, and whitespace/unprintable characters.
611
612       -history number
613              Sets  the number of past keys kept for a principal.  This option
614              is not supported with the LDAP KDC database module.
615
616       -maxfailure maxnumber
617              Sets the number of authentication failures before the  principal
618              is locked.  Authentication failures are only tracked for princi‐
619              pals which require preauthentication.  The counter of failed at‐
620              tempts  resets  to 0 after a successful attempt to authenticate.
621              A maxnumber value of 0 (the default) disables lockout.
622
623       -failurecountinterval failuretime
624              (duration or getdate string) Sets the allowable time between au‐
625              thentication failures.  If an authentication failure happens af‐
626              ter failuretime has elapsed since the previous failure, the num‐
627              ber  of  authentication  failures  is reset to 1.  A failuretime
628              value of 0 (the default) means forever.
629
630       -lockoutduration lockouttime
631              (duration or getdate string) Sets the  duration  for  which  the
632              principal  is locked from authenticating if too many authentica‐
633              tion failures occur without the specified failure count interval
634              elapsing.  A duration of 0 (the default) means the principal re‐
635              mains locked out until it is administratively unlocked with mod‐
636              princ -unlock.
637
638       -allowedkeysalts
639              Specifies  the key/salt tuples supported for long-term keys when
640              setting  or   changing   a   principal's   password/keys.    See
641              Keysalt_lists  in kdc.conf(5) for a list of the accepted values,
642              but note that key/salt tuples  must  be  separated  with  commas
643              (',') only.  To clear the allowed key/salt policy use a value of
644              '-'.
645
646       Example:
647
648          kadmin: add_policy -maxlife "2 days" -minlength 5 guests
649          kadmin:
650
651   modify_policy
652          modify_policy [options] policy
653
654       Modifies the password policy named policy.  Options  are  as  described
655       for add_policy.
656
657       This command requires the modify privilege.
658
659       Alias: modpol
660
661   delete_policy
662          delete_policy [-force] policy
663
664       Deletes the password policy named policy.  Prompts for confirmation be‐
665       fore deletion.  The command will fail if the policy is in  use  by  any
666       principals.
667
668       This command requires the delete privilege.
669
670       Alias: delpol
671
672       Example:
673
674          kadmin: del_policy guests
675          Are you sure you want to delete the policy "guests"?
676          (yes/no): yes
677          kadmin:
678
679   get_policy
680          get_policy [ -terse ] policy
681
682       Displays  the  values  of  the  password policy named policy.  With the
683       -terse flag, outputs the fields as quoted strings separated by tabs.
684
685       This command requires the inquire privilege.
686
687       Alias: getpol
688
689       Examples:
690
691          kadmin: get_policy admin
692          Policy: admin
693          Maximum password life: 180 days 00:00:00
694          Minimum password life: 00:00:00
695          Minimum password length: 6
696          Minimum number of password character classes: 2
697          Number of old keys kept: 5
698          Reference count: 17
699
700          kadmin: get_policy -terse admin
701          admin     15552000  0    6    2    5    17
702          kadmin:
703
704       The "Reference count" is the number of principals  using  that  policy.
705       With  the  LDAP  KDC  database module, the reference count field is not
706       meaningful.
707
708   list_policies
709          list_policies [expression]
710
711       Retrieves all or some policy names.  expression is a  shell-style  glob
712       expression that can contain the wild-card characters ?, *, and [].  All
713       policy names matching the expression are printed.  If no expression  is
714       provided, all existing policy names are printed.
715
716       This command requires the list privilege.
717
718       Aliases: listpols, get_policies, getpols.
719
720       Examples:
721
722          kadmin:  listpols
723          test-pol
724          dict-only
725          once-a-min
726          test-pol-nopw
727
728          kadmin:  listpols t*
729          test-pol
730          test-pol-nopw
731          kadmin:
732
733   ktadd
734          ktadd [options] principal
735          ktadd [options] -glob princ-exp
736
737
738       Adds  a  principal,  or  all principals matching princ-exp, to a keytab
739       file.  Each principal's keys are randomized in the process.  The  rules
740       for princ-exp are described in the list_principals command.
741
742       This  command  requires  the inquire and changepw privileges.  With the
743       -glob form, it also requires the list privilege.
744
745       The options are:
746
747       -k[eytab] keytab
748              Use keytab as the keytab file.  Otherwise, the default keytab is
749              used.
750
751       -e enc:salt,...
752              Uses  the specified keysalt list for setting the new keys of the
753              principal.  See Keysalt_lists in kdc.conf(5) for a list of  pos‐
754              sible values.
755
756       -q     Display less verbose information.
757
758       -norandkey
759              Do  not  randomize  the keys. The keys and their version numbers
760              stay unchanged.  This option cannot be specified in  combination
761              with the -e option.
762
763       An  entry for each of the principal's unique encryption types is added,
764       ignoring multiple keys with the same encryption type but different salt
765       types.
766
767       Alias: xst
768
769       Example:
770
771          kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
772          Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
773               encryption type aes256-cts-hmac-sha1-96 added to keytab
774               FILE:/tmp/foo-new-keytab
775          kadmin:
776
777   ktremove
778          ktremove [options] principal [kvno | all | old]
779
780       Removes entries for the specified principal from a keytab.  Requires no
781       permissions, since this does not require database access.
782
783       If the string "all" is specified, all entries for  that  principal  are
784       removed; if the string "old" is specified, all entries for that princi‐
785       pal except those with the highest kvno  are  removed.   Otherwise,  the
786       value  specified  is  parsed  as an integer, and all entries whose kvno
787       match that integer are removed.
788
789       The options are:
790
791       -k[eytab] keytab
792              Use keytab as the keytab file.  Otherwise, the default keytab is
793              used.
794
795       -q     Display less verbose information.
796
797       Alias: ktrem
798
799       Example:
800
801          kadmin: ktremove kadmin/admin all
802          Entry for principal kadmin/admin with kvno 3 removed from keytab
803               FILE:/etc/krb5.keytab
804          kadmin:
805
806   lock
807       Lock  database  exclusively.   Use  with extreme caution!  This command
808       only works with the DB2 KDC database module.
809
810   unlock
811       Release the exclusive database lock.
812
813   list_requests
814       Lists available for kadmin requests.
815
816       Aliases: lr, ?
817
818   quit
819       Exit program.  If the database was locked, the lock is released.
820
821       Aliases: exit, q
822

HISTORY

824       The kadmin program was originally written by Tom Yu at MIT, as  an  in‐
825       terface to the OpenVision Kerberos administration program.
826

ENVIRONMENT

828       See kerberos(7) for a description of Kerberos environment variables.
829

SEE ALSO

831       kpasswd(1), kadmind(8), kerberos(7)
832

AUTHOR

834       MIT
835
837       1985-2022, MIT
838
839
840
841
8421.19.2                                                               KADMIN(1)
Impressum