KADMIN(1)                   General Commands Manual                  KADMIN(1)

NAME
       kadmin - Kerberos V5 database administration program

SYNOPSIS
       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
              [[-c cache_name] | [-k [-t keytab]] | -n] [-w password]
              [-s admin_server[:port]]

       kadmin.local [-r realm] [-p principal] [-q query]
              [-d dbname] [-e "enc:salt ..."] [-m] [-x db_args]
DESCRIPTION
       kadmin and kadmin.local are command-line interfaces to the Kerberos V5
       KADM5 administration system.  Both kadmin and kadmin.local provide
       identical functionalities; the difference is that kadmin.local runs on
       the master KDC if the database is db2 and does not use Kerberos to
       authenticate to the database.  Except as explicitly noted otherwise,
       this man page will use kadmin to refer to both versions.  kadmin
       provides for the maintenance of Kerberos principals, KADM5 policies,
       and service key tables (keytabs).

       The remote version uses Kerberos authentication and an encrypted RPC,
       to operate securely from anywhere on the network.  It authenticates to
       the KADM5 server using the service principal kadmin/admin.  If the
       credentials cache contains a ticket for the kadmin/admin principal, and
       the -c credentials_cache option is specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options are used to
       specify the client Kerberos principal name used to authenticate.  Once
       kadmin has determined the principal name, it requests a kadmin/admin
       Kerberos service ticket from the KDC, and uses that service ticket to
       authenticate to KADM5.

       If the database is db2, the local client kadmin.local is intended to
       run directly on the master KDC without Kerberos authentication.  The
       local version provides all of the functionality of the now obsolete
       kdb5_edit(8), except for database dump and load, which is now provided
       by the kdb5_util(8) utility.

       If the database is LDAP, kadmin.local need not be run on the KDC.

       kadmin.local can be configured to log updates for incremental database
       propagation.  Incremental propagation allows slave KDC servers to
       receive principal and policy updates incrementally instead of receiving
       full dumps of the database.  This facility can be enabled in the
       kdc.conf file with the iprop_enable option.  See the kdc.conf
       documentation for other options for tuning incremental propagation
       parameters.

OPTIONS
       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise, kadmin will append
              "/admin" to the primary principal name of the default ccache,
              the value of the USER environment variable, or the username as
              obtained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response instead of prompting
              for a password on the TTY.  In this case, the default principal
              will be host/hostname.  If there is not a keytab specified with
              the -t option, then the default keytab will be used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only be used
              with the -k option.

       -n     Requests anonymous processing.  Two types of anonymous
              principals are supported.  For fully anonymous Kerberos,
              configure pkinit on the KDC and configure pkinit_anchors in the
              client's krb5.conf.  Then use the -n option with a principal of
              the form @REALM (an empty principal name followed by the at-sign
              and a realm name).  If permitted by the KDC, an anonymous ticket
              will be returned.  A second form of anonymous tickets is
              supported; these realm-exposed tickets hide the identity of the
              client but not the client's realm.  For this mode, use kinit -n
              with a normal principal name.  If supported by the KDC, the
              principal (but not realm) will be replaced by the anonymous
              principal.  As of release 1.8, the MIT Kerberos KDC only
              supports fully anonymous operation.

       -c credentials_cache
              Use credentials_cache as the credentials cache.  The
              credentials_cache should contain a service ticket for the
              kadmin/admin service; it can be acquired with the kinit(1)
              program.  If this option is not specified, kadmin requests a new
              service ticket from the KDC, and stores it in its own temporary
              ccache.

       -w password
              Use password instead of prompting for one on the TTY.  Note:
              placing the password for a Kerberos principal with
              administration access into a shell script can be dangerous if
              unauthorized users gain read access to the script.

       -q query
              Pass query directly to kadmin, which will perform query and then
              exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the Kerberos database.  This option does
              not apply to the LDAP database.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     Do not authenticate using a keytab.  This option will cause
              kadmin to prompt for the master database password.

       -e enc:salt_list
              Sets the list of encryption types and salt types to be used for
              any new keys created.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies the database specific arguments.

              Options supported for LDAP database are:

              -x host=<hostname>
                     specifies the LDAP server to connect to by a LDAP URI.

              -x binddn=<bind_dn>
                     specifies the DN of the object used by the administration
                     server to bind to the LDAP server.  This object should
                     have the read and write rights on the realm container,
                     principal container and the subtree that is referenced by
                     the realm.

              -x bindpwd=<bind_password>
                     specifies the password for the above mentioned binddn.  It
                     is recommended not to use this option.  Instead, the
                     password can be stashed using the stashsrvpw command of
                     kdb5_ldap_util.

DATE FORMAT
       Various commands in kadmin can take a variety of date formats,
       specifying durations or absolute times.  Examples of valid formats are:

              1 month ago
              2 hours ago
              400000 seconds ago
              last year
              this Monday
              next Monday
              yesterday
              tomorrow
              now
              second Monday
              a fortnight ago
              3/31/92 10:00:07 PST
              January 23, 1987 10:05pm
              22:00 GMT

       Dates which do not have the "ago" specifier default to being absolute
       dates, unless they appear in a field where a duration is expected.  In
       that case the time specifier will be interpreted as relative.
       Specifying "ago" in a duration may result in unexpected behavior.

COMMANDS
       add_principal [options] newprinc
              creates the principal newprinc, prompting twice for a password.
              If no policy is specified with the -policy option, and the
              policy named "default" exists, then that policy is assigned to
              the principal; note that the assignment of the policy "default"
              only occurs automatically when a principal is first created, so
              the policy "default" must already exist for the assignment to
              occur.  This assignment of "default" can be suppressed with the
              -clearpolicy option.  This command requires the add privilege.
              This command has the aliases addprinc and ank.  The options
              are:

              -x db_princ_args
                     Denotes the database specific options.  The options for
                     LDAP database are:

                     -x dn=<dn>
                            Specifies the LDAP object that will contain the
                            Kerberos principal being created.

                     -x linkdn=<dn>
                            Specifies the LDAP object to which the newly
                            created Kerberos principal object will point to.

                     -x containerdn=<container_dn>
                            Specifies the container object under which the
                            Kerberos principal is to be created.

                     -x tktpolicy=<policy>
                            Associates a ticket policy to the Kerberos
                            principal.

              -expire expdate
                     expiration date of the principal

              -pwexpire pwexpdate
                     password expiration date

              -maxlife maxlife
                     maximum ticket life for the principal

              -maxrenewlife maxrenewlife
                     maximum renewable life of tickets for the principal

              -kvno kvno
                     explicitly set the key version number.

              -policy policy
                     policy used by this principal.  If no policy is supplied,
                     then if the policy "default" exists and the -clearpolicy
                     is not also specified, then the policy "default" is used;
                     otherwise, the principal will have no policy, and a
                     warning message will be printed.

              -clearpolicy
                     -clearpolicy prevents the policy "default" from being
                     assigned when -policy is not specified.  This option has
                     no effect if the policy "default" does not exist.

              {-|+}allow_postdated
                     -allow_postdated prohibits this principal from obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits this principal from
                     obtaining forwardable tickets.  (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits this principal from obtaining
                     renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits this principal from obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     this principal by prohibiting this principal from
                     obtaining a session key for another user.  (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires this principal to
                     preauthenticate before being allowed to kinit.  (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.)  -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires this principal to
                     preauthenticate using a hardware device before being
                     allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}ok_as_delegate
                     +ok_as_delegate sets the OK-AS-DELEGATE flag on tickets
                     issued for use with this principal as the service, which
                     clients may use as a hint that credentials can and should
                     be delegated when authenticating to the service.  (Sets
                     the KRB5_KDB_OK_AS_DELEGATE flag.)  -ok_as_delegate
                     clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     this principal.  (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for this principal is
                     not permitted.  This option is useless for most things.
                     +allow_tgs_req clears this flag.  The default is
                     +allow_tgs_req.  In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for this
                     principal.  +allow_tix clears this flag.  The default is
                     +allow_tix.  In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in attributes field to force a
                     password change; -needchange clears it.  The default is
                     -needchange.  In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking this as a password change service principal
                     (useless for most things).  -password_changing_service
                     clears the flag.  This flag intentionally has a long
                     name.  The default is -password_changing_service.  In
                     effect, +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
                     database.

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     sets the key of the principal to the specified string and
                     does not prompt for a password.  Note: using this option
                     in a shell script can be dangerous if unauthorized users
                     gain read access to the script.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.

              EXAMPLE:
                     kadmin: addprinc tlyu/admin
                     WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal tlyu/admin@BLEEP.COM:
                     Re-enter password for principal tlyu/admin@BLEEP.COM:
                     Principal "tlyu/admin@BLEEP.COM" created.
                     kadmin:

                     kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user
                     WARNING: no policy specified for "mwm_user@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal mwm_user@BLEEP.COM:
                     Re-enter password for principal mwm_user@BLEEP.COM:
                     Principal "mwm_user@BLEEP.COM" created.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires "add" privilege)
                     KADM5_BAD_MASK (shouldn't happen)
                     KADM5_DUP (principal exists already)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal
              deletes the specified principal from the database.  This command
              prompts for deletion, unless the -force option is given.  This
              command requires the delete privilege.  Aliased to delprinc.

              EXAMPLE:
                     kadmin: delprinc mwm_user
                     Are you sure you want to delete the principal
                     "mwm_user@BLEEP.COM"? (yes/no): yes
                     Principal "mwm_user@BLEEP.COM" deleted.
                     Make sure that you have removed this principal from
                     all ACLs before reusing.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires "delete" privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal
              modifies the specified principal, changing the fields as
              specified.  The options are as above for add_principal, except
              that password changing and flags related to password changing
              are forbidden by this command.  In addition, the option
              -clearpolicy will clear the current policy of a principal.  This
              command requires the modify privilege.  Aliased to modprinc.

              -x db_princ_args
                     Denotes the database specific options.  The options for
                     LDAP database are:

                     -x tktpolicy=<policy>
                            Associates a ticket policy to the Kerberos
                            principal.

                     -x linkdn=<dn>
                            Associates a Kerberos principal with a LDAP
                            object.  This option is honored only if the
                            Kerberos principal is not already associated with
                            a LDAP object.

              -unlock
                     Unlocks a locked principal (one which has received too
                     many failed authentication attempts without enough time
                     between them according to its password policy) so that it
                     can successfully authenticate.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires "modify" privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
              changes the password of principal.  Prompts for a new password
              if neither -randkey or -pw is specified.  Requires the changepw
              privilege, or that the principal that is running the program to
              be the same as the one changed.  Aliased to cpw.  The following
              options are available:

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     set the password to the specified string.  Not
                     recommended.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.

              -keepold
                     Keeps the previous kvno's keys around.  This flag is
                     usually not necessary except perhaps for TGS keys.  Don't
                     use this flag unless you know what you're doing.  This
                     option is not supported for the LDAP database.

              EXAMPLE:
                     kadmin: cpw systest
                     Enter password for principal systest@BLEEP.COM:
                     Re-enter password for principal systest@BLEEP.COM:
                     Password for systest@BLEEP.COM changed.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_PASS_Q_* (password policy violation errors)
                     KADM5_PADD_REUSE (password is in principal's password
                     history)
                     KADM5_PASS_TOOSOON (current password minimum life not
                     expired)

       purgekeys [-keepkvno oldest_kvno_to_keep] principal
              purges previously retained old keys (e.g., from change_password
              -keepold) from principal.  If -keepkvno is specified, then only
              purges keys with kvnos lower than oldest_kvno_to_keep.

       get_principal [-terse] principal
              gets the attributes of principal.  Requires the inquire
              privilege, or that the principal that is running the program to
              be the same as the one being listed.  With the -terse option,
              outputs fields as quoted tab-separated strings.  Alias getprinc.

              EXAMPLES:
                     kadmin: getprinc tlyu/admin
                     Principal: tlyu/admin@BLEEP.COM
                     Expiration date: [never]
                     Last password change: Mon Aug 12 14:16:47 EDT 1996
                     Password expiration date: [none]
                     Maximum ticket life: 0 days 10:00:00
                     Maximum renewable life: 7 days 00:00:00
                     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
                     Last successful authentication: [never]
                     Last failed authentication: [never]
                     Failed password attempts: 0
                     Number of keys: 2
                     Key: vno 1, DES cbc mode with CRC-32, no salt
                     Key: vno 1, DES cbc mode with CRC-32, Version 4
                     Attributes:
                     Policy: [none]
                     kadmin: getprinc -terse systest
                     systest@BLEEP.COM 3 86400 604800 1
                     785926535 753241234 785900000
                     tlyu/admin@BLEEP.COM 786100034 0 0
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get (inquire) privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
              Retrieves all or some principal names.  Expression is a shell-
              style glob expression that can contain the wild-card characters
              ?, *, and []'s.  All principal names matching the expression are
              printed.  If no expression is provided, all principal names are
              printed.  If the expression does not contain an "@" character,
              an "@" character followed by the local realm is appended to the
              expression.  Requires the list privilege.  Alias listprincs,
              get_principals, get_princs.

              EXAMPLES:
                     kadmin: listprincs test*
                     test3@SECURE-TEST.OV.COM
                     test2@SECURE-TEST.OV.COM
                     test1@SECURE-TEST.OV.COM
                     testuser@SECURE-TEST.OV.COM
                     kadmin:

       get_strings principal
              displays string attributes on principal.  String attributes are
              used to supply per-principal configuration to some KDC plugin
              modules.  Alias getstrs.

       set_string principal key value
              sets a string attribute on principal.  Alias setstr.

       del_string principal key
              deletes a string attribute from principal.  Alias delstr.

       add_policy [options] policy
              adds the named policy to the policy database.  Requires the add
              privilege.  Aliased to addpol.  The following options are
              available:

              -maxlife time
                     sets the maximum lifetime of a password

              -minlife time
                     sets the minimum lifetime of a password

              -minlength length
                     sets the minimum length of a password

              -minclasses number
                     sets the minimum number of character classes allowed in a
                     password

              -history number
                     sets the number of past keys kept for a principal.  This
                     option is not supported for LDAP database

              -maxfailure maxnumber
                     sets the maximum number of authentication failures before
                     the principal is locked.  Authentication failures are
                     only tracked for principals which require
                     preauthentication.

              -failurecountinterval failuretime
                     sets the allowable time between authentication failures.
                     If an authentication failure happens after failuretime
                     has elapsed since the previous failure, the number of
                     authentication failures is reset to 1.  A failure count
                     interval of 0 means forever.

              -lockoutduration lockouttime
                     sets the duration for which the principal is locked from
                     authenticating if too many authentication failures occur
                     without the specified failure count interval elapsing.  A
                     duration of 0 means forever.

              EXAMPLES:
                     kadmin: add_policy -maxlife "2 days" -minlength 5 guests
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires the add privilege)
                     KADM5_DUP (policy already exists)

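The interaction of -maxfailure, -failurecountinterval and -lockoutduration described above is easy to misjudge when choosing values (a failure count interval of 0 never resets the count; a lockout duration of 0 locks the principal until an administrator runs modify_principal -unlock). The following model is an added example, not code from MIT Kerberos or from this man page: it replays a constructed timeline of failed authentications against a policy and reports when the principal would be locked according to the rules the page states. Two details the page does not specify are labelled as assumptions in the code: a maxfailure of 0 is treated as "no lockout", and once a finite lockout has expired the failure count starts over.

```python
"""Offline model of the kadmin lockout policy options (-maxfailure,
-failurecountinterval, -lockoutduration) and of modify_principal -unlock.
Added example: policy values and failure timelines below are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    maxfailure: int            # failures before lock; 0 = no lockout (assumption)
    failurecountinterval: int  # seconds between failures; 0 means "forever"
    lockoutduration: int       # seconds locked; 0 means "forever"


@dataclass
class PrincipalState:
    """The fields getprinc shows as 'Failed password attempts' and
    'Last failed authentication', plus the lock itself."""
    requires_preauth: bool = True
    failed_attempts: int = 0
    last_failed: Optional[int] = None   # epoch seconds; None = [never]
    locked: bool = False


class LockoutModel:
    def __init__(self, policy: LockoutPolicy, state: Optional[PrincipalState] = None):
        self.policy = policy
        self.state = state or PrincipalState()

    def is_locked(self, now: int) -> bool:
        """Is the principal refused at time `now`?"""
        st, pol = self.state, self.policy
        if not st.locked:
            return False
        if pol.lockoutduration == 0:        # "A duration of 0 means forever"
            return True
        return now < st.last_failed + pol.lockoutduration

    def record_failure(self, now: int) -> bool:
        """Apply one failed authentication at time `now`; return the lock state."""
        st, pol = self.state, self.policy
        # Failures are only tracked for principals which require preauthentication.
        if not st.requires_preauth:
            return False
        if st.locked:
            if self.is_locked(now):
                return True
            # Finite lockout has expired: this model starts the count over (assumption).
            st.locked, st.failed_attempts = False, 0
        interval = pol.failurecountinterval
        if (st.last_failed is None or interval == 0          # 0 = forever: never reset
                or now - st.last_failed <= interval):
            st.failed_attempts += 1
        else:
            st.failed_attempts = 1   # previous failure older than the interval: reset to 1
        st.last_failed = now
        if pol.maxfailure and st.failed_attempts >= pol.maxfailure:
            st.locked = True
        return st.locked

    def unlock(self) -> None:
        """modify_principal -unlock: let the principal authenticate again."""
        self.state.locked = False
        self.state.failed_attempts = 0


def replay(policy: LockoutPolicy, failure_times: list) -> list:
    """Return the lock state after each failure in a constructed timeline."""
    model = LockoutModel(policy)
    return [model.record_failure(t) for t in failure_times]


if __name__ == "__main__":
    # Constructed: lock after 3 failures within 10 minutes, for 30 minutes.
    pol = LockoutPolicy(maxfailure=3, failurecountinterval=600, lockoutduration=1800)
    print("burst  :", replay(pol, [0, 100, 200]))      # third failure locks
    print("spread :", replay(pol, [0, 700, 800]))      # count reset at t=700, never locks
```

Reading the output: a burst of three failures inside the interval locks the principal on the third, while failures spaced more than failurecountinterval apart restart the count and never trip the lock. Detection logic that alerts on "Failed password attempts" from getprinc output should use the same interval arithmetic, or it will under-count slow, spaced attempts.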
       delete_policy [-force] policy
              deletes the named policy.  Prompts for confirmation before
              deletion.  The command will fail if the policy is in use by any
              principals.  Requires the delete privilege.  Alias delpol.

              EXAMPLE:
                     kadmin: del_policy guests
                     Are you sure you want to delete the policy "guests"?
                     (yes/no): yes
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires the delete privilege)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
              modifies the named policy.  Options are as above for add_policy.
              Requires the modify privilege.  Alias modpol.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
              displays the values of the named policy.  Requires the inquire
              privilege.  With the -terse flag, outputs the fields as quoted
              strings separated by tabs.  Alias getpol.

              EXAMPLES:
                     kadmin: get_policy admin
                     Policy: admin
                     Maximum password life: 180 days 00:00:00
                     Minimum password life: 00:00:00
                     Minimum password length: 6
                     Minimum number of password character classes: 2
                     Number of old keys kept: 5
                     Reference count: 17
                     kadmin: get_policy -terse admin
                     admin 15552000 0 6 2 5 17
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get privilege)
                     KADM5_UNK_POLICY (policy does not exist)

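The -terse form is the one to consume from scripts (for instance via kadmin -q "get_policy -terse admin"), and the two examples above give the field order: name, maximum life, minimum life, minimum length, minimum classes, old keys kept, reference count, with lifetimes in seconds (15552000 seconds is the 180 days of the verbose output). The following is an added example, not code from MIT Kerberos: it parses a captured terse line into a policy record, renders it back in the verbose layout, and evaluates a candidate password against the policy's -minlength and -minclasses values the way an administrator might pre-check a script-supplied -pw value. The character-class set (lower, upper, digit, punctuation, other) is an assumption of this example, as is the absence of history and lockout fields from a seven-field line.

```python
"""Parse `get_policy -terse` output and apply its password-quality fields.
Added example; TERSE_LINE is the page's example reproduced with tabs, as
get_policy -terse emits it."""
import string
from dataclasses import dataclass

TERSE_LINE = 'admin\t15552000\t0\t6\t2\t5\t17'


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    maxlife: int     # seconds
    minlife: int     # seconds
    minlength: int
    minclasses: int
    history: int     # number of old keys kept
    refcount: int    # principals referencing the policy


def parse_terse_policy(line: str) -> PasswordPolicy:
    """Split a terse line (tabs, or spaces if it was copied from a terminal)
    and strip the quoting kadmin may place around fields."""
    raw = line.rstrip('\n')
    fields = raw.split('\t') if '\t' in raw else raw.split()
    fields = [f.strip('"') for f in fields]
    if len(fields) != 7:   # assumption: the seven-field layout shown on the page
        raise ValueError(f"expected 7 fields, got {len(fields)}: {fields}")
    name, *numbers = fields
    return PasswordPolicy(name, *(int(n) for n in numbers))


def format_life(seconds: int) -> str:
    """Render seconds the way the verbose get_policy output does."""
    days, rest = divmod(seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    clock = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days} days {clock}" if days else clock


def render_verbose(p: PasswordPolicy) -> str:
    return "\n".join([
        f"Policy: {p.name}",
        f"Maximum password life: {format_life(p.maxlife)}",
        f"Minimum password life: {format_life(p.minlife)}",
        f"Minimum password length: {p.minlength}",
        f"Minimum number of password character classes: {p.minclasses}",
        f"Number of old keys kept: {p.history}",
        f"Reference count: {p.refcount}",
    ])


def character_classes(password: str) -> int:
    """Count distinct classes present (assumed set: lower, upper, digit, punct, other)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add('lower')
        elif ch.isupper():
            classes.add('upper')
        elif ch.isdigit():
            classes.add('digit')
        elif ch in string.punctuation:
            classes.add('punct')
        else:
            classes.add('other')
    return len(classes)


def check_password(p: PasswordPolicy, password: str) -> list:
    """Return the quality problems a KADM5_PASS_Q_* error would report; [] if none.
    Only the length and class rules are modelled; history and dictionary checks
    need server-side state this example does not have."""
    problems = []
    if len(password) < p.minlength:
        problems.append(f"length {len(password)} below minimum {p.minlength}")
    if character_classes(password) < p.minclasses:
        problems.append(f"{character_classes(password)} character classes, "
                        f"policy requires {p.minclasses}")
    return problems


if __name__ == "__main__":
    policy = parse_terse_policy(TERSE_LINE)
    print(render_verbose(policy))
    for candidate in ("abc", "abcdef", "Abcdef"):   # constructed candidates
        print(candidate, "->", check_password(policy, candidate) or "ok")
```

Pre-checking a password this way only filters out the obvious violations before the round trip; the server still enforces history (KADM5_PADD_REUSE) and minimum life (KADM5_PASS_TOOSOON), which no client-side check can reproduce.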
       list_policies [expression]
              Retrieves all or some policy names.  Expression is a shell-style
              glob expression that can contain the wild-card characters ?, *,
              and []'s.  All policy names matching the expression are printed.
              If no expression is provided, all existing policy names are
              printed.  Requires the list privilege.  Alias listpols,
              get_policies, getpols.

              EXAMPLES:
                     kadmin: listpols
                     test-pol
                     dict-only
                     once-a-min
                     test-pol-nopw
                     kadmin: listpols t*
                     test-pol
                     test-pol-nopw
                     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
             [-norandkey] [[principal | -glob princ-exp] [...]
              Adds a principal or all principals matching princ-exp to a
              keytab.  It randomizes each principal's key in the process, to
              prevent a compromised admin account from reading out all of the
              keys from the database.  However, kadmin.local has the
              -norandkey option, which leaves the keys and their version
              numbers unchanged, similar to the Kerberos V4 ext_srvtab
              command.  That allows users to continue to use the passwords
              they know to login normally, while simultaneously allowing
              scripts to login to the same account using a keytab.  There is
              no significant security risk added since kadmin.local must be
              run by root on the KDC anyway.

              Requires the inquire and changepw privileges.  An entry for each
              of the principal's unique encryption types is added, ignoring
              multiple keys with the same encryption type but different salt
              types.  If the -k argument is not specified, the default keytab
              /etc/krb5.keytab is used.  If the -q option is specified, less
              verbose status information is displayed.

              The -glob option requires the list privilege.  princ-exp follows
              the same rules described for the list_principals command.

              EXAMPLE:
                     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
                     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
                     kvno 3, encryption type DES-CBC-CRC added to keytab
                     WRFILE:/tmp/foo-new-keytab
                     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
              Removes entries for the specified principal from a keytab.
              Requires no permissions, since this does not require database
              access.  If the string "all" is specified, all entries for that
              principal are removed; if the string "old" is specified, all
              entries for that principal except those with the highest kvno
              are removed.  Otherwise, the value specified is parsed as an
              integer, and all entries whose kvno match that integer are
              removed.  If the -k argument is not specified, the default
              keytab /etc/krb5.keytab is used.  If the -q option is specified,
              less verbose status information is displayed.

              EXAMPLE:
                     kadmin: ktremove -k /var/kerberos/krb5kdc/kadmind.keytab kadmin/admin
                     Entry for principal kadmin/admin with kvno 3 removed
                     from keytab WRFILE:/var/kerberos/krb5kdc/kadmind.keytab.
                     kadmin:

FILES
       principal.db        default name for Kerberos principal database

       <dbname>.kadm5      KADM5 administrative database.  (This would be
                           "principal.kadm5", if you use the default database
                           name.)  Contains policy information.

       <dbname>.kadm5.lock lock file for the KADM5 administrative database.
                           This file works backwards from most other lock
                           files.  I.e., kadmin will exit with an error if
                           this file does not exist.

       Note: The above three files are specific to db2 database.

       kadm5.acl           file containing list of principals and their
                           kadmin administrative privileges.  See kadmind(8)
                           for a description.

       kadm5.keytab        keytab file for kadmin/admin principal.

       kadm5.dict          file containing dictionary of strings explicitly
                           disallowed as passwords.

HISTORY
       The kadmin program was originally written by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.

SEE ALSO
       kerberos(1), kpasswd(1), kadmind(8)

BUGS
       Command output needs to be cleaned up.

                                                                     KADMIN(1)