kadmin(1M)              System Administration Commands              kadmin(1M)

NAME

       kadmin, kadmin.local - Kerberos database administration program

SYNOPSIS

       /usr/sbin/kadmin [-r realm] [-p principal] [-q query]
        [-s admin_server[:port]] [ [-c credential_cache]
        | [-k [-t keytab]] | [-w password]] [-x db_args]...

       /usr/sbin/kadmin.local [-r realm] [-p principal]
        [-q query] [-d dbname] [-e "enc:salt..."] [-m] [-D]


DESCRIPTION

       kadmin and kadmin.local are interactive command-line interfaces to the
       Kerberos V5 administration system. They provide for the maintenance of
       Kerberos principals, policies, and service key tables (keytabs). kadmin
       and kadmin.local provide identical functionality; the difference is
       that kadmin.local can run only on the master KDC and does not use
       Kerberos authentication.

       Except as explicitly noted otherwise, this man page uses kadmin to
       refer to both versions.

       By default, both versions of kadmin attempt to determine your user name
       and perform operations on behalf of your "username/admin" instance.
       Operations performed are subject to privileges granted or denied to
       this user instance by the Kerberos ACL file (see kadm5.acl(4)). You may
       perform administration as another user instance by using the -p option.

       The remote version, kadmin, uses Kerberos authentication and an
       encrypted RPC to operate securely from anywhere on the network. It
       normally prompts for a password and authenticates the user to the
       Kerberos administration server, kadmind, whose service principal is
       kadmin/fqdn. Some options specific to the remote version permit the
       password prompt to be bypassed. The -c option searches the named
       credentials cache for a valid ticket for the kadmin/fqdn service and
       uses it to authenticate the user to the Kerberos admin server without a
       password. The -k option searches a keytab for a credential to
       authenticate to the kadmin/fqdn service, and again no password is
       collected. If kadmin has collected a password, it requests a
       kadmin/fqdn Kerberos service ticket from the KDC, and uses that service
       ticket to interact with kadmind.

       The local version, kadmin.local, must be run with an effective UID of
       root, and normally uses a key from the /var/krb5/.k5.realm stash file
       (see kdb5_util(1M)) to decrypt information from the database rather
       than prompting for a password. The -m option will bypass the .k5.realm
       stash file and prompt for the master password.


OPTIONS

       The following options are supported:

       -c credentials_cache

           Search credentials_cache for a service ticket for the kadmin/fqdn
           service; it can be acquired with the kinit(1) program. If this
           option is not specified, kadmin requests a new service ticket from
           the KDC, and stores it in its own temporary credentials cache.

       -d dbname

           Specify a non-standard database name. [Local only]

       -D

           Turn on debug mode. [Local only]

       -e "enc:salt ..."

           Specify a different encryption type and/or key salt. [Local only]

       -k [-t keytab]

           Use the default keytab (-k) or a specific keytab (-t keytab) to
           decrypt the KDC response instead of prompting for a password. In
           this case, the default principal will be host/hostname. This is
           primarily used for keytab maintenance.

       -m

           Accept the database master password from the keyboard rather than
           using the /var/krb5/.k5.realm stash file. [Local only]

       -p principal

           Authenticate principal to the kadmin/fqdn service. Otherwise,
           kadmin will append /admin to the primary principal name of the
           default credentials cache, the value of the USER environment
           variable, or the username as obtained with getpwuid, in that order
           of preference.

       -q query

           Pass query directly to kadmin, which will perform query and then
           exit. This can be useful for writing scripts.

       -r realm

           Use realm as the default database realm.

       -s admin_server[:port]

           Administer the specified admin server at the specified port number
           (port). This can be useful in administering a realm not known to
           your client.

       -w password

           Use password instead of prompting for one. Note that placing the
           password for a Kerberos principal with administration access into a
           shell script can be dangerous if unauthorized users gain read
           access to the script or can read arguments of this command through
           ps(1).

       -x db_args

           Pass database-specific arguments to kadmin. Supported arguments are
           for LDAP and the Berkeley-db2 plug-in. These arguments are:

           binddn=binddn

               LDAP simple bind DN for authorization on the directory server.
               Overrides the ldap_kadmind_dn parameter setting in
               krb5.conf(4).

           bindpwd=bindpwd

               Bind password.

           dbname=name

               For the Berkeley-db2 plug-in, specifies a name for the Kerberos
               database.

           nconns=num

               Maximum number of server connections.

           port=num

               Directory server connection port.

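       The caveat on -w (and the matching one on add_principal's -pw, which
       appears under COMMANDS) is easiest to act on with a routine check of
       the scripts that call kadmin. The following is an added example, not
       code from this man page or from the Kerberos distribution: a Python
       scan that finds kadmin and kadmin.local invocations carrying a password
       literal, either -w on the command line or -pw inside a -q query, and
       reports them with the secret masked. The sample script text, the
       recognised command names and the set of subcommands that accept -pw
       are all constructed for the example.

```python
import re
import shlex

# Constructed sample of a maintenance script (not from the man page). Two of
# the four kadmin lines embed a password; the other two use a keytab instead.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly Kerberos housekeeping (constructed sample)
kadmin -p ops/admin -w Hunter2 -q "listprincs"
kadmin.local -q "addprinc -pw S3cret! svc/backup"
kadmin -p ops/admin -k -t /etc/krb5/ops.keytab -q "cpw -randkey svc/backup"
kadmin -p ops/admin -k -t /etc/krb5/ops.keytab -q "ktadd -k /tmp/b.keytab svc/backup"
"""

KADMIN_COMMANDS = {"kadmin", "kadmin.local"}
# Subcommands (with their aliases from the COMMANDS section) that accept -pw.
PW_SUBCOMMANDS = {"add_principal", "addprinc", "ank", "change_password", "cpw"}


def query_has_pw(query):
    """True if a -q query string sets a key from a literal via -pw."""
    try:
        words = shlex.split(query)
    except ValueError:
        words = query.split()
    return bool(words) and words[0] in PW_SUBCOMMANDS and "-pw" in words[1:]


def find_embedded_passwords(script_text):
    """Scan script text line by line; return (line_no, reason) pairs for every
    kadmin or kadmin.local invocation that carries a password literal."""
    findings = []
    for line_no, line in enumerate(script_text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        try:
            argv = shlex.split(stripped)
        except ValueError:
            continue  # unbalanced quotes: not a command line we can parse
        if not argv or argv[0].rsplit("/", 1)[-1] not in KADMIN_COMMANDS:
            continue
        for i, tok in enumerate(argv[1:], start=1):
            if tok == "-w" and i + 1 < len(argv):
                findings.append((line_no, "-w password on command line (visible via ps)"))
            elif tok == "-q" and i + 1 < len(argv) and query_has_pw(argv[i + 1]):
                findings.append((line_no, "-pw literal inside -q query"))
    return findings


def redact(line):
    """Mask the token that follows -w or -pw so a finding can be logged
    without copying the secret into another file."""
    return re.sub(r"(-(?:w|pw)\s+)(\S+)", r"\1****", line)


if __name__ == "__main__":
    lines = SAMPLE_SCRIPT.splitlines()
    for line_no, reason in find_embedded_passwords(SAMPLE_SCRIPT):
        print(f"line {line_no}: {reason}: {redact(lines[line_no - 1])}")
```

       Run against the sample, the scan reports lines 3 and 4 and leaves the
       two keytab-based lines alone, which is the pattern the -k/-t options
       above exist for: the credential lives in a file with its own
       permissions rather than in the script or the process arguments.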

COMMANDS

       list_requests

           Lists all the commands available for kadmin. Aliased by lr and ?.

       get_privs

           Lists the current Kerberos administration privileges (ACLs) for the
           principal that is currently running kadmin. The privileges are
           based on the /etc/krb5/kadm5.acl file on the master KDC. Aliased by
           getprivs.

       add_principal [options] newprinc

           Creates a new principal, newprinc, prompting twice for a password.
           If the -policy option is not specified and a policy named default
           exists, then the default policy is assigned to the principal; note
           that the assignment of the default policy occurs automatically only
           when a principal is first created, so the default policy must
           already exist for the assignment to occur. The automatic assignment
           of the default policy can be suppressed with the -clearpolicy
           option. This command requires the add privilege. Aliased by
           addprinc and ank. The options are:

           -expire expdate

               Expiration date of the principal. See the Time Formats section
               for the valid absolute time formats that you can specify for
               expdate.

           -pwexpire pwexpdate

               Password expiration date. See the Time Formats section for the
               valid absolute time formats that you can specify for pwexpdate.

           -maxlife maxlife

               Maximum ticket life for the principal. See the Time Formats
               section for the valid time duration formats that you can
               specify for maxlife.

           -maxrenewlife maxrenewlife

               Maximum renewable life of tickets for the principal. See the
               Time Formats section for the valid time duration formats that
               you can specify for maxrenewlife.

           -kvno kvno

               Explicitly set the key version number.

           -policy policy

               Policy used by the principal. If neither -policy nor
               -clearpolicy is specified, the default policy is used if it
               exists; otherwise, the principal will have no policy. Also
               note that the password and principal name must be different
               when you add a new principal with a specific policy or the
               default policy.

           -clearpolicy

               -clearpolicy prevents the default policy from being assigned
               when -policy is not specified. This option has no effect if the
               default policy does not exist.

           {-|+}allow_postdated

               -allow_postdated prohibits the principal from obtaining
               postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)
               +allow_postdated clears this flag.

           {-|+}allow_forwardable

               -allow_forwardable prohibits the principal from obtaining
               forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDABLE
               flag.) +allow_forwardable clears this flag.

           {-|+}allow_renewable

               -allow_renewable prohibits the principal from obtaining
               renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)
               +allow_renewable clears this flag.

           {-|+}allow_proxiable

               -allow_proxiable prohibits the principal from obtaining
               proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)
               +allow_proxiable clears this flag.

           {-|+}allow_dup_skey

               -allow_dup_skey disables user-to-user authentication for the
               principal by prohibiting this principal from obtaining a
               session key for another user. (Sets the
               KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears this
               flag.

           {-|+}requires_preauth

               +requires_preauth requires the principal to preauthenticate
               before being allowed to kinit. (Sets the
               KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this
               flag.

           {-|+}requires_hwauth

               +requires_hwauth requires the principal to preauthenticate
               using a hardware device before being allowed to kinit. (Sets
               the KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth clears
               this flag.

           {-|+}allow_svr

               -allow_svr prohibits the issuance of service tickets for the
               principal. (Sets the KRB5_KDB_DISALLOW_SVR flag.) +allow_svr
               clears this flag.

           {-|+}allow_tgs_req

               -allow_tgs_req specifies that a Ticket-Granting Service (TGS)
               request for a service ticket for the principal is not
               permitted. This option is useless for most things.
               +allow_tgs_req clears this flag. The default is +allow_tgs_req.
               In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED
               flag on the principal in the database.

           {-|+}allow_tix

               -allow_tix forbids the issuance of any tickets for the
               principal. +allow_tix clears this flag. The default is
               +allow_tix. In effect, -allow_tix sets the
               KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

           {-|+}needchange

               +needchange sets a flag in the attributes field to force a
               password change; -needchange clears it. The default is
               -needchange. In effect, +needchange sets the
               KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
               database.

           {-|+}password_changing_service

               +password_changing_service sets a flag in the attributes field
               marking this as a password change service principal (useless
               for most things). -password_changing_service clears the flag.
               This flag intentionally has a long name. The default is
               -password_changing_service. In effect,
               +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE
               flag on the principal in the database.

           -randkey

               Sets the key of the principal to a random value.

           -pw password

               Sets the key of the principal to the specified string and does
               not prompt for a password. Note that using this option in a
               shell script can be dangerous if unauthorized users gain read
               access to the script.

           -e "enc:salt ..."

               Override the list of enctype:salttype pairs given in
               kdc.conf(4) for setting the key of the principal. The quotes
               are necessary if there are multiple enctype:salttype pairs. One
               key for each similar enctype and same salttype will be created
               and the first one listed will be used. For example, in a list
               of two similar enctypes with the same salt, "des-cbc-crc:normal
               des-cbc-md5:normal", one key will be created and it will be of
               type des-cbc-crc:normal.

           Example:

                 kadmin: addprinc tlyu/admin
                 WARNING: no policy specified for "tlyu/admin@ACME.COM";
                 defaulting to no policy.
                 Enter password for principal tlyu/admin@ACME.COM:
                 Re-enter password for principal tlyu/admin@ACME.COM:
                 Principal "tlyu/admin@ACME.COM" created.
                 kadmin:

           Errors:

               KADM5_AUTH_ADD (requires add privilege)

               KADM5_BAD_MASK (should not happen)

               KADM5_DUP (principal exists already)

               KADM5_UNK_POLICY (policy does not exist)

               KADM5_PASS_Q_* (password quality violations)

390
391
       delete_principal [-force] principal

           Deletes the specified principal from the database. This command
           prompts for confirmation before deleting, unless the -force option
           is given. This command requires the delete privilege. Aliased by
           delprinc.

           Example:

                 kadmin: delprinc mwm_user
                 Are you sure you want to delete the principal
                 "mwm_user@ACME.COM"? (yes/no): yes
                 Principal "mwm_user@ACME.COM" deleted.
                 Make sure that you have removed this principal from
                 all kadmind ACLs before reusing.
                 kadmin:

           Errors:

               KADM5_AUTH_DELETE (requires delete privilege)

               KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal

           Modifies the specified principal, changing the fields as specified.
           The options are as above for add_principal, except that password
           changing is forbidden by this command. In addition, the option
           -clearpolicy will clear the current policy of a principal. This
           command requires the modify privilege. Aliased by modprinc.

           Errors:

               KADM5_AUTH_MODIFY (requires modify privilege)

               KADM5_UNK_PRINC (principal does not exist)

               KADM5_UNK_POLICY (policy does not exist)

               KADM5_BAD_MASK (should not happen)

       change_password [options] principal

           Changes the password of principal. Prompts for a new password if
           neither -randkey nor -pw is specified. Requires the changepw
           privilege, or that the principal running the program be the same
           as the one being changed. Aliased by cpw. The following options are
           available:

           -randkey

               Sets the key of the principal to a random value.

           -pw password

               Sets the password to the specified string. Not recommended.

           -e "enc:salt ..."

               Override the list of enctype:salttype pairs given in
               kdc.conf(4) for setting the key of the principal. The quotes
               are necessary if there are multiple enctype:salttype pairs. For
               each key, the first matching similar enctype and same salttype
               in the list will be used to set the new key(s).

           -keepold

               Keeps the previous kvno's keys around. There is no easy way to
               delete the old keys, and this flag is usually not necessary
               except perhaps for TGS keys, as it will allow existing valid
               TGTs to continue to work.

           Example:

                 kadmin: cpw systest
                 Enter password for principal systest@ACME.COM:
                 Re-enter password for principal systest@ACME.COM:
                 Password for systest@ACME.COM changed.
                 kadmin:

           Errors:

               KADM5_AUTH_MODIFY (requires the modify privilege)

               KADM5_UNK_PRINC (principal does not exist)

               KADM5_PASS_Q_* (password policy violation errors)

               KADM5_PASS_REUSE (password is in principal's password history)

               KADM5_PASS_TOOSOON (current password minimum life not expired)

       get_principal [-terse] principal

           Gets the attributes of principal. Requires the inquire privilege,
           or that the principal running the program be the same as the one
           being listed. With the -terse option, outputs fields as quoted
           tab-separated strings. Aliased by getprinc.

           Examples:

                 kadmin: getprinc tlyu/admin
                 Principal: tlyu/admin@ACME.COM
                 Expiration date: [never]
                 Last password change: Thu Jan 03 12:17:46 CET 2008
                 Password expiration date: [none]
                 Maximum ticket life: 24855 days 03:14:07
                 Maximum renewable life: 24855 days 03:14:07
                 Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM)
                 Last successful authentication: [never]
                 Last failed authentication: [never]
                 Failed password attempts: 0
                 Number of keys: 5
                 Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
                 Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
                 Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
                 Key: vno 2, ArcFour with HMAC/md5, no salt
                 Key: vno 2, DES cbc mode with RSA-MD5, no salt
                 Attributes: REQUIRES_PRE_AUTH
                 Policy: [none]
                 kadmin: getprinc -terse tlyu/admin
                 "tlyu/admin@ACME.COM"   0       1199359066      0       2147483647
                 "root/admin@ACME.COM"   1199359066      128     2       0       "[none]"
                 2147483647      0       0       0       5       1       2       18      0
                 1       2       17      0       1       2       16      0       1       2
                 23      0       1       2       3       0
                 kadmin:

           Errors:

               KADM5_AUTH_GET (requires the get [inquire] privilege)

               KADM5_UNK_PRINC (principal does not exist)

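           The verbose getprinc listing above is what an administrator reads
           when reviewing a principal, and most of the review questions are
           mechanical. As an added example (not code from this man page or
           from Kerberos), here is a Python parser for that output together
           with an audit that flags what a reviewer looks for: keys of legacy
           enctypes, a principal that does not carry REQUIRES_PRE_AUTH, no
           policy attached, and a key count that disagrees with the Key lines.
           The sample input is a constructed copy of the listing shown above,
           and the list of enctype names treated as legacy is this example's
           own choice, not something the page defines.

```python
import re

# Constructed copy of the verbose getprinc listing from the man page example,
# embedded here as sample input.
SAMPLE_GETPRINC = """\
Principal: tlyu/admin@ACME.COM
Expiration date: [never]
Last password change: Thu Jan 03 12:17:46 CET 2008
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
"""

# Substrings of enctype names this audit treats as legacy. The list is the
# example's own choice, not something the man page defines.
LEGACY_ENCTYPE_MARKERS = ("DES cbc", "Triple DES", "ArcFour")

KEY_RE = re.compile(r"^Key: vno (\d+), (.+?), (.+)$")


def parse_getprinc(text):
    """Parse verbose getprinc output into a dict of field -> value, with
    'keys' as a list of (kvno, enctype, salt) and 'attributes' as a set."""
    rec = {"keys": [], "attributes": set()}
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            rec["keys"].append((int(m[1]), m[2], m[3]))
            continue
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Attributes":
            rec["attributes"] = set() if value in ("", "[none]") else set(value.split())
        else:
            rec[field] = value
    return rec


def audit_principal(rec):
    """Return the findings a reviewer would raise from one getprinc record."""
    findings = []
    for kvno, enctype, _salt in rec["keys"]:
        if any(marker in enctype for marker in LEGACY_ENCTYPE_MARKERS):
            findings.append(f"legacy enctype key (vno {kvno}): {enctype}")
    if "REQUIRES_PRE_AUTH" not in rec["attributes"]:
        findings.append("preauthentication not required (+requires_preauth unset)")
    if rec.get("Policy", "[none]") == "[none]":
        findings.append("no password policy assigned")
    declared = int(rec.get("Number of keys", len(rec["keys"])))
    if declared != len(rec["keys"]):
        findings.append(f"key count mismatch: {declared} declared, {len(rec['keys'])} listed")
    return findings


if __name__ == "__main__":
    for finding in audit_principal(parse_getprinc(SAMPLE_GETPRINC)):
        print(finding)
```

           On the sample record the audit reports the three non-AES keys and
           the missing policy; the REQUIRES_PRE_AUTH attribute is present, so
           no preauthentication finding is raised. The same parser works on
           the output of a scripted "kadmin -q 'getprinc name'" call.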
       list_principals [expression]

           Retrieves all or some principal names. expression is a shell-style
           glob expression that can contain the wild-card characters ?, *, and
           []'s. All principal names matching the expression are printed. If
           no expression is provided, all principal names are printed. If the
           expression does not contain an "@" character, an "@" character
           followed by the local realm is appended to the expression. Requires
           the list privilege. Aliased by listprincs, get_principals, and
           getprincs.

           Examples:

                 kadmin: listprincs test*
                 test3@ACME.COM
                 test2@ACME.COM
                 test1@ACME.COM
                 testuser@ACME.COM
                 kadmin:

       add_policy [options] policy

           Adds the named policy to the policy database. Requires the add
           privilege. Aliased by addpol. The following options are available:

           -maxlife maxlife

               Sets the maximum lifetime of a password. See the Time Formats
               section for the valid time duration formats that you can
               specify for maxlife.

           -minlife minlife

               Sets the minimum lifetime of a password. See the Time Formats
               section for the valid time duration formats that you can
               specify for minlife.

           -minlength length

               Sets the minimum length of a password.

           -minclasses number

               Sets the minimum number of character classes required in a
               password. The valid values are:

               1

                   only letters (himom)

               2

                   both letters and numbers (hi2mom)

               3

                   letters, numbers, and punctuation (hi2mom!)

           -history number

               Sets the number of past keys kept for a principal.

           Errors:

               KADM5_AUTH_ADD (requires the add privilege)

               KADM5_DUP (policy already exists)

       delete_policy [-force] policy

           Deletes the named policy. Unless the -force option is specified,
           prompts for confirmation before deletion. The command will fail if
           the policy is in use by any principals. Requires the delete
           privilege. Aliased by delpol.

           Example:

                 kadmin: del_policy guests
                 Are you sure you want to delete the
                 policy "guests"? (yes/no): yes
                 Policy "guests" deleted.
                 kadmin:

           Errors:

               KADM5_AUTH_DELETE (requires the delete privilege)

               KADM5_UNK_POLICY (policy does not exist)

               KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy

           Modifies the named policy. Options are as above for add_policy.
           Requires the modify privilege. Aliased by modpol.

           Errors:

               KADM5_AUTH_MODIFY (requires the modify privilege)

               KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy

           Displays the values of the named policy. Requires the inquire
           privilege. With the -terse flag, outputs the fields as quoted
           strings separated by tabs. Aliased by getpol.

           Examples:

                 kadmin: get_policy admin
                 Policy: admin
                 Maximum password life: 180 days 00:00:00
                 Minimum password life: 00:00:00
                 Minimum password length: 6
                 Minimum number of password character classes: 2
                 Number of old keys kept: 5
                 Reference count: 17
                 kadmin: get_policy -terse admin
                 admin    15552000  0    6    2    5    17
                 kadmin:

           Errors:

               KADM5_AUTH_GET (requires the get privilege)

               KADM5_UNK_POLICY (policy does not exist)

       list_policies [expression]

           Retrieves all or some policy names. expression is a shell-style
           glob expression that can contain the wild-card characters ?, *, and
           []'s. All policy names matching the expression are printed. If no
           expression is provided, all existing policy names are printed.
           Requires the list privilege. Aliased by listpols, get_policies, and
           getpols.

           Examples:

                 kadmin: listpols
                 test-pol dict-only once-a-min test-pol-nopw
                 kadmin: listpols t*
                 test-pol test-pol-nopw
                 kadmin:

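           list_principals and list_policies share one matching rule, with a
           single difference: for principals, an expression without "@" gets
           "@" and the local realm appended before matching. The following
           Python is an added example of that rule, not kadmin's own code; the
           principal and policy names are constructed, and Python's fnmatch is
           assumed to be a close enough stand-in for kadmin's glob matcher for
           the ?, * and [] characters the page lists.

```python
import fnmatch

# Constructed sample contents of a principal database and a policy database.
PRINCIPALS = [
    "test1@ACME.COM", "test2@ACME.COM", "test3@ACME.COM", "testuser@ACME.COM",
    "host/kdc.acme.com@ACME.COM", "test1@OTHER.ORG",
]
POLICIES = ["test-pol", "dict-only", "once-a-min", "test-pol-nopw"]


def glob_filter(names, expression):
    """Shell-style match with ?, * and [] (fnmatch stands in for kadmin's
    own matcher; that is an assumption of this example)."""
    return [n for n in names if fnmatch.fnmatchcase(n, expression)]


def list_principals(names, expression=None, local_realm="ACME.COM"):
    """list_principals rule: no expression lists everything; an expression
    without '@' gets '@' + the local realm appended before matching, so
    'test*' only ever sees the local realm."""
    if expression is None:
        return list(names)
    if "@" not in expression:
        expression = f"{expression}@{local_realm}"
    return glob_filter(names, expression)


def list_policies(names, expression=None):
    """list_policies uses the same glob syntax with no realm handling."""
    if expression is None:
        return list(names)
    return glob_filter(names, expression)


if __name__ == "__main__":
    print(list_principals(PRINCIPALS, "test*"))
    print(list_principals(PRINCIPALS, "test1@*"))
    print(list_policies(POLICIES, "t*"))
```

           The realm rule is the part worth remembering when scripting with
           -q: "listprincs test*" will not show test1@OTHER.ORG in a
           multi-realm database, whereas "listprincs test1@*" will.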
       ktadd [-k keytab] [-q] [-e enctype:salt] [principal | -glob princ-exp]

           Adds a principal or all principals matching princ-exp to a keytab,
           randomizing each principal's key in the process.

           ktadd requires the inquire and changepw privileges. An entry for
           each of the principal's unique encryption types is added, ignoring
           multiple keys with the same encryption type but different salt
           types. If the -k argument is not specified, the default keytab
           file, /etc/krb5/krb5.keytab, is used.

           The "-e enctype:salt" option overrides the list of enctypes given
           in krb5.conf(4), in the permitted_enctypes parameter. If "-e
           enctype:salt" is not used and permitted_enctypes is not defined in
           krb5.conf(4), a key for each enctype supported by the system on
           which kadmin is run will be created and added to the keytab.
           Restricting the enctypes of keys in the keytab is useful when the
           system for which keys are being created does not support the same
           set of enctypes as the KDC. Note that ktadd modifies the enctype of
           the keys in the principal database as well.

           If the -q option is specified, less status information is
           displayed. Aliased by xst. The -glob option requires the list
           privilege. Also, note that if you use -glob to create a keytab, you
           need to remove /etc/krb5/kadm5.keytab and create it again if you
           want to use -p */admin with kadmin.

           princ-exp

               princ-exp follows the same rules described for the
               list_principals command.

           Example:

                 kadmin: ktadd -k /tmp/new-keytab nfs/chicago
                 Entry for principal nfs/chicago with kvno 2,
                 encryption type DES-CBC-CRC added to keytab
                 WRFILE:/tmp/new-keytab.
                 kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]

           Removes entries for the specified principal from a keytab. Requires
           no privileges, since this does not require database access. If all
           is specified, all entries for that principal are removed; if old is
           specified, all entries for that principal except those with the
           highest kvno are removed. Otherwise, the value specified is parsed
           as an integer, and all entries whose kvno match that integer are
           removed. If the -k argument is not specified, the default keytab
           file, /etc/krb5/krb5.keytab, is used. If the -q option is
           specified, less status information is displayed. Aliased by ktrem.

           Example:

                 kadmin: ktremove -k /tmp/new-keytab nfs/chicago
                 Entry for principal nfs/chicago with kvno 2
                 removed from keytab
                 WRFILE:/tmp/new-keytab.
                 kadmin:

       quit

           Quits kadmin. Aliased by exit and q.

   Time Formats
       Various commands in kadmin can take a variety of time formats,
       specifying time durations or absolute times. The kadmin option
       variables maxrenewlife, maxlife, and minlife are time durations,
       whereas expdate and pwexpdate are absolute times.

       Examples:

             kadmin: modprinc -expire "12/31 7pm" jdb
             kadmin: modprinc -maxrenewlife "2 fortnight" jdb
             kadmin: modprinc -pwexpire "this sunday" jdb
             kadmin: modprinc -expire never jdb
             kadmin: modprinc -maxlife "7:00:00pm tomorrow" jdb

       Note that times which do not have the "ago" specifier default to being
       absolute times, unless they appear in a field where a duration is
       expected. In that case, the time specifier will be interpreted as
       relative. Specifying "ago" in a duration can result in unexpected
       behavior.

       The following time formats and units can be combined to specify a time.
       The time and date format examples are based on the date and time of
       July 2, 1999, 1:35:30 p.m.

       ┌────────────────────────────────────────────────────────────┐
       │Time Format                     Examples                    │
       │hh[:mm][:ss][am/pm/a.m./p.m.]   1p.m., 1:35, 1:35:30pm      │
       └────────────────────────────────────────────────────────────┘

       Variable                      Description
       hh                            hour (12-hour clock, leading zero
                                     permitted but not required)
       mm                            minutes
       ss                            seconds

       ┌───────────────────────────────────────────────────────────┐
       │Date Format                   Examples                     │
       │mm/dd[/yy]                    07/02, 07/02/99              │
       │yyyy-mm-dd                    1999-07-02                   │
       │dd-month-yyyy                 02-July-1999                 │
       │month dd[,yyyy]               Jul 02, July 02,1999         │
       │dd month[ yyyy]               02 JULY, 02 july 1999        │
       └───────────────────────────────────────────────────────────┘

       Variable                      Description
       dd                            day
       mm                            month
       yy                            year within century (00-38 is 2000 to
                                     2038; 70-99 is 1970 to 1999)
       yyyy                          year including century
       month                         locale's full or abbreviated month name

878       ┌───────────────────────────────────────────────────────────┐
879Time Units                    Examples                     
880       │[+|- #] year                  "-2 year"                    │
881       │[+|- #] month                 "2 months"                   │
882       │[+|- #] fortnight                                          │
883       │[+|- #] week                                               │
884       │[+|- #] day                                                │
885       │[+|- #] hour                                               │
886       │[+|- #] minute                                             │
887       │[+|- #] min                                                │
888       │[+|- #] second                                             │
889       │[+|- #] sec                                                │
890       │tomorrow                                                   │
891       │yesterday                                                  │
892       │today                                                      │
893       │now                                                        │
894       │this                          "this year"                  │
895       │last                          "last saturday"              │
896       │next                          "next month"                 │
897       │sunday                                                     │
898       │monday                                                     │
899       │tuesday                                                    │
900       │wednesday                                                  │
901       │thursday                                                   │
902       │friday                                                     │
903       │saturday                                                   │
904       │never                                                      │
905       └───────────────────────────────────────────────────────────┘
906
907
908       You can also use the following time modifiers:  first,  second,  third,
909       fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth,
910       and ago.
911
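       The following Python is an added illustration of the grammar above and
       is not kadmin's own code: it reimplements a subset (clock times,
       mm/dd[/yy], yyyy-mm-dd, "[+|- #] unit" for the fixed-length units,
       tomorrow/yesterday, "ago", and "never") against the page's reference
       date. duration_seconds models a duration field (-maxlife,
       -maxrenewlife) as the distance between the resolved time and now, an
       assumption about how kadmin converts, and rejects the negative lifetime
       that "ago" produces there; NOW is a constructed value.

```python
import re
from datetime import datetime, timedelta

NOW = datetime(1999, 7, 2, 13, 35, 30)   # the man page's reference "now" (constructed)
UNIT_SECS = {"fortnight": 14 * 86400, "week": 7 * 86400, "day": 86400, "hour": 3600,
             "minute": 60, "min": 60, "second": 1, "sec": 1}   # fixed-length units only
TIME_RE = re.compile(r"(\d{1,2})(?::(\d{2}))?(?::(\d{2}))?(a\.?m\.?|p\.?m\.?)?")


def parse_time(spec, now=NOW):
    """Absolute-field reading (-expire, -pwexpire): a datetime, or None for 'never'."""
    words, i, base, clock, delta = spec.lower().split(), 0, None, None, timedelta(0)
    if words == ["never"]:
        return None
    while i < len(words):
        w, unit = words[i], words[i + 1].rstrip("s") if i + 1 < len(words) else ""
        if re.fullmatch(r"[+-]?\d+", w) and unit in UNIT_SECS:         # "[+|- #] unit"
            delta, i = delta + timedelta(seconds=int(w) * UNIT_SECS[unit]), i + 1
        elif w in ("tomorrow", "yesterday", "today", "now"):
            delta += timedelta(days={"tomorrow": 1, "yesterday": -1}.get(w, 0))
        elif w == "ago":                                                # negate the relative part
            delta = -delta
        elif re.fullmatch(r"\d{4}-\d{2}-\d{2}", w):                      # yyyy-mm-dd
            base = datetime.strptime(w, "%Y-%m-%d")
        elif re.fullmatch(r"\d{1,2}/\d{1,2}(/\d{2})?", w):              # mm/dd[/yy], 00-38 => 20yy
            mm, dd, *yy = w.split("/")
            base = datetime(now.year if not yy else (2000 if int(yy[0]) <= 38 else 1900)
                            + int(yy[0]), int(mm), int(dd))
        elif m := TIME_RE.fullmatch(w):                                 # hh[:mm][:ss][am/pm]
            h, mi, s, mer = m.groups()
            hour = int(h) % 12 + (12 if mer.startswith("p") else 0) if mer else int(h)
            clock = (hour, int(mi or 0), int(s or 0))
        else:
            raise ValueError(f"unrecognised token {w!r} in {spec!r}")
        i += 1
    if base is None and clock is None:
        return now + delta                  # purely relative: keeps the current time of day
    h, mi, s = clock or (0, 0, 0)           # a date without a clock time means midnight
    return (base or now).replace(hour=h, minute=mi, second=s) + delta


def duration_seconds(spec, now=NOW):
    """Duration-field reading (-maxlife, -maxrenewlife): seconds from now (assumed conversion)."""
    when = parse_time(spec, now)
    if when is None:
        raise ValueError("'never' is not a duration")
    secs = int((when - now).total_seconds())
    if secs < 0:   # the page's caveat: "ago" in a duration field yields a negative lifetime
        raise ValueError(f"{spec!r} lies in the past; the lifetime would be negative")
    return secs
```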

ENVIRONMENT VARIABLES

       See environ(5) for descriptions of the following environment variables
       that affect the execution of kadmin:

       PAGER

           The command to use as a filter for paging output. This can also be
           used to specify options. The default is more(1).



FILES

       /var/krb5/principal

           Kerberos principal database.


       /var/krb5/principal.ulog

           The update log file for incremental propagation.


       /var/krb5/principal.kadm5

           Kerberos administrative database. Contains policy information.


       /var/krb5/principal.kadm5.lock

           Lock file for the Kerberos administrative database. This file works
           backwards from most other lock files (that is, kadmin will exit
           with an error if this file does not exist).


       /var/krb5/kadm5.dict

           Dictionary of strings explicitly disallowed as passwords.


       /etc/krb5/kadm5.acl

           List of principals and their kadmin administrative privileges.


       /etc/krb5/kadm5.keytab

           Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and
           kadmin/changepw.



ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:


       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Committed                    │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       kpasswd(1), more(1), gkadmin(1M), kadmind(1M), kdb5_util(1M),
       kdb5_ldap_util(1M), kproplog(1M), kadm5.acl(4), kdc.conf(4),
       krb5.conf(4), attributes(5), environ(5), kerberos(5), krb5envvar(5)


HISTORY

       The kadmin program was originally written by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.


DIAGNOSTICS

       The kadmin command is currently incompatible with the MIT kadmind
       daemon interface, so you cannot use this command to administer an
       MIT-based Kerberos database. However, clients running the Solaris
       implementation of Kerberos can still use an MIT-based KDC.



SunOS 5.11                        29 Feb 2008                       kadmin(1M)