kadmin(1M)              System Administration Commands              kadmin(1M)

NAME
    kadmin, kadmin.local - Kerberos database administration program

SYNOPSIS
    /usr/sbin/kadmin [-r realm] [-p principal] [-q query]
        [-s admin_server[:port]] [[-c credential_cache]
        | [-k [-t keytab]] | [-w password]] [-x db_args]...

    /usr/sbin/kadmin.local [-r realm] [-p principal]
        [-q query] [-d dbname] [-e "enc:salt..."] [-m] [-D]

DESCRIPTION
    kadmin and kadmin.local are interactive command-line interfaces to the
    Kerberos V5 administration system. They provide for the maintenance of
    Kerberos principals, policies, and service key tables (keytabs). kadmin
    and kadmin.local provide identical functionality; the difference is
    that kadmin.local can run only on the master KDC and does not use
    Kerberos authentication.

    Except as explicitly noted otherwise, this man page uses kadmin to
    refer to both versions.

    By default, both versions of kadmin attempt to determine your user name
    and perform operations on behalf of your "username/admin" instance.
    Operations performed are subject to privileges granted or denied to
    this user instance by the Kerberos ACL file (see kadm5.acl(4)). You may
    perform administration as another user instance by using the -p option.

    The remote version, kadmin, uses Kerberos authentication and an
    encrypted RPC to operate securely from anywhere on the network. It
    normally prompts for a password and authenticates the user to the
    Kerberos administration server, kadmind, whose service principal is
    kadmin/fqdn. Some options specific to the remote version permit the
    password prompt to be bypassed. The -c option searches the named
    credentials cache for a valid ticket for the kadmin/fqdn service and
    uses it to authenticate the user to the Kerberos admin server without a
    password. The -k option searches a keytab for a credential to
    authenticate to the kadmin/fqdn service, and again no password is
    collected. If kadmin has collected a password, it requests a
    kadmin/fqdn Kerberos service ticket from the KDC, and uses that service
    ticket to interact with kadmind.

    The local version, kadmin.local, must be run with an effective UID of
    root, and normally uses a key from the /var/krb5/.k5.realm stash file
    (see kdb5_util(1M)) to decrypt information from the database rather
    than prompting for a password. The -m option will bypass the .k5.realm
    stash file and prompt for the master password.

OPTIONS
    The following options are supported:

    -c credentials_cache
        Search credentials_cache for a service ticket for the kadmin/fqdn
        service; it can be acquired with the kinit(1) program. If this
        option is not specified, kadmin requests a new service ticket from
        the KDC, and stores it in its own temporary credentials cache.

    -d dbname
        Specify a non-standard database name. [Local only]

    -D
        Turn on debug mode. [Local only]

    -e "enc:salt ..."
        Specify a different encryption type and/or key salt. [Local only]

    -k [-t keytab]
        Use the default keytab (-k) or a specific keytab (-t keytab) to
        decrypt the KDC response instead of prompting for a password. In
        this case, the default principal will be host/hostname. This is
        primarily used for keytab maintenance.

    -m
        Accept the database master password from the keyboard rather than
        using the /var/krb5/.k5.realm stash file. [Local only]

    -p principal
        Authenticate principal to the kadmin/fqdn service. Otherwise,
        kadmin will append /admin to the primary principal name of the
        default credentials cache, the value of the USER environment
        variable, or the username as obtained with getpwuid, in that order
        of preference.

    -q query
        Pass query directly to kadmin, which will perform query and then
        exit. This can be useful for writing scripts.

    -r realm
        Use realm as the default database realm.

    -s admin_server[:port]
        Administer the specified admin server at the specified port number
        (port). This can be useful in administering a realm not known to
        your client.

    -w password
        Use password instead of prompting for one. Note that placing the
        password for a Kerberos principal with administration access into a
        shell script can be dangerous if unauthorized users gain read
        access to the script or can read arguments of this command through
        ps(1).

    -x db_args
        Pass database-specific arguments to kadmin. Supported arguments are
        for LDAP and the Berkeley-db2 plug-in. These arguments are:

        binddn=binddn
            LDAP simple bind DN for authorization on the directory server.
            Overrides the ldap_kadmind_dn parameter setting in
            krb5.conf(4).

        bindpwd=bindpwd
            Bind password.

        dbname=name
            For the Berkeley-db2 plug-in, specifies a name for the Kerberos
            database.

        nconns=num
            Maximum number of server connections.

        port=num
            Directory server connection port.

COMMANDS
    list_requests
        Lists all the commands available for kadmin. Aliased by lr and ?.

    get_privs
        Lists the current Kerberos administration privileges (ACLs) for the
        principal that is currently running kadmin. The privileges are
        based on the /etc/krb5/kadm5.acl file on the master KDC. Aliased by
        getprivs.

    add_principal [options] newprinc
        Creates a new principal, newprinc, prompting twice for a password.
        If the -policy option is not specified and a policy named default
        exists, then the default policy is assigned to the principal; note
        that the assignment of the default policy occurs automatically only
        when a principal is first created, so the default policy must
        already exist for the assignment to occur. The automatic assignment
        of the default policy can be suppressed with the -clearpolicy
        option. This command requires the add privilege. Aliased by
        addprinc and ank. The options are:

        -expire expdate
            Expiration date of the principal. See the Time Formats section
            for the valid absolute time formats that you can specify for
            expdate.

        -pwexpire pwexpdate
            Password expiration date. See the Time Formats section for the
            valid absolute time formats that you can specify for pwexpdate.

        -maxlife maxlife
            Maximum ticket life for the principal. See the Time Formats
            section for the valid time duration formats that you can
            specify for maxlife.

        -maxrenewlife maxrenewlife
            Maximum renewable life of tickets for the principal. See the
            Time Formats section for the valid time duration formats that
            you can specify for maxrenewlife.

        -kvno kvno
            Explicitly set the key version number.

        -policy policy
            Policy used by the principal. If neither the -policy nor the
            -clearpolicy option is specified, the default policy is used if
            it exists; otherwise, the principal will have no policy. Also
            note that the password and principal name must be different
            when you add a new principal with a specific policy or the
            default policy.

        -clearpolicy
            -clearpolicy prevents the default policy from being assigned
            when -policy is not specified. This option has no effect if the
            default policy does not exist.

        {-|+}allow_postdated
            -allow_postdated prohibits the principal from obtaining
            postdated tickets. (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)
            +allow_postdated clears this flag.

        {-|+}allow_forwardable
            -allow_forwardable prohibits the principal from obtaining
            forwardable tickets. (Sets the KRB5_KDB_DISALLOW_FORWARDABLE
            flag.) +allow_forwardable clears this flag.

        {-|+}allow_renewable
            -allow_renewable prohibits the principal from obtaining
            renewable tickets. (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)
            +allow_renewable clears this flag.

        {-|+}allow_proxiable
            -allow_proxiable prohibits the principal from obtaining
            proxiable tickets. (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)
            +allow_proxiable clears this flag.

        {-|+}allow_dup_skey
            -allow_dup_skey disables user-to-user authentication for the
            principal by prohibiting this principal from obtaining a
            session key for another user. (Sets the
            KRB5_KDB_DISALLOW_DUP_SKEY flag.) +allow_dup_skey clears this
            flag.

        {-|+}requires_preauth
            +requires_preauth requires the principal to preauthenticate
            before being allowed to kinit. (Sets the
            KRB5_KDB_REQUIRES_PRE_AUTH flag.) -requires_preauth clears this
            flag.

        {-|+}requires_hwauth
            +requires_hwauth requires the principal to preauthenticate
            using a hardware device before being allowed to kinit. (Sets
            the KRB5_KDB_REQUIRES_HW_AUTH flag.) -requires_hwauth clears
            this flag.

        {-|+}allow_svr
            -allow_svr prohibits the issuance of service tickets for the
            principal. (Sets the KRB5_KDB_DISALLOW_SVR flag.) +allow_svr
            clears this flag.

        {-|+}allow_tgs_req
            -allow_tgs_req specifies that a Ticket-Granting Service (TGS)
            request for a service ticket for the principal is not
            permitted. This option is useless for most things.
            +allow_tgs_req clears this flag. The default is +allow_tgs_req.
            In effect, -allow_tgs_req sets the KRB5_KDB_DISALLOW_TGT_BASED
            flag on the principal in the database.

        {-|+}allow_tix
            -allow_tix forbids the issuance of any tickets for the
            principal. +allow_tix clears this flag. The default is
            +allow_tix. In effect, -allow_tix sets the
            KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
            database.

        {-|+}needchange
            +needchange sets a flag in the attributes field to force a
            password change; -needchange clears it. The default is
            -needchange. In effect, +needchange sets the
            KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
            database.

        {-|+}password_changing_service
            +password_changing_service sets a flag in the attributes field
            marking this as a password change service principal (useless
            for most things). -password_changing_service clears the flag.
            This flag intentionally has a long name. The default is
            -password_changing_service. In effect,
            +password_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE
            flag on the principal in the database.

        -randkey
            Sets the key of the principal to a random value.

        -pw password
            Sets the key of the principal to the specified string and does
            not prompt for a password. Note that using this option in a
            shell script can be dangerous if unauthorized users gain read
            access to the script.

        -e "enc:salt ..."
            Override the list of enctype:salttype pairs given in
            kdc.conf(4) for setting the key of the principal. The quotes
            are necessary if there are multiple enctype:salttype pairs. One
            key for each similar enctype and same salttype will be created
            and the first one listed will be used. For example, in a list
            of two similar enctypes with the same salt, "des-cbc-crc:normal
            des-cbc-md5:normal", one key will be created and it will be of
            type des-cbc-crc:normal.

        Example:

            kadmin: addprinc tlyu/admin
            WARNING: no policy specified for "tlyu/admin@ACME.COM";
            defaulting to no policy.
            Enter password for principal tlyu/admin@ACME.COM:
            Re-enter password for principal tlyu/admin@ACME.COM:
            Principal "tlyu/admin@ACME.COM" created.
            kadmin:

        Errors:

            KADM5_AUTH_ADD (requires add privilege)

            KADM5_BAD_MASK (should not happen)

            KADM5_DUP (principal exists already)

            KADM5_UNK_POLICY (policy does not exist)

            KADM5_PASS_Q_* (password quality violations)

    delete_principal [-force] principal
        Deletes the specified principal from the database. This command
        prompts for deletion, unless the -force option is given. This
        command requires the delete privilege. Aliased by delprinc.

        Example:

            kadmin: delprinc mwm_user
            Are you sure you want to delete the principal
            "mwm_user@ACME.COM"? (yes/no): yes
            Principal "mwm_user@ACME.COM" deleted.
            Make sure that you have removed this principal from
            all kadmind ACLs before reusing.
            kadmin:

        Errors:

            KADM5_AUTH_DELETE (requires delete privilege)

            KADM5_UNK_PRINC (principal does not exist)

    modify_principal [options] principal
        Modifies the specified principal, changing the fields as specified.
        The options are as above for add_principal, except that password
        changing is forbidden by this command. In addition, the option
        -clearpolicy will clear the current policy of a principal. This
        command requires the modify privilege. Aliased by modprinc.

        Errors:

            KADM5_AUTH_MODIFY (requires modify privilege)

            KADM5_UNK_PRINC (principal does not exist)

            KADM5_UNK_POLICY (policy does not exist)

            KADM5_BAD_MASK (should not happen)

    change_password [options] principal
        Changes the password of principal. Prompts for a new password if
        neither -randkey nor -pw is specified. Requires the changepw
        privilege, or that the principal running the program be the same
        as the one being changed. Aliased by cpw. The following options are
        available:

        -randkey
            Sets the key of the principal to a random value.

        -pw password
            Sets the password to the specified string. Not recommended.

        -e "enc:salt ..."
            Override the list of enctype:salttype pairs given in
            kdc.conf(4) for setting the key of the principal. The quotes
            are necessary if there are multiple enctype:salttype pairs. For
            each key, the first matching similar enctype and same salttype
            in the list will be used to set the new key(s).

        -keepold
            Keeps the previous kvno's keys around. There is no easy way to
            delete the old keys, and this flag is usually not necessary
            except perhaps for TGS keys as it will allow existing valid
            TGTs to continue to work.

        Example:

            kadmin: cpw systest
            Enter password for principal systest@ACME.COM:
            Re-enter password for principal systest@ACME.COM:
            Password for systest@ACME.COM changed.
            kadmin:

        Errors:

            KADM5_AUTH_MODIFY (requires the modify privilege)

            KADM5_UNK_PRINC (principal does not exist)

            KADM5_PASS_Q_* (password policy violation errors)

            KADM5_PASS_REUSE (password is in principal's password history)

            KADM5_PASS_TOOSOON (current password minimum life not expired)

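The warnings above about -w, the bindpwd= argument of -x, and -pw come down to the same exposure: a secret sitting in a script or in a process's argument list. The following check scans an administration script for those three options. It is an added example, not part of the original man page; the sample script, the ops/admin principal, the /etc/krb5/ops.keytab path and every secret in it are constructed.

```python
import os
import shlex

KADMIN_PROGRAMS = {"kadmin", "kadmin.local"}
# Query commands on this page that accept "-pw password".
PW_COMMANDS = {"add_principal", "addprinc", "ank", "change_password", "cpw"}

# Constructed sample script; principals, keytab path and secrets are made up.
SAMPLE_SCRIPT = """\
#!/bin/sh
# nightly principal maintenance
/usr/sbin/kadmin -p ops/admin -w 'S3cret!' -q "addprinc -randkey host/web1"
/usr/sbin/kadmin -p ops/admin -k -t /etc/krb5/ops.keytab -q "cpw -pw hunter2 svc_backup"
kadmin.local -q "ktadd -k /etc/krb5/krb5.keytab host/web1"
kadmin -x binddn=cn=kadmin,o=example -x bindpwd=ldapsecret -q listprincs
/usr/sbin/kadmin -p ops/admin -k -t /etc/krb5/ops.keytab -q "addprinc -randkey nfs/chicago"
"""


def split_words(text):
    """Shell-style tokenisation; returns [] for lines shlex cannot parse."""
    try:
        return shlex.split(text, comments=True)
    except ValueError:
        return []


def query_uses_pw(words):
    """True if a kadmin query (addprinc/cpw ...) passes -pw followed by a value."""
    return bool(words) and words[0] in PW_COMMANDS and "-pw" in words[1:-1]


def lint_line(line):
    """Return the cleartext-secret options found on one script line."""
    words = split_words(line)
    findings = []
    # A bare query line, as fed to kadmin on stdin or in a here-document.
    if query_uses_pw(words):
        findings.append("-pw")
    for i, word in enumerate(words):
        if os.path.basename(word) not in KADMIN_PROGRAMS:
            continue
        args = words[i + 1:]
        for opt, value in zip(args, args[1:]):
            if opt == "-w":
                findings.append("-w")
            elif opt == "-x" and value.startswith("bindpwd="):
                findings.append("bindpwd")
            elif opt == "-q" and query_uses_pw(split_words(value)):
                findings.append("-pw")
    return findings


def lint_script(text):
    """Return (line number, option) pairs for every finding in a script."""
    return [(n, f) for n, line in enumerate(text.splitlines(), 1)
            for f in lint_line(line)]


if __name__ == "__main__":
    for lineno, option in lint_script(SAMPLE_SCRIPT):
        print(f"line {lineno}: secret passed via {option}")
```

The two clean lines in the sample authenticate with -k -t keytab and create keys with -randkey, so no password appears in the script or in ps(1) output.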
    get_principal [-terse] principal
        Gets the attributes of principal. Requires the inquire privilege,
        or that the principal running the program be the same as the one
        being listed. With the -terse option, outputs fields as quoted
        tab-separated strings. Aliased by getprinc.

        Examples:

            kadmin: getprinc tlyu/admin
            Principal: tlyu/admin@ACME.COM
            Expiration date: [never]
            Last password change: Thu Jan 03 12:17:46 CET 2008
            Password expiration date: [none]
            Maximum ticket life: 24855 days 03:14:07
            Maximum renewable life: 24855 days 03:14:07
            Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM)
            Last successful authentication: [never]
            Last failed authentication: [never]
            Failed password attempts: 0
            Number of keys: 5
            Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
            Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
            Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
            Key: vno 2, ArcFour with HMAC/md5, no salt
            Key: vno 2, DES cbc mode with RSA-MD5, no salt
            Attributes: REQUIRES_PRE_AUTH
            Policy: [none]
            kadmin: getprinc -terse tlyu/admin
            "tlyu/admin@ACME.COM" 0 1199359066 0 2147483647
            "root/admin@ACME.COM" 1199359066 128 2 0 "[none]" 21474836
            47 0 0 0 5 1 2 18 0 1 2
            17 0 1 2 16 0 1 2 23 0 12
            3 0
            kadmin:

        Errors:

            KADM5_AUTH_GET (requires the get [inquire] privilege)

            KADM5_UNK_PRINC (principal does not exist)

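An added example (not part of the original man page) that parses getprinc output in the format shown above and reports three things this page lets an administrator set: deprecated key enctypes, a missing REQUIRES_PRE_AUTH attribute, and a missing policy. The first sample record is the page's own output; the svc_report record is constructed for the example.

```python
# Enctype labels as getprinc prints them on this page. Single DES is
# deprecated by RFC 6649; Triple DES and ArcFour (RC4-HMAC) by RFC 8429.
DEPRECATED_PREFIXES = ("DES ", "Triple DES", "ArcFour")

# First record: the getprinc output shown on this page.
# Second record: constructed for the example.
SAMPLE_OUTPUT = """\
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@ACME.COM
Expiration date: [never]
Last password change: Thu Jan 03 12:17:46 CET 2008
Password expiration date: [none]
Maximum ticket life: 24855 days 03:14:07
Maximum renewable life: 24855 days 03:14:07
Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 5
Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt
Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt
Key: vno 2, ArcFour with HMAC/md5, no salt
Key: vno 2, DES cbc mode with RSA-MD5, no salt
Attributes: REQUIRES_PRE_AUTH
Policy: [none]
kadmin: getprinc svc_report
Principal: svc_report@ACME.COM
Number of keys: 1
Key: vno 4, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt
Attributes:
Policy: default
"""


def parse_getprinc(text):
    """Split kadmin getprinc output into one dict per principal."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("kadmin:") or ":" not in line:
            continue  # prompt with echoed command, or a blank line
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Principal":
            current = {"principal": value, "keys": [],
                       "attributes": [], "policy": None}
            records.append(current)
        elif current is None:
            continue
        elif field == "Key":
            # value looks like "vno 2, <enctype label>, <salt label>"
            parts = [p.strip() for p in value.split(",", 2)]
            if len(parts) == 3 and parts[0].startswith("vno "):
                current["keys"].append((int(parts[0].split()[1]),
                                        parts[1], parts[2]))
        elif field == "Attributes":
            current["attributes"] = value.split()
        elif field == "Policy":
            current["policy"] = value
    return records


def audit(record):
    """Return (code, detail) findings for one parsed principal."""
    findings = []
    for vno, enctype, _salt in record["keys"]:
        if enctype.startswith(DEPRECATED_PREFIXES):
            findings.append(("deprecated-enctype", f"vno {vno}: {enctype}"))
    if "REQUIRES_PRE_AUTH" not in record["attributes"]:
        findings.append(("no-preauth", "+requires_preauth is not set"))
    if record["policy"] in (None, "[none]"):
        findings.append(("no-policy", "no password policy assigned"))
    return findings


if __name__ == "__main__":
    for rec in parse_getprinc(SAMPLE_OUTPUT):
        for code, detail in audit(rec):
            print(f"{rec['principal']}: {code}: {detail}")
```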
    list_principals [expression]
        Retrieves all or some principal names. expression is a shell-style
        glob expression that can contain the wild-card characters ?, *, and
        []'s. All principal names matching the expression are printed. If
        no expression is provided, all principal names are printed. If the
        expression does not contain an "@" character, an "@" character
        followed by the local realm is appended to the expression. Requires
        the list privilege. Aliased by listprincs, get_principals, and
        getprincs.

        Examples:

            kadmin: listprincs test*
            test3@ACME.COM
            test2@ACME.COM
            test1@ACME.COM
            testuser@ACME.COM
            kadmin:

    add_policy [options] policy
        Adds the named policy to the policy database. Requires the add
        privilege. Aliased by addpol. The following options are available:

        -maxlife maxlife
            Sets the maximum lifetime of a password. See the Time Formats
            section for the valid time duration formats that you can
            specify for maxlife.

        -minlife minlife
            Sets the minimum lifetime of a password. See the Time Formats
            section for the valid time duration formats that you can
            specify for minlife.

        -minlength length
            Sets the minimum length of a password.

        -minclasses number
            Sets the minimum number of character classes allowed in a
            password. The valid values are:

            1
                only letters (himom)

            2
                both letters and numbers (hi2mom)

            3
                letters, numbers, and punctuation (hi2mom!)

        -history number
            Sets the number of past keys kept for a principal.

        Errors:

            KADM5_AUTH_ADD (requires the add privilege)

            KADM5_DUP (policy already exists)

    delete_policy [-force] policy
        Deletes the named policy. Unless the -force option is specified,
        prompts for confirmation before deletion. The command will fail if
        the policy is in use by any principals. Requires the delete
        privilege. Aliased by delpol.

        Example:

            kadmin: del_policy guests
            Are you sure you want to delete the
            policy "guests"? (yes/no): yes
            Policy "guests" deleted.
            kadmin:

        Errors:

            KADM5_AUTH_DELETE (requires the delete privilege)

            KADM5_UNK_POLICY (policy does not exist)

            KADM5_POLICY_REF (reference count on policy is not zero)

    modify_policy [options] policy
        Modifies the named policy. Options are as above for add_policy.
        Requires the modify privilege. Aliased by modpol.

        Errors:

            KADM5_AUTH_MODIFY (requires the modify privilege)

            KADM5_UNK_POLICY (policy does not exist)

    get_policy [-terse] policy
        Displays the values of the named policy. Requires the inquire
        privilege. With the -terse flag, outputs the fields as quoted
        strings separated by tabs. Aliased by getpol.

        Examples:

            kadmin: get_policy admin
            Policy: admin
            Maximum password life: 180 days 00:00:00
            Minimum password life: 00:00:00
            Minimum password length: 6
            Minimum number of password character classes: 2
            Number of old keys kept: 5
            Reference count: 17
            kadmin: get_policy -terse
            admin admin 15552000 0 6 2 5 17
            kadmin:

        Errors:

            KADM5_AUTH_GET (requires the get privilege)

            KADM5_UNK_POLICY (policy does not exist)

    list_policies [expression]
        Retrieves all or some policy names. expression is a shell-style
        glob expression that can contain the wild-card characters ?, *, and
        []'s. All policy names matching the expression are printed. If no
        expression is provided, all existing policy names are printed.
        Requires the list privilege. Aliased by listpols, get_policies, and
        getpols.

        Examples:

            kadmin: listpols
            test-pol dict-only once-a-min test-pol-nopw
            kadmin: listpols t*
            test-pol test-pol-nopw
            kadmin:

    ktadd [-k keytab] [-q] [-e enctype:salt] [principal | -glob princ-exp]
        Adds a principal or all principals matching princ-exp to a keytab,
        randomizing each principal's key in the process.

        ktadd requires the inquire and changepw privileges. An entry for
        each of the principal's unique encryption types is added, ignoring
        multiple keys with the same encryption type but different salt
        types. If the -k argument is not specified, the default keytab
        file, /etc/krb5/krb5.keytab, is used.

        The "-e enctype:salt" option overrides the list of enctypes given
        in krb5.conf(4), in the permitted_enctypes parameter. If
        "-e enctype:salt" is not used and permitted_enctypes is not defined
        in krb5.conf(4), a key for each enctype supported by the system on
        which kadmin is run will be created and added to the keytab.
        Restricting the enctypes of keys in the keytab is useful when the
        system for which keys are being created does not support the same
        set of enctypes as the KDC. Note that ktadd modifies the enctype of
        the keys in the principal database as well.

        If the -q option is specified, less status information is
        displayed. Aliased by xst. The -glob option requires the list
        privilege. Also, note that if you use -glob to create a keytab, you
        need to remove /etc/krb5/kadm5.keytab and create it again if you
        want to use -p */admin with kadmin.

        princ-exp
            princ-exp follows the same rules described for the
            list_principals command.

        Example:

            kadmin: ktadd -k /tmp/new-keytab nfs/chicago
            Entry for principal nfs/chicago with kvno 2,
            encryption type DES-CBC-CRC added to keytab
            WRFILE:/tmp/new-keytab.
            kadmin:

    ktremove [-k keytab] [-q] principal [kvno | all | old]
        Removes entries for the specified principal from a keytab. Requires
        no privileges, since this does not require database access. If all
        is specified, all entries for that principal are removed; if old is
        specified, all entries for that principal except those with the
        highest kvno are removed. Otherwise, the value specified is parsed
        as an integer, and all entries whose kvno matches that integer are
        removed. If the -k argument is not specified, the default keytab
        file, /etc/krb5/krb5.keytab, is used. If the -q option is
        specified, less status information is displayed. Aliased by ktrem.

        Example:

            kadmin: ktremove -k /tmp/new-keytab nfs/chicago
            Entry for principal nfs/chicago with kvno 2
            removed from keytab
            WRFILE:/tmp/new-keytab.
            kadmin:

    quit
        Quits kadmin. Aliased by exit and q.

  Time Formats
    Various commands in kadmin can take a variety of time formats,
    specifying time durations or absolute times. The kadmin option
    variables maxrenewlife, maxlife, and minlife are time durations,
    whereas expdate and pwexpdate are absolute times.

    Examples:

        kadmin: modprinc -expire "12/31 7pm" jdb
        kadmin: modprinc -maxrenewlife "2 fortnight" jdb
        kadmin: modprinc -pwexpire "this sunday" jdb
        kadmin: modprinc -expire never jdb
        kadmin: modprinc -maxlife "7:00:00pm tomorrow" jdb

    Note that times which do not have the "ago" specifier default to being
    absolute times, unless they appear in a field where a duration is
    expected. In that case, the time specifier will be interpreted as
    relative. Specifying "ago" in a duration can result in unexpected
    behavior.

    The following time formats and units can be combined to specify a time.
    The time and date format examples are based on the date and time of
    July 2, 1999, 1:35:30 p.m.

    ┌────────────────────────────────────────────────────────────┐
    │Time Format                      Examples                   │
    │hh[:mm][:ss][am/pm/a.m./p.m.]    1p.m., 1:35, 1:35:30pm     │
    └────────────────────────────────────────────────────────────┘

    Variable    Description
    hh          hour (12-hour clock, leading zero permitted but not
                required)
    mm          minutes
    ss          seconds

    ┌────────────────────────────────────────────────────────────┐
    │Date Format         Examples                                │
    │mm/dd[/yy]          07/02, 07/02/99                         │
    │yyyy-mm-dd          1999-07-02                              │
    │dd-month-yyyy       02-July-1999                            │
    │month [,yyyy]       Jul 02, July 02,1999                    │
    │dd month[ yyyy]     02 JULY, 02 july 1999                   │
    └────────────────────────────────────────────────────────────┘

    Variable    Description
    dd          day
    mm          month
    yy          year within century (00-38 is 2000 to 2038; 70-99 is
                1970 to 1999)
    yyyy        year including century
    month       locale's full or abbreviated month name

    ┌────────────────────────────────────────────────────────────┐
    │Time Units          Examples                                │
    │[+|- #] year        "-2 year"                               │
    │[+|- #] month       "2 months"                              │
    │[+|- #] fortnight                                           │
    │[+|- #] week                                                │
    │[+|- #] day                                                 │
    │[+|- #] hour                                                │
    │[+|- #] minute                                              │
    │[+|- #] min                                                 │
    │[+|- #] second                                              │
    │[+|- #] sec                                                 │
    │tomorrow                                                    │
    │yesterday                                                   │
    │today                                                       │
    │now                                                         │
    │this                "this year"                             │
    │last                "last saturday"                         │
    │next                "next month"                            │
    │sunday                                                      │
    │monday                                                      │
    │tuesday                                                     │
    │wednesday                                                   │
    │thursday                                                    │
    │friday                                                      │
    │saturday                                                    │
    │never                                                       │
    └────────────────────────────────────────────────────────────┘

    You can also use the following time modifiers: first, second, third,
    fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth,
    and ago.

ENVIRONMENT VARIABLES
    See environ(5) for descriptions of the following environment variables
    that affect the execution of kadmin:

    PAGER
        The command to use as a filter for paging output. This can also be
        used to specify options. The default is more(1).

FILES
    /var/krb5/principal
        Kerberos principal database.

    /var/krb5/principal.ulog
        The update log file for incremental propagation.

    /var/krb5/principal.kadm5
        Kerberos administrative database. Contains policy information.

    /var/krb5/principal.kadm5.lock
        Lock file for the Kerberos administrative database. This file works
        backwards from most other lock files (that is, kadmin will exit
        with an error if this file does not exist).

    /var/krb5/kadm5.dict
        Dictionary of strings explicitly disallowed as passwords.

    /etc/krb5/kadm5.acl
        List of principals and their kadmin administrative privileges.

    /etc/krb5/kadm5.keytab
        Keytab for kadmind principals: kadmin/fqdn, changepw/fqdn, and
        kadmin/changepw.

ATTRIBUTES
    See attributes(5) for descriptions of the following attributes:

    ┌─────────────────────────────┬─────────────────────────────┐
    │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
    ├─────────────────────────────┼─────────────────────────────┤
    │Availability                 │SUNWkdcu                     │
    ├─────────────────────────────┼─────────────────────────────┤
    │Interface Stability          │Committed                    │
    └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
    kpasswd(1), more(1), gkadmin(1M), kadmind(1M), kdb5_util(1M),
    kdb5_ldap_util(1M), kproplog(1M), kadm5.acl(4), kdc.conf(4),
    krb5.conf(4), attributes(5), environ(5), kerberos(5), krb5envvar(5)

HISTORY
    The kadmin program was originally written by Tom Yu at MIT, as an
    interface to the OpenVision Kerberos administration program.

NOTES
    The kadmin command is currently incompatible with the MIT kadmind
    daemon interface, so you cannot use this command to administer an
    MIT-based Kerberos database. However, clients running the Solaris
    implementation of Kerberos can still use an MIT-based KDC.

SunOS 5.11                        29 Feb 2008                        kadmin(1M)