KDB5_UTIL(8)                     MIT Kerberos                     KDB5_UTIL(8)



NAME

       kdb5_util - Kerberos database maintenance utility


SYNOPSIS

       kdb5_util  [-r  realm]  [-d  dbname]  [-k  mkeytype] [-M mkeyname] [-kv
       mkeyVNO] [-sf stashfilename] [-m] [-P password] command
       [command_options]


DESCRIPTION

       kdb5_util allows an administrator to perform maintenance procedures  on
       the  KDC  database.  Databases can be created, destroyed, and dumped to
       or loaded from ASCII files.  kdb5_util can create a Kerberos master key
       stash file or perform live rollover of the master key.

       When  kdb5_util  is run, it attempts to acquire the master key and open
       the database.  However, execution continues regardless  of  whether  or
       not kdb5_util successfully opens the database, because the database may
       not exist yet or the stash file may be corrupt.

       Note that some KDC database modules may not support all kdb5_util
       commands.


COMMAND-LINE OPTIONS

       -r realm
              specifies the Kerberos realm of the database.

       -d dbname
              specifies the name under which the principal database is stored;
              by default the database is  that  listed  in  kdc.conf(5).   The
              password  policy  database  and lock files are also derived from
              this value.

       -k mkeytype
              specifies the key type of the master key in the  database.   The
              default is given by the master_key_type variable in kdc.conf(5).

       -kv mkeyVNO
              specifies  the version number of the master key in the database;
              the default is 1.  Note that 0 is not allowed.

       -M mkeyname
              principal name for the master key in the database.  If not
              specified, the name is determined by the master_key_name
              variable in kdc.conf(5).

       -m     specifies that the master database password should be read  from
              the keyboard rather than fetched from a file on disk.

       -sf stash_file
              specifies  the  stash  filename of the master database password.
              If  not  specified,  the   filename   is   determined   by   the
              key_stash_file variable in kdc.conf(5).

       -P password
              specifies  the  master database password.  Using this option may
              expose the password to other users on the system via the process
              list (for example, in ps output); prefer -m or a stash file.


COMMANDS

   create
          create [-s]

       Creates  a new database.  If the -s option is specified, the stash file
       is also created.  This command fails if the  database  already  exists.
       If  the command is successful, the database is opened just as if it had
       already existed when the program was first run.

   destroy
          destroy [-f]

       Destroys the database, first overwriting  the  disk  sectors  and  then
       unlinking  the  files, after prompting the user for confirmation.  With
       the -f argument, does not prompt the user.

   stash
          stash [-f keyfile]

       Stores the master principal's keys in a stash file.   The  -f  argument
       can be used to override the keyfile specified in kdc.conf(5).

   dump
          dump  [-b7|-ov|-r13|-r18]  [-verbose]  [-mkey_convert]  [-new_mkey_file
          mkey_file] [-rev] [-recurse] [filename [principals...]]

       Dumps the current Kerberos and KADM5 database into an ASCII  file.   By
       default, the database is dumped in current format, "kdb5_util load_dump
       version 7".  If filename is not specified, or is the  string  "-",  the
       dump is sent to standard output.  The dump contains every principal's
       key data, encrypted only under the master key, so it must be protected
       like the database and stash file themselves.  Options:

       -b7    causes  the  dump  to  be  in  the  Kerberos  5  Beta  7  format
              ("kdb5_util load_dump version 4").  This  was  the  dump  format
              produced on releases prior to 1.2.2.

       -ov    causes the dump to be in "ovsec_adm_export" format.

       -r13   causes  the  dump to be in the Kerberos 5 1.3 format ("kdb5_util
              load_dump version 5").  This was the  dump  format  produced  on
              releases prior to 1.8.

       -r18   causes  the  dump to be in the Kerberos 5 1.8 format ("kdb5_util
              load_dump version 6").  This was the  dump  format  produced  on
              releases prior to 1.11.

       -verbose
              causes the name of each principal and policy to be printed as it
              is dumped.

       -mkey_convert
              prompts for a new master key.  This new master key will be  used
              to re-encrypt principal key data in the dumpfile.  The principal
              keys themselves will not be changed.

       -new_mkey_file mkey_file
              the filename of a stash file.  The master key in this stash file
              will  be  used  to re-encrypt the key data in the dumpfile.  The
              key data in the database will not be changed.

       -rev   dumps in reverse order.  This may recover principals that do not
              dump normally, in cases where database corruption has occurred.

       -recurse
              causes  the  dump to walk the database recursively (btree only).
              This may recover principals that do not dump normally, in  cases
              where  database  corruption has occurred.  In cases of such
              corruption, this option will probably retrieve more principals
              than the -rev option will.

              Changed in version 1.15: Release 1.15 restored the functionality
              of the -recurse option.

              Changed in version 1.5: The -recurse option ceased working until
              release 1.15, doing a normal dump instead of a recursive
              traversal.

   load
          load [-b7|-ov|-r13|-r18] [-hash] [-verbose] [-update] filename [dbname]

       Loads a database dump from the named file into the named database.   If
       no option is given to determine the format of the dump file, the format
       is detected automatically  and  handled  as  appropriate.   Unless  the
       -update  option  is  given, load creates a new database containing only
       the data in the dump file, overwriting the contents of  any  previously
       existing  database.  Note that when using the LDAP KDC database module,
       the -update flag is required.

       Options:

       -b7    requires the database to be in the  Kerberos  5  Beta  7  format
              ("kdb5_util  load_dump  version  4").   This was the dump format
              produced on releases prior to 1.2.2.

       -ov    requires the database to be in "ovsec_adm_import" format.   Must
              be used with the -update option.

       -r13   requires the database to be in Kerberos 5 1.3 format ("kdb5_util
              load_dump version 5").  This was the  dump  format  produced  on
              releases prior to 1.8.

       -r18   requires the database to be in Kerberos 5 1.8 format ("kdb5_util
              load_dump version 6").  This was the  dump  format  produced  on
              releases prior to 1.11.

       -hash  requires the database to be stored as a hash.  If this option is
              not specified, the database will be stored  as  a  btree.   This
              option  is  not  recommended, as databases stored in hash format
              are known to corrupt data and lose principals.

       -verbose
              causes the name of each principal and policy to be printed as it
              is loaded.

       -update
              records from the dump file are added to or updated in the
              existing database.  Otherwise, a new database is created
              containing only what is in the dump file and the old one
              destroyed upon successful completion.

       If specified, dbname overrides the value specified on the command  line
       or the default.

   ark
          ark [-e enc:salt,...] principal

       Adds  new  random  keys  to principal at the next available key version
       number.  Keys for the current highest key version number will  be  pre‐
       served.   The -e option specifies the list of encryption and salt types
       to be used for the new keys.

   add_mkey
          add_mkey [-e etype] [-s]

       Adds a new master key to the master key principal, but does not mark it
       as  active.  Existing master keys will remain.  The -e option specifies
       the encryption type of the new  master  key;  see  Encryption_types  in
       kdc.conf(5)  for  a list of possible values.  The -s option stashes the
       new master key in the stash file, which will be created if  it  doesn't
       already exist.

       After  a  new  master  key  is  added, it should be propagated to slave
       servers via a manual or periodic invocation  of  kprop(8).   Then,  the
       stash  files  on the slave servers should be updated with the kdb5_util
       stash command.  Once those steps are complete, the key is ready  to  be
       marked active with the kdb5_util use_mkey command.  Activating the key
       before every slave has it in its stash file leaves those slaves unable
       to decrypt any principal key that is subsequently encrypted under it.

   use_mkey
          use_mkey mkeyVNO [time]

       Sets  the activation time of the master key specified by mkeyVNO.  Once
       a master key becomes active, it will be used to encrypt  newly  created
       principal  keys.   If  no  time  argument is given, the current time is
       used, causing the specified master key version to become active
       immediately.  The format for time is a getdate string.

       After    a    new    master   key   becomes   active,   the   kdb5_util
       update_princ_encryption command can be used  to  update  all  principal
       keys to be encrypted in the new master key.

   list_mkeys
          list_mkeys

       List  all  master keys, from most recent to earliest, in the master key
       principal.  The output will show the kvno, enctype, and salt  type  for
       each  mkey, similar to the output of kadmin(1) getprinc.  A * following
       an mkey denotes the currently active master key.

   purge_mkeys
          purge_mkeys [-f] [-n] [-v]

       Delete master keys from the master key principal that are not  used  to
       protect  any principals.  This command can be used to remove old master
       keys once all principal keys are protected by a newer master key.

       -f     does not prompt for confirmation.

       -n     performs a dry run, showing master keys that  would  be  purged,
              but not actually purging any keys.

       -v     gives more verbose output.

   update_princ_encryption
          update_princ_encryption [-f] [-n] [-v] [princ-pattern]

       Update  all principal records (or only those matching the princ-pattern
       glob pattern) to re-encrypt the key data using the active database
       master key, if they are encrypted using a different version, and give a
       count at the end of the number of principals updated.  If the -f option
       is  not  given,  ask  for confirmation before starting to make changes.
       The -v option causes each principal processed to  be  listed,  with  an
       indication as to whether it needed updating or not.  The -n option
       performs a dry run, only showing the actions which would have been
       taken.

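       The add_mkey, stash, use_mkey, list_mkeys, update_princ_encryption and
       purge_mkeys commands above are the steps of one procedure, a live master
       key rollover.  The script below strings them together in that order with
       the checks a careful operator wants between the steps.  It is an added
       example, not code from the kdb5_util man page or from MIT Kerberos; the
       stash file path, the replica host list, the ssh-based refresh of replica
       stash files and the exact line layout of list_mkeys output (the sample
       is constructed) are assumptions not taken from this page.

```shell
#!/bin/sh
# Master key rollover runbook built from the kdb5_util commands documented
# above.  Added example, not part of MIT Kerberos.  Assumptions (not from the
# man page): STASH_FILE path, REPLICAS list, ssh to refresh replica stashes,
# and the layout of list_mkeys output (SAMPLE_LIST_MKEYS is constructed).
set -eu

KDB5_UTIL="${KDB5_UTIL:-kdb5_util}"
NEW_ETYPE="${NEW_ETYPE:-aes256-cts-hmac-sha1-96}"
STASH_FILE="${STASH_FILE:-/var/kerberos/krb5kdc/.k5.EXAMPLE.COM}"  # assumption
REPLICAS="${REPLICAS:-kdc2.example.com}"                           # assumption
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands that would run

# Constructed sample of list_mkeys output; the man page says '*' marks the
# active key.  Used in place of the real command while DRY_RUN=1.
SAMPLE_LIST_MKEYS='Master keys for Principal: K/M@EXAMPLE.COM
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, No activate time set
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Mon Jan 01 00:00:00 UTC 2018 *'

run() {
    if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

list_mkeys() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$SAMPLE_LIST_MKEYS"
    else "$KDB5_UTIL" list_mkeys; fi
}

# kvno of the key flagged with a trailing '*' in list_mkeys output (stdin).
active_mkvno() {
    awk '/^KVNO:/ && /\*[[:space:]]*$/ {
            sub(/^KVNO:[[:space:]]*/, ""); sub(/,.*/, ""); print; exit }'
}

# Highest kvno in list_mkeys output (stdin): the key add_mkey just created.
highest_mkvno() {
    awk '/^KVNO:/ { sub(/^KVNO:[[:space:]]*/, ""); sub(/,.*/, "")
                    if ($0 + 0 > max) max = $0 + 0 }
         END { print max + 0 }'
}

# The stash file holds the master key in the clear: refuse to continue unless
# it exists and is mode 0600.  (Owner is not checked; root is expected.)
check_stash_perms() {
    f="$1"
    [ -f "$f" ] || { echo "stash file $f is missing" >&2; return 1; }
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    [ "$mode" = 600 ] || { echo "stash file $f has mode $mode, want 600" >&2; return 1; }
}

rollover() {
    # 1. add the new key (still inactive) and stash it on this KDC
    run "$KDB5_UTIL" add_mkey -e "$NEW_ETYPE" -s
    check_stash_perms "$STASH_FILE" || [ "$DRY_RUN" = 1 ]
    # 2. propagate the database, then refresh every replica's stash file;
    #    activating before this step leaves replicas unable to use the key
    for h in $REPLICAS; do
        run kprop "$h"
        run ssh "root@$h" kdb5_util stash
    done
    # 3. activate only after confirming a newer kvno than the active one exists
    new=$(list_mkeys | highest_mkvno)
    active=$(list_mkeys | active_mkvno)
    [ "$new" -gt "$active" ] || { echo "no new master key to activate" >&2; return 1; }
    run "$KDB5_UTIL" use_mkey "$new"
    # 4. preview, then re-encrypt every principal's keys under the new key
    run "$KDB5_UTIL" update_princ_encryption -n
    run "$KDB5_UTIL" update_princ_encryption -f -v
    # 5. show which old master keys are now unreferenced; purge for real
    #    only after the re-encryption has been propagated again
    run "$KDB5_UTIL" purge_mkeys -n
}

if [ "${1:-}" = rollover ]; then rollover; fi
```

       Run it as "sh rollover.sh rollover" to see the command sequence; set
       DRY_RUN=0 (and the real STASH_FILE and REPLICAS) to execute it.  The
       dry run is also the safe way to check that the awk parsing matches the
       list_mkeys output of the installed release before trusting it.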
   tabdump
          tabdump [-H] [-c] [-e] [-n] [-o outfile] dumptype

       Dump selected fields of the database in a tabular format  suitable  for
       reporting  (e.g.,  using  traditional  Unix  text  processing tools) or
       importing into relational databases.  The data format is  tab-separated
       (default),  or optionally comma-separated (CSV), with a fixed number of
       columns.  The output begins with a header line containing field  names,
       unless suppression is requested using the -H option.

       The  dumptype  parameter  specifies  the  name  of an output table (see
       below).

       Options:

       -H     suppress writing the field names in a header line

       -c     use comma separated values (CSV) format, with  minimal  quoting,
              instead of the default tab-separated (unquoted, unescaped)
              format

       -e     write empty hexadecimal string fields as empty fields instead of
              as "-1".

       -n     produce  numeric  output  for fields that normally have symbolic
              output, such as enctypes and flag names.  Also  requests  output
              of time stamps as decimal POSIX time_t values.

       -o outfile
              write the dump to the specified output file instead of to
              standard output

       Dump types:

       keydata
              principal encryption key information, including actual key  data
              (which is still encrypted in the master key)

              name   principal name

              keyindex
                     index of this key in the principal's key list

              kvno   key version number

              enctype
                     encryption type

              key    key data as a hexadecimal string

              salttype
                     salt type

              salt   salt data as a hexadecimal string

       keyinfo
              principal  encryption  key  information  (as  in keydata above),
              excluding actual key data

       princ_flags
              principal boolean attributes.  If the -n option is specified,
              flag names print as hexadecimal numbers and every flag position
              is printed whether or not it is set.  If -n is not specified,
              all known flag names are printed for each principal, and flags
              without a known name are printed as hexadecimal names only when
              the corresponding flag is set.

              name   principal name

              flag   flag name

              value  boolean value (0 for clear, or 1 for set)

       princ_lockout
              state information used for tracking repeated password failures

              name   principal name

              last_success
                     time stamp of most recent successful authentication

              last_failed
                     time stamp of most recent failed authentication

              fail_count
                     count of failed attempts

       princ_meta
              principal metadata

              name   principal name

              modby  name of last principal to modify this principal

              modtime
                     timestamp of last modification

              lastpwd
                     timestamp of last password change

              policy policy object name

              mkvno  key  version  number of the master key that encrypts this
                     principal's key data

              hist_kvno
                     key version number of the history key that  encrypts  the
                     key history data for this principal

       princ_stringattrs
              string attributes (key/value pairs)

              name   principal name

              key    attribute name

              value  attribute value

       princ_tktpolicy
              per-principal ticket policy data, including maximum ticket
              lifetimes

              name   principal name

              expiration
                     principal expiration date

              pw_expiration
                     password expiration date

              max_life
                     maximum ticket lifetime

              max_renew_life
                     maximum renewable ticket lifetime

       Examples:

          $ kdb5_util tabdump -o keyinfo.txt keyinfo
          $ cat keyinfo.txt
          name        keyindex        kvno    enctype salttype        salt
          foo@EXAMPLE.COM     0       1       aes128-cts-hmac-sha1-96 normal  -1
          bar@EXAMPLE.COM     0       1       aes128-cts-hmac-sha1-96 normal  -1
          bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
          $ sqlite3
          sqlite> .mode tabs
          sqlite> .import keyinfo.txt keyinfo
          sqlite> select * from keyinfo where enctype like 'des-cbc-%';
          bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1
          sqlite> .quit
          $ awk -F'\t' '$4 ~ /des-cbc-/ { print }' keyinfo.txt
          bar@EXAMPLE.COM     1       1       des-cbc-crc     normal  -1

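       The awk one-liner in the example above finds individual DES keys.  What
       an audit usually needs instead is the per-principal view: which
       principals have only deprecated keys (the KDC cannot issue them a ticket
       under a strong enctype at all) and which still carry a deprecated key
       beside strong ones.  The script below computes both from a keyinfo
       table.  It is an added example, not code from this page or from MIT
       Kerberos; the sample table is constructed in the column order the
       keyinfo table documents, and the choice to flag des-*, des3-* and
       arcfour-hmac* as deprecated (per RFC 6649 and RFC 8429) is this
       example's assumption.

```shell
#!/bin/sh
# Audit 'kdb5_util tabdump keyinfo' output for deprecated enctypes.
# Added example, not part of MIT Kerberos.  Input is the default tab-separated
# format with the header line (-H not given); with -c you would need a real
# CSV parser instead of awk -F'\t'.  Real use:
#   kdb5_util tabdump -o keyinfo.txt keyinfo && sh audit.sh keyinfo.txt
set -eu

# Enctype name prefixes treated as deprecated (assumption: RFC 6649 / RFC 8429
# cover des-*, des3-* and arcfour-hmac*; no other MIT enctype starts this way).
WEAK='^(des|arcfour)'

# Constructed sample in the exact shape of the keyinfo table documented above.
sample_keyinfo() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' \
        name keyindex kvno enctype salttype salt \
        host/web1.example.com@EXAMPLE.COM 0 3 aes256-cts-hmac-sha1-96 normal -1 \
        host/web1.example.com@EXAMPLE.COM 1 3 aes128-cts-hmac-sha1-96 normal -1 \
        legacy/app@EXAMPLE.COM 0 1 des-cbc-crc normal -1 \
        legacy/app@EXAMPLE.COM 1 1 arcfour-hmac normal -1 \
        alice@EXAMPLE.COM 0 5 aes256-cts-hmac-sha1-96 normal -1 \
        alice@EXAMPLE.COM 1 5 des3-cbc-sha1 normal -1
}

# Every key row with a deprecated enctype: "principal<TAB>kvno<TAB>enctype".
deprecated_key_rows() {
    awk -F'\t' -v weak="$WEAK" '
        NR == 1 && $1 == "name" { next }          # skip the header line
        $4 ~ weak { print $1 "\t" $3 "\t" $4 }' "$1"
}

# Principals with NO key of a non-deprecated enctype.  Every ticket for such a
# principal uses a deprecated cipher, so they need new keys (kadmin cpw -e or
# kdb5_util ark -e with strong enctypes) before the weak enctypes are removed
# from the KDC configuration.
principals_without_strong_key() {
    awk -F'\t' -v weak="$WEAK" '
        NR == 1 && $1 == "name" { next }
        { seen[$1] = 1; if ($4 !~ weak) strong[$1] = 1 }
        END { for (p in seen) if (!(p in strong)) print p }' "$1" | sort
}

# Principals holding a deprecated key beside strong ones.  A client that
# requests only the deprecated enctype can still be issued such a ticket if
# the KDC permits that enctype, so these keys should be removed too.
principals_with_mixed_keys() {
    awk -F'\t' -v weak="$WEAK" '
        NR == 1 && $1 == "name" { next }
        { if ($4 ~ weak) w[$1] = 1; else s[$1] = 1 }
        END { for (p in w) if (p in s) print p }' "$1" | sort
}

if [ "${1:-}" ]; then
    echo "== deprecated key rows";      deprecated_key_rows "$1"
    echo "== only deprecated keys";     principals_without_strong_key "$1"
    echo "== mixed strong/deprecated";  principals_with_mixed_keys "$1"
fi
```

       Because keyinfo excludes the key field, this report can be produced and
       shared without handling key material; the same functions work on a
       keydata table, but that file must then be protected like a dump.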

SEE ALSO

       kadmin(1), kdc.conf(5), kprop(8)


AUTHOR

       MIT

COPYRIGHT

       1985-2017, MIT




1.15.1                                                            KDB5_UTIL(8)