kdb5_util(1M)            System Administration Commands            kdb5_util(1M)

NAME
     kdb5_util - Kerberos Database maintenance utility

SYNOPSIS
     /usr/sbin/kdb5_util [-d dbname] [-f stashfile_name]
          [-k mkeytype] [-m] [-M mkeyname] [-P password] [-r realm]
          [-x db_args]... cmd

DESCRIPTION
     The kdb5_util utility enables you to create, dump, load, and destroy
     the Kerberos V5 database. You can also use kdb5_util to create a stash
     file containing the Kerberos database master key.

OPTIONS
     The following options are supported:

     -d dbname
          Specify the database name. .db is appended to whatever name is
          specified. You can specify an absolute path. If you do not specify
          the -d option, the default database name is /var/krb5/principal.

     -f stashfile_name
          Specify the stash file name. You can specify an absolute path.

     -k mkeytype
          Specify the master key type. Valid values are des3-cbc-sha1,
          des-cbc-crc, des-cbc-md5, des-cbc-raw, arcfour-hmac-md5,
          arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and
          aes256-cts-hmac-sha1-96.

     -m
          Enter the master key manually.

     -M mkeyname
          Specify the master key name.

     -P password
          Use the specified password instead of the stash file.

     -r realm
          Use realm as the default database realm.

     -x db_args
          Pass database-specific arguments to kadmin. Supported arguments are
          for LDAP and the Berkeley-db2 plug-in. These arguments are:

          binddn=binddn
               LDAP simple bind DN for authorization on the directory server.
               Overrides the ldap_kadmind_dn parameter setting in
               krb5.conf(4).

          bindpwd=bindpwd
               Bind password.

          dbname=name
               For the Berkeley-db2 plug-in, specifies a name for the Kerberos
               database.

          nconns=num
               Maximum number of server connections.

          port=num
               Directory server connection port.

OPERANDS
     The following operands are supported:

     cmd
          Specifies whether to create, destroy, dump, or load the database,
          or to create a stash file.

          You can specify the following commands:

          create -s
               Creates the database specified by the -d option. You will be
               prompted for the database master password. If you specify -s, a
               stash file is created as specified by the -f option. If you did
               not specify -f, the default stash file name is
               /var/krb5/.k5.realm. If you use the -f, -k, or -M options when
               you create a database, then you must use the same options when
               modifying or destroying the database.

          destroy
               Destroys the database specified by the -d option.

          stash
               Creates a stash file. If -f was not specified, the default
               stash file name is /var/krb5/.k5.realm. You will be prompted
               for the master database password. This command is useful when
               you want to generate the stash file from the password.

          dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
          [-new_mkey_file mkey_file] [-rev] [-recurse] [filename
          [principals...]]
               Dumps the current Kerberos and KADM5 database into an ASCII
               file. By default, the database is dumped in the current format,
               "kdb5_util load_dump version 5". If filename is not specified
               or is the string "-", the dump is sent to standard output.
               Options are as follows:

               -old
                    Causes the dump to be in the Kerberos 5 Beta 5 and earlier
                    dump format ("kdb5_edit load_dump version 2.0").

               -b6
                    Causes the dump to be in the Kerberos 5 Beta 6 format
                    ("kdb5_edit load_dump version 3.0").

               -b7
                    Causes the dump to be in the Kerberos 5 Beta 7 format
                    ("kdb5_util load_dump version 4"). This was the dump format
                    produced on releases prior to 1.2.2.

               -ov
                    Causes the dump to be in ovsec_adm_export format.

               -verbose
                    Causes the name of each principal and policy to be
                    displayed as it is dumped.

               -mkey_convert
                    Prompts for a new master key. This new master key will be
                    used to re-encrypt the key data in the dumpfile. The key
                    data in the database will not be changed.

               -new_mkey_file mkey_file
                    The filename of a stash file. The master key in this stash
                    file will be used to re-encrypt the key data in the
                    dumpfile. The key data in the database will not be changed.

               -rev
                    Dumps in reverse order. This might recover principals that
                    do not dump normally, in cases where database corruption
                    has occurred.

               -recurse
                    Causes the dump to walk the database recursively (btree
                    only). This might recover principals that do not dump
                    normally, in cases where database corruption has occurred.
                    In cases of such corruption, this option will probably
                    retrieve more principals than will the -rev option.

          load [-old] [-b6] [-b7] [-ov] [-hash] [-verbose] [-update] filename
          dbname [admin_dbname]
               Loads a database dump from filename into dbname. Unless the
               -old or -b6 option is specified, the format of the dump file is
               detected automatically and handled appropriately. Unless the
               -update option is specified, load creates a new database
               containing only the principals in the dump file, overwriting
               the contents of any existing database. The -old option requires
               the database to be in the Kerberos 5 Beta 5 or earlier format
               ("kdb5_edit load_dump version 2.0").

               -b6
                    Requires the database to be in the Kerberos 5 Beta 6 format
                    ("kdb5_edit load_dump version 3.0").

               -b7
                    Requires the database to be in the Kerberos 5 Beta 7 format
                    ("kdb5_util load_dump version 4").

               -ov
                    Requires the database to be in ovsec_adm_import format.
                    Must be used with the -update option.

               -hash
                    Requires the database to be stored as a hash. If this
                    option is not specified, the database will be stored as a
                    btree. This option is not recommended, as databases stored
                    in hash format are known to corrupt data and lose
                    principals.

               -verbose
                    Causes the name of each principal and policy to be
                    displayed as it is dumped.

               -update
                    Records from the dump file are added to or updated in the
                    existing database. Otherwise, a new database is created
                    containing only what is in the dump file and the old one is
                    destroyed upon successful completion.

               filename
                    Required argument that specifies a path to a file
                    containing the database dump.

               dbname
                    Required argument that overrides the value specified on the
                    command line or overrides the default.

               admin_dbname
                    Optional argument that is derived from dbname if not
                    specified.


EXAMPLES
     Example 1 Creating File that Contains Information about Two Principals

     The following example creates a file named slavedata that contains the
     information about two principals, jdb@ACME.COM and pak@ACME.COM.

     # /usr/krb5/bin/kdb5_util dump -verbose slavedata jdb@ACME.COM pak@ACME.COM

FILES
     /var/krb5/principal
          Kerberos principal database.

     /var/krb5/principal.kadm5
          Kerberos administrative database. Contains policy information.

     /var/krb5/principal.kadm5.lock
          Lock file for the Kerberos administrative database. This file works
          backwards from most other lock files (that is, kadmin exits with an
          error if this file does not exist).

     /var/krb5/principal.ulog
          The update log file for incremental propagation.

ATTRIBUTES
     See attributes(5) for descriptions of the following attributes:

     ┌─────────────────────────────┬─────────────────────────────┐
     │       ATTRIBUTE TYPE        │       ATTRIBUTE VALUE       │
     ├─────────────────────────────┼─────────────────────────────┤
     │Availability                 │SUNWkdcu                     │
     ├─────────────────────────────┼─────────────────────────────┤
     │Interface Stability          │Evolving                     │
     └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
     kpasswd(1), gkadmin(1M), kadmin(1M), kadmind(1M), kadmin.local(1M),
     kdb5_ldap_util(1M), kproplog(1M), kadm5.acl(4), kdc.conf(4),
     attributes(5), kerberos(5)

SunOS 5.11                     29 Feb 2008                        kdb5_util(1M)