KADMIN(1)                        MIT Kerberos                        KADMIN(1)


NAME

       kadmin - Kerberos V5 database administration program


SYNOPSIS

       kadmin   [-O|-N]   [-r   realm]   [-p   principal]   [-q   query]  [[-c
       cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]
       [command args...]

       kadmin.local  [-r  realm]  [-p  principal]  [-q  query] [-d dbname] [-e
       enc:salt ...]  [-m] [-x db_args] [command args...]


DESCRIPTION

       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
       administration  system.  They provide nearly identical functionalities;
       the difference is that kadmin.local directly accesses the KDC database,
       while  kadmin  performs operations using kadmind.  Except as explicitly
       noted otherwise, this man page will use "kadmin" to refer to both  ver‐
       sions.   kadmin  provides  for  the maintenance of Kerberos principals,
       password policies, and service key tables (keytabs).

       The remote kadmin client uses Kerberos to authenticate to kadmind using
       the service principal kadmin/admin or kadmin/ADMINHOST (where ADMINHOST
       is the fully-qualified hostname of the admin server).  If  the  creden‐
       tials  cache  contains a ticket for one of these principals, and the -c
       credentials_cache option is specified, that ticket is used to authenti‐
       cate  to kadmind.  Otherwise, the -p and -k options are used to specify
       the client Kerberos principal name used to authenticate.   Once  kadmin
       has  determined  the  principal name, it requests a service ticket from
       the KDC, and uses that service ticket to authenticate to kadmind.

       Since kadmin.local directly accesses the KDC database, it usually  must
       be  run directly on the primary KDC with sufficient permissions to read
       the KDC database.  If the KDC database uses the LDAP  database  module,
       kadmin.local can be run on any host which can access the LDAP server.


OPTIONS

       -r realm
              Use realm as the default database realm.

       -p principal
              Use  principal  to  authenticate.  Otherwise, kadmin will append
              /admin to the primary principal name of the default ccache,  the
              value  of  the USER environment variable, or the username as ob‐
              tained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response  instead  of  prompting
              for  a  password.   In  this case, the default principal will be
              host/hostname.  If there is no keytab specified with the -t  op‐
              tion, then the default keytab will be used.

       -t keytab
              Use  keytab  to decrypt the KDC response.  This can only be used
              with the -k option.

       -n     Requests anonymous processing.  Two types of  anonymous  princi‐
              pals  are  supported.   For  fully anonymous Kerberos, configure
              PKINIT on the KDC and configure pkinit_anchors in  the  client's
              krb5.conf.   Then use the -n option with a principal of the form
              @REALM (an empty principal name followed by the  at-sign  and  a
              realm  name).  If permitted by the KDC, an anonymous ticket will
              be returned.  A second form of anonymous tickets  is  supported;
              these  realm-exposed tickets hide the identity of the client but
              not the client's realm.  For this mode, use kinit -n with a nor‐
              mal principal name.  If supported by the KDC, the principal (but
              not realm) will be replaced by the anonymous principal.   As  of
              release  1.8, the MIT Kerberos KDC only supports fully anonymous
              operation.

       -c credentials_cache
              Use credentials_cache  as  the  credentials  cache.   The  cache
              should  contain  a  service  ticket for the kadmin/admin or kad‐
              min/ADMINHOST (where ADMINHOST is the  fully-qualified  hostname
              of  the admin server) service; it can be acquired with the kinit
              program.  If this option is not specified, kadmin requests a new
              service  ticket from the KDC, and stores it in its own temporary
              ccache.

       -w password
              Use password instead of prompting for one.  Use this option with
              care, as it may expose the password to other users on the system
              via the process list.

       -q query
              Perform the specified query and then exit.

       -d dbname
              Specifies the name of the KDC database.  This  option  does  not
              apply to the LDAP database module.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     If  using  kadmin.local, prompt for the database master password
              instead of reading it from a stash file.

       -e "enc:salt ..."
              Sets the keysalt list to be used for any new keys created.   See
              Keysalt lists in kdc.conf for a list of possible values.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies the database specific arguments.  See the next section
              for supported options.

       Starting with release 1.14, if any command-line arguments remain  after
       the  options,  they  will  be treated as a single query to be executed.
       This mode of operation is intended for scripts and behaves  differently
       from the interactive mode in several respects:

       • Query arguments are split by the shell, not by kadmin.

       • Informational  and  warning  messages are suppressed.  Error messages
         and query output (e.g. for get_principal) will still be displayed.

       • Confirmation prompts are disabled (as if -force was given).  Password
         prompts will still be issued as required.

       • The exit status will be non-zero if the query fails.

       The -q option does not carry these behavior differences; the query will
       be processed as if it was entered interactively.  The -q option  cannot
       be used in combination with a query in the remaining arguments.


DATABASE OPTIONS

       Database  options  can  be used to override database-specific defaults.
       Supported options for the DB2 module are:

          -x dbname=*filename*
                 Specifies the base filename of the DB2 database.

          -x lockiter
                 Make iteration operations hold the lock for the  duration  of
                 the  entire  operation, rather than temporarily releasing the
                 lock while handling each principal.  This is the default  be‐
                 havior, but this option exists to allow command line override
                 of a [dbmodules] setting.  First introduced in release 1.13.

          -x unlockiter
                 Make iteration operations unlock the database for each  prin‐
                 cipal,  instead  of  holding the lock for the duration of the
                 entire operation.  First introduced in release 1.13.

       Supported options for the LDAP module are:

          -x host=ldapuri
                 Specifies the LDAP server to connect to by a LDAP URI.

          -x binddn=bind_dn
                 Specifies the DN used to bind to the LDAP server.

          -x bindpwd=password
                 Specifies the password or SASL secret used  to  bind  to  the
                 LDAP  server.   Using  this option may expose the password to
                 other users on the system via  the  process  list;  to  avoid
                 this, instead stash the password using the stashsrvpw command
                 of kdb5_ldap_util.

          -x sasl_mech=mechanism
                 Specifies the SASL mechanism used to bind to the LDAP server.
                 The  bind  DN is ignored if a SASL mechanism is used.  New in
                 release 1.13.

          -x sasl_authcid=name
                 Specifies the authentication name used when  binding  to  the
                 LDAP  server with a SASL mechanism, if the mechanism requires
                 one.  New in release 1.13.

          -x sasl_authzid=name
                 Specifies the authorization name used  when  binding  to  the
                 LDAP server with a SASL mechanism.  New in release 1.13.

          -x sasl_realm=realm
                 Specifies the realm used when binding to the LDAP server with
                 a SASL mechanism, if the mechanism uses one.  New in  release
                 1.13.

          -x debug=level
                 Sets  the  OpenLDAP  client library debug level.  level is an
                 integer to be interpreted by the library.  Debugging messages
                 are printed to standard error.  New in release 1.12.


COMMANDS

       When  using the remote client, available commands may be restricted ac‐
       cording to the privileges specified in the kadm5.acl file on the  admin
       server.

   add_principal
          add_principal [options] newprinc

       Creates the principal newprinc, prompting twice for a password.  If  no
       password  policy  is  specified  with  the -policy option, the policy
       named default is assigned to the principal if it exists.  However, cre‐
       ating a policy named default will not automatically assign this  policy
       to  previously existing principals.  This policy assignment can be sup‐
       pressed with the -clearpolicy option.

       This command requires the add privilege.

       Aliases: addprinc, ank

       Options:

       -expire expdate
              (getdate time string) The expiration date of the principal.

       -pwexpire pwexpdate
              (getdate time string) The password expiration date.

       -maxlife maxlife
              (Time duration or getdate time string) The maximum  ticket  life
              for the principal.

       -maxrenewlife maxrenewlife
              (Time  duration  or  getdate  time string) The maximum renewable
              life of tickets for the principal.

       -kvno kvno
              The initial key version number.

       -policy policy
              The password policy used by this principal.  If  not  specified,
              the  policy default is used if it exists (unless -clearpolicy is
              specified).

       -clearpolicy
              Prevents any policy from being  assigned  when  -policy  is  not
              specified.

       {-|+}allow_postdated
              -allow_postdated  prohibits  this principal from obtaining post‐
              dated tickets.  +allow_postdated clears this flag.

       {-|+}allow_forwardable
              -allow_forwardable prohibits this principal from obtaining  for‐
              wardable tickets.  +allow_forwardable clears this flag.

       {-|+}allow_renewable
              -allow_renewable  prohibits this principal from obtaining renew‐
              able tickets.  +allow_renewable clears this flag.

       {-|+}allow_proxiable
              -allow_proxiable prohibits this principal from obtaining  proxi‐
              able tickets.  +allow_proxiable clears this flag.

       {-|+}allow_dup_skey
              -allow_dup_skey  disables  user-to-user  authentication for this
              principal by prohibiting others from obtaining a service  ticket
              encrypted  in this principal's TGT session key.  +allow_dup_skey
              clears this flag.

       {-|+}requires_preauth
              +requires_preauth requires this principal to preauthenticate be‐
              fore  being  allowed  to  kinit.   -requires_preauth clears this
              flag.  When +requires_preauth is set on a service principal, the
              KDC  will  only issue service tickets for that service principal
              if the  client's  initial  authentication  was  performed  using
              preauthentication.

       {-|+}requires_hwauth
              +requires_hwauth  requires this principal to preauthenticate us‐
              ing a hardware device  before  being  allowed  to  kinit.   -re‐
              quires_hwauth clears this flag.  When +requires_hwauth is set on
              a service principal, the KDC will only issue service tickets for
              that  service  principal  if the client's initial authentication
              was performed using a hardware device to preauthenticate.

       {-|+}ok_as_delegate
              +ok_as_delegate sets the okay as delegate flag on tickets issued
              with  this  principal as the service.  Clients may use this flag
              as a hint that credentials should be delegated when authenticat‐
              ing to the service.  -ok_as_delegate clears this flag.

       {-|+}allow_svr
              -allow_svr  prohibits  the  issuance of service tickets for this
              principal.  In release  1.17  and  later,  user-to-user  service
              tickets  are  still  allowed  unless the -allow_dup_skey flag is
              also set.  +allow_svr clears this flag.

       {-|+}allow_tgs_req
              -allow_tgs_req specifies that a  Ticket-Granting  Service  (TGS)
              request  for  a service ticket for this principal is not permit‐
              ted.  +allow_tgs_req clears this flag.

       {-|+}allow_tix
              -allow_tix forbids the issuance of any tickets for this  princi‐
              pal.  +allow_tix clears this flag.

       {-|+}needchange
              +needchange forces a password change on the next initial authen‐
              tication to this principal.  -needchange clears this flag.

       {-|+}password_changing_service
              +password_changing_service marks this principal  as  a  password
              change service principal.

       {-|+}ok_to_auth_as_delegate
              +ok_to_auth_as_delegate  allows  this  principal to acquire for‐
              wardable tickets to itself from arbitrary users,  for  use  with
              constrained delegation.

       {-|+}no_auth_data_required
              +no_auth_data_required  prevents  PAC or AD-SIGNEDPATH data from
              being added to service tickets for the principal.

       {-|+}lockdown_keys
              +lockdown_keys prevents keys for this principal from leaving the
              KDC  via  kadmind.  The chpass and extract operations are denied
              for a principal with this attribute.  The  chrand  operation  is
              allowed,  but  will not return the new keys.  The delete and re‐
              name operations are also denied if this attribute is set, in or‐
              der  to prevent a malicious administrator from replacing princi‐
              pals like krbtgt/* or kadmin/* with new principals  without  the
              attribute.   This attribute can be set via the network protocol,
              but can only be removed using kadmin.local.

       -randkey
              Sets the key of the principal to a random value.

       -nokey Causes the principal to be created with no key.  New in  release
              1.12.

       -pw password
              Sets  the  password of the principal to the specified string and
              does not prompt for a password.  Note: using this  option  in  a
              shell  script may expose the password to other users on the sys‐
              tem via the process list.

       -e enc:salt,...
              Uses the specified keysalt list for  setting  the  keys  of  the
              principal.  See Keysalt lists in kdc.conf for a list of possible
              values.

       -x db_princ_args
              Indicates database-specific options.  The options for  the  LDAP
              database module are:

              -x dn=dn
                     Specifies  the LDAP object that will contain the Kerberos
                     principal being created.

              -x linkdn=dn
                     Specifies the LDAP object to which the newly created Ker‐
                     beros principal object will point.

              -x containerdn=container_dn
                     Specifies  the  container object under which the Kerberos
                     principal is to be created.

              -x tktpolicy=policy
                     Associates a ticket policy to the Kerberos principal.

              NOTE:

                 • The containerdn and linkdn options cannot be specified with
                   the dn option.

                 • If  the  dn  or containerdn options are not specified while
                   adding the principal, the principals are created under  the
                   principal  container  configured  in the realm or the realm
                   container.

                 • dn and containerdn should be within the subtrees or princi‐
                   pal container configured in the realm.

       Example:

          kadmin: addprinc jennifer
          No policy specified for "jennifer@ATHENA.MIT.EDU";
          defaulting to no policy.
          Enter password for principal jennifer@ATHENA.MIT.EDU:
          Re-enter password for principal jennifer@ATHENA.MIT.EDU:
          Principal "jennifer@ATHENA.MIT.EDU" created.
          kadmin:

   modify_principal
          modify_principal [options] principal

       Modifies  the  specified  principal,  changing the fields as specified.
       The options to add_principal also apply to this command, except for the
       -randkey,  -pw,  and  -e options.  In addition, the option -clearpolicy
       will clear the current policy of a principal.

       This command requires the modify privilege.

       Alias: modprinc

       Options (in addition to the addprinc options):

       -unlock
              Unlocks a locked principal (one  which  has  received  too  many
              failed  authentication attempts without enough time between them
              according to its password policy) so that  it  can  successfully
              authenticate.

   rename_principal
          rename_principal [-force] old_principal new_principal

       Renames  the  specified  old_principal  to new_principal.  This command
       prompts for confirmation, unless the -force option is given.

       This command requires the add and delete privileges.

       Alias: renprinc

   delete_principal
          delete_principal [-force] principal

       Deletes the  specified  principal  from  the  database.   This  command
       prompts for confirmation before deletion, unless the -force option  is
       given.

       This command requires the delete privilege.

       Alias: delprinc

   change_password
          change_password [options] principal

       Changes  the password of principal.  Prompts for a new password if nei‐
       ther -randkey nor -pw is specified.

       This command requires the changepw privilege,  or  that  the  principal
       running the program is the same as the principal being changed.

       Alias: cpw

       The following options are available:

       -randkey
              Sets the key of the principal to a random value.

       -pw password
              Set  the password to the specified string.  Using this option in
              a script may expose the password to other users  on  the  system
              via the process list.

       -e enc:salt,...
              Uses  the  specified  keysalt  list  for setting the keys of the
              principal.  See Keysalt lists in kdc.conf for a list of possible
              values.

       -keepold
              Keeps  the  existing keys in the database.  This flag is usually
              not necessary except perhaps for krbtgt principals.

       Example:

          kadmin: cpw systest
          Enter password for principal systest@BLEEP.COM:
          Re-enter password for principal systest@BLEEP.COM:
          Password for systest@BLEEP.COM changed.
          kadmin:

   purgekeys
          purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal

       Purges previously retained old keys (e.g., from change_password  -keep‐
       old)  from principal.  If -keepkvno is specified, then only purges keys
       with kvnos lower than oldest_kvno_to_keep.  If -all is specified,  then
       all keys are purged.  The -all option is new in release 1.12.

       This command requires the modify privilege.

   get_principal
          get_principal [-terse] principal

       Gets  the  attributes  of  principal.   With the -terse option, outputs
       fields as quoted tab-separated strings.

       This command requires the inquire privilege, or that the principal run‐
       ning the program is the same as the one being listed.

       Alias: getprinc

       Examples:

          kadmin: getprinc tlyu/admin
          Principal: tlyu/admin@BLEEP.COM
          Expiration date: [never]
          Last password change: Mon Aug 12 14:16:47 EDT 1996
          Password expiration date: [never]
          Maximum ticket life: 0 days 10:00:00
          Maximum renewable life: 7 days 00:00:00
          Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
          Last successful authentication: [never]
          Last failed authentication: [never]
          Failed password attempts: 0
          Number of keys: 1
          Key: vno 1, aes256-cts-hmac-sha384-192
          MKey: vno 1
          Attributes:
          Policy: [none]

          kadmin: getprinc -terse systest
          systest@BLEEP.COM   3    86400     604800    1
          785926535 753241234 785900000
          tlyu/admin@BLEEP.COM     786100034 0    0
          kadmin:

   list_principals
          list_principals [expression]

       Retrieves  all  or  some  principal names.  expression is a shell-style
       glob expression that can contain the wild-card characters ?, *, and [].
       All principal names matching the expression are printed.  If no expres‐
       sion is provided, all principal names are printed.  If  the  expression
       does  not  contain an @ character, an @ character followed by the local
       realm is appended to the expression.

       This command requires the list privilege.

       Alias: listprincs, get_principals, getprincs

       Example:

          kadmin:  listprincs test*
          test3@SECURE-TEST.OV.COM
          test2@SECURE-TEST.OV.COM
          test1@SECURE-TEST.OV.COM
          testuser@SECURE-TEST.OV.COM
          kadmin:

   get_strings
          get_strings principal

       Displays string attributes on principal.

       This command requires the inquire privilege.

       Alias: getstrs

   set_string
          set_string principal name value

       Sets a string attribute on principal.  String attributes  are  used  to
       supply  per-principal configuration to the KDC and some KDC plugin mod‐
       ules.  The following string attribute names are recognized by the KDC:

       require_auth
              Specifies an authentication indicator which is required  to  au‐
              thenticate  to  the principal as a service.  Multiple indicators
              can be specified, separated by spaces; in this case any  of  the
              specified indicators will be accepted.  (New in release 1.14.)

       session_enctypes
              Specifies  the  encryption types supported for session keys when
              the principal is authenticated to as a server.   See  Encryption
              types in kdc.conf for a list of the accepted values.

       otp    Enables  One Time Passwords (OTP) preauthentication for a client
              principal.  The value is a JSON string representing an array  of
              objects, each having optional type and username fields.

       pkinit_cert_match
              Specifies a matching expression that defines the certificate at‐
              tributes required for the client certificate used by the princi‐
              pal during PKINIT authentication.  The matching expression is in
              the same format as those used by the pkinit_cert_match option in
              krb5.conf.  (New in release 1.16.)

       This command requires the modify privilege.

       Alias: setstr

       Example:

          set_string host/foo.mit.edu session_enctypes aes128-cts
          set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
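
       The otp example above and the script-mode description in OPTIONS share
       one  pitfall:  who  splits  the  query.  With -q or interactively, kadmin
       tokenizes the string itself and a literal double quote inside a  quoted
       token  is  written as two double quotes; with the positional form (1.14
       and later) the shell or the calling program has already split the argu‐
       ments, so the value is passed verbatim.  The following  Python  helpers
       are  an  added  example, not part of MIT Kerberos, that build both forms
       and run a query in script mode with the exit status checked,  supplying
       any password on standard input instead of -pw/-w.  They assume kadmin.‐
       local  is on PATH and that its password prompts read standard input; the
       principals and the FakeRunner used for offline demonstration are  place‐
       holders.

```python
"""Added example (not part of MIT Kerberos): build kadmin.local queries for
the two invocation modes and run them with the exit status checked.
Assumptions: kadmin.local is on PATH, its password prompts read standard
input, and the principals below are placeholders."""
import json
import subprocess
from typing import Callable, List, Optional

KADMIN = "kadmin.local"  # assumed; use ["kadmin", "-p", ...] for the remote client


def kadmin_quote(token: str) -> str:
    """Quote one token for kadmin's own tokenizer (interactive and -q modes):
    a double-quoted token may contain whitespace, and a literal double quote
    inside it is written as two double quotes, as in the set_string otp
    example on this page."""
    return '"' + token.replace('"', '""') + '"'


def query_string(tokens: List[str]) -> str:
    """Join tokens into a single -q string, quoting only those kadmin would
    otherwise split or misparse."""
    return " ".join(kadmin_quote(t) if (t == "" or any(c in t for c in ' \t"'))
                    else t for t in tokens)


def argv_for_q(tokens: List[str]) -> List[str]:
    """-q mode: kadmin splits the query itself, so kadmin quoting applies."""
    return [KADMIN, "-q", query_string(tokens)]


def argv_for_script(tokens: List[str]) -> List[str]:
    """Script mode (release 1.14+): arguments are already split by the
    caller, so each token is passed verbatim with no kadmin quoting."""
    return [KADMIN, *tokens]


def otp_string(entries: List[dict]) -> str:
    """JSON array value for `set_string PRINC otp ...`; each entry may carry
    optional "type" and "username" keys."""
    return json.dumps(entries, separators=(",", ":"))


class FakeRunner:
    """Stand-in for subprocess.run that records calls and returns a canned
    result, so the helpers can be exercised without a KDC (assumed fake)."""

    def __init__(self, returncode: int = 0, stdout: str = "", stderr: str = ""):
        self.returncode, self.stdout, self.stderr = returncode, stdout, stderr
        self.calls = []

    def __call__(self, argv, input=None, **kwargs):
        self.calls.append((list(argv), input))
        return subprocess.CompletedProcess(argv, self.returncode,
                                           self.stdout, self.stderr)


def run_query(tokens: List[str], stdin_text: Optional[str] = None,
              runner: Callable = subprocess.run) -> str:
    """Run one query in script mode: confirmation prompts are disabled and
    the exit status is non-zero if the query fails.  Any secret goes through
    stdin_text, answering the password prompts, never through -pw or -w,
    which would expose it in the process list."""
    proc = runner(argv_for_script(tokens), input=stdin_text,
                  capture_output=True, text=True)
    if proc.returncode != 0:
        raise RuntimeError(f"kadmin exited {proc.returncode}: {proc.stderr.strip()}")
    return proc.stdout


def add_user(principal: str, password: str,
             runner: Callable = subprocess.run) -> str:
    """add_principal prompts for the password twice; feed both answers on
    stdin rather than using -pw."""
    return run_query(["add_principal", principal],
                     stdin_text=f"{password}\n{password}\n", runner=runner)


if __name__ == "__main__":
    fake = FakeRunner(stdout='Principal "jennifer@EXAMPLE.COM" created.\n')
    add_user("jennifer", "correct horse", runner=fake)
    print(fake.calls[0][0])  # the password is not part of argv
    print(argv_for_q(["set_string", "user@FOO.COM", "otp",
                      otp_string([{"type": "hotp", "username": "al"}])])[-1])
```

       With  the  -q  form  the  query  is  processed as if typed interactively, so
       kadmin quoting and confirmation prompts both apply;  with  the  positional
       form a caller that already holds the tokens should not add kadmin quoting,
       or the doubled quotes end up inside the stored value.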

   del_string
          del_string principal key

       Deletes a string attribute from principal.

       This command requires the delete privilege.

       Alias: delstr

   add_policy
          add_policy [options] policy

       Adds a password policy named policy to the database.

       This command requires the add privilege.

       Alias: addpol

       The following options are available:

       -maxlife time
              (Time duration or getdate time string) Sets the maximum lifetime
              of a password.

       -minlife time
              (Time duration or getdate time string) Sets the minimum lifetime
              of a password.

       -minlength length
              Sets the minimum length of a password.

       -minclasses number
              Sets the minimum number of character classes required in a pass‐
              word.  The five character classes are lower  case,  upper  case,
              numbers, punctuation, and whitespace/unprintable characters.

       -history number
              Sets  the number of past keys kept for a principal.  This option
              is not supported with the LDAP KDC database module.

       -maxfailure maxnumber
              Sets the number of authentication failures before the  principal
              is locked.  Authentication failures are only tracked for princi‐
              pals which require preauthentication.  The counter of failed at‐
              tempts  resets  to 0 after a successful attempt to authenticate.
              A maxnumber value of 0 (the default) disables lockout.

       -failurecountinterval failuretime
              (Time duration or getdate time string) Sets the  allowable  time
              between  authentication  failures.  If an authentication failure
              happens after failuretime has elapsed since the  previous  fail‐
              ure,  the  number  of  authentication failures is reset to 1.  A
              failuretime value of 0 (the default) means forever.

       -lockoutduration lockouttime
              (Time duration or getdate time string)  Sets  the  duration  for
              which  the  principal  is locked from authenticating if too many
              authentication failures  occur  without  the  specified  failure
              count  interval  elapsing.   A duration of 0 (the default) means
              the principal remains locked out until  it  is  administratively
              unlocked with modprinc -unlock.

       -allowedkeysalts
              Specifies  the key/salt tuples supported for long-term keys when
              setting or changing a principal's  password/keys.   See  Keysalt
              lists  in  kdc.conf  for a list of the accepted values, but note
              that key/salt tuples must be separated with commas  (',')  only.
              To clear the allowed key/salt policy use a value of '-'.

       Example:

          kadmin: add_policy -maxlife "2 days" -minlength 5 guests
          kadmin:
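
       The  three  lockout options above interact: -maxfailure sets the thresh‐
       old, -failurecountinterval decides whether an earlier  failure  is  still
       counted,  and  -lockoutduration  decides whether the lock expires on its
       own or only with modprinc -unlock, and none of it applies to a principal
       without +requires_preauth.  The  following  Python  model  is  an  added
       example,  not  code  from  MIT  Kerberos; it follows the option descrip‐
       tions above on a constructed sequence of attempts, treats -unlock  as  a
       reset  of the failure counter, and simplifies the KDC's own bookkeeping
       (boundary conditions and the separate last-unlock timestamp).

```python
"""Added example (not from the MIT Kerberos sources): a model of the lockout
behaviour that add_policy's -maxfailure, -failurecountinterval and
-lockoutduration describe, driven by a constructed sequence of
initial-authentication attempts.  Times are integer seconds."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    maxfailure: int = 0            # failures before lockout; 0 disables lockout
    failurecountinterval: int = 0  # seconds; 0 means failures never age out
    lockoutduration: int = 0       # seconds; 0 means locked until modprinc -unlock


@dataclass
class PrincipalState:
    requires_preauth: bool = True  # failures are only tracked with preauth
    fail_auth_count: int = 0
    last_failed: Optional[int] = None


def is_locked(state: PrincipalState, policy: LockoutPolicy, now: int) -> bool:
    """Locked once the counter has reached maxfailure; a non-zero
    lockoutduration lets the lock expire that long after the last failure."""
    if policy.maxfailure == 0 or state.fail_auth_count < policy.maxfailure:
        return False
    if policy.lockoutduration == 0:
        return True
    return now - state.last_failed < policy.lockoutduration


def attempt(state: PrincipalState, policy: LockoutPolicy, now: int,
            password_ok: bool) -> str:
    """One attempt at time `now`; returns 'locked', 'ok' or 'failed' and
    updates the counters the way the option descriptions specify."""
    if is_locked(state, policy, now):
        return "locked"            # rejected before the password is checked
    if password_ok:
        state.fail_auth_count = 0  # success resets the counter
        return "ok"
    if state.requires_preauth:
        if (policy.failurecountinterval and state.last_failed is not None
                and now - state.last_failed > policy.failurecountinterval):
            state.fail_auth_count = 0  # interval elapsed: this failure counts as 1
        state.fail_auth_count += 1
        state.last_failed = now
    return "failed"


def admin_unlock(state: PrincipalState) -> None:
    """modprinc -unlock, modelled (simplification) as clearing the counter."""
    state.fail_auth_count = 0


def replay(policy: LockoutPolicy, attempts: List[Tuple[int, bool]],
           requires_preauth: bool = True) -> List[str]:
    """Run a constructed (time, password_ok) sequence against a fresh principal."""
    state = PrincipalState(requires_preauth=requires_preauth)
    return [attempt(state, policy, t, ok) for t, ok in attempts]


if __name__ == "__main__":
    # Three failures within 60 s lock the principal for 300 s: the correct
    # password is rejected at t=100 and accepted again at t=321.
    policy = LockoutPolicy(maxfailure=3, failurecountinterval=60, lockoutduration=300)
    print(replay(policy, [(0, False), (10, False), (20, False),
                          (100, True), (321, True)]))
```

       Two  consequences  worth  checking  against  a real policy: a non-zero
       -lockoutduration means a guessing client only has to  wait,  while  the
       default  of  0  turns  repeated  failures into a denial of service that
       lasts until an administrator runs modprinc -unlock.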

   modify_policy
          modify_policy [options] policy

       Modifies  the  password  policy named policy.  Options are as described
       for add_policy.

       This command requires the modify privilege.

       Alias: modpol

   delete_policy
          delete_policy [-force] policy

       Deletes the password policy named policy.  Prompts for confirmation be‐
       fore  deletion.   The  command will fail if the policy is in use by any
       principals.

       This command requires the delete privilege.

       Alias: delpol

       Example:

          kadmin: del_policy guests
          Are you sure you want to delete the policy "guests"?
          (yes/no): yes
          kadmin:

   get_policy
          get_policy [ -terse ] policy

       Displays the values of the password  policy  named  policy.   With  the
       -terse flag, outputs the fields as quoted strings separated by tabs.

       This command requires the inquire privilege.

       Alias: getpol

       Examples:

          kadmin: get_policy admin
          Policy: admin
          Maximum password life: 180 days 00:00:00
          Minimum password life: 00:00:00
          Minimum password length: 6
          Minimum number of password character classes: 2
          Number of old keys kept: 5
          Reference count: 17

          kadmin: get_policy -terse admin
          admin     15552000  0    6    2    5    17
          kadmin:

       The  "Reference  count"  is the number of principals using that policy.
       With the LDAP KDC database module, the reference  count  field  is  not
       meaningful.

   list_policies
          list_policies [expression]

       Retrieves  all  or some policy names.  expression is a shell-style glob
       expression that can contain the wild-card characters ?, *, and [].  All
       policy  names matching the expression are printed.  If no expression is
       provided, all existing policy names are printed.

       This command requires the list privilege.

       Aliases: listpols, get_policies, getpols.

       Examples:

          kadmin:  listpols
          test-pol
          dict-only
          once-a-min
          test-pol-nopw

          kadmin:  listpols t*
          test-pol
          test-pol-nopw
          kadmin:

   ktadd
          ktadd [options] principal
          ktadd [options] -glob princ-exp

       Adds a principal, or all principals matching  princ-exp,  to  a  keytab
       file.   Each principal's keys are randomized in the process.  The rules
       for princ-exp are described in the list_principals command.

       This command requires the inquire and changepw  privileges.   With  the
       -glob form, it also requires the list privilege.

       The options are:

       -k[eytab] keytab
              Use keytab as the keytab file.  Otherwise, the default keytab is
              used.

       -e enc:salt,...
              Uses the specified keysalt list for setting the new keys of  the
              principal.  See Keysalt lists in kdc.conf for a list of possible
              values.

       -q     Display less verbose information.

       -norandkey
              Do not randomize the keys.  The keys and their  version  numbers
              stay  unchanged.  This option cannot be specified in combination
              with the -e option.

       An entry for each of the principal's unique encryption types is  added,
       ignoring multiple keys with the same encryption type but different salt
       types.

       Alias: xst

       Example:

          kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
          Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
               encryption type aes256-cts-hmac-sha1-96 added to keytab
               FILE:/tmp/foo-new-keytab
          kadmin:

   ktremove
          ktremove [options] principal [kvno | all | old]

       Removes entries for the specified principal from a keytab.  Requires no
       permissions, since this does not require database access.

       If  the  string  "all" is specified, all entries for that principal are
       removed; if the string "old" is specified, all entries for that princi‐
       pal  except  those  with  the highest kvno are removed.  Otherwise, the
       value specified is parsed as an integer, and  all  entries  whose  kvno
       match that integer are removed.

       The options are:

       -k[eytab] keytab
              Use keytab as the keytab file.  Otherwise, the default keytab is
              used.

       -q     Display less verbose information.

       Alias: ktrem

       Example:

          kadmin: ktremove kadmin/admin all
          Entry for principal kadmin/admin with kvno 3 removed from keytab
               FILE:/etc/krb5.keytab
          kadmin:

   lock
       Lock database exclusively.  Use with  extreme  caution!   This  command
       only works with the DB2 KDC database module.

   unlock
       Release the exclusive database lock.

   list_requests
       Lists the requests available in kadmin.

       Aliases: lr, ?

   quit
       Exit program.  If the database was locked, the lock is released.

       Aliases: exit, q


HISTORY

       The  kadmin  program was originally written by Tom Yu at MIT, as an in‐
       terface to the OpenVision Kerberos administration program.


ENVIRONMENT

       See kerberos for a description of Kerberos environment variables.


SEE ALSO

       kpasswd, kadmind, kerberos


AUTHOR

       MIT

COPYRIGHT

       1985-2022, MIT



1.19.2                                                               KADMIN(1)