1KADMIN(1) BSD General Commands Manual KADMIN(1)
2
4 kadmin — Kerberos administration utility
5
7 kadmin [-p string | --principal=string] [-K string | --keytab=string]
8 [-c file | --config-file=file] [-k file | --key-file=file]
9 [-r realm | --realm=realm] [-a host | --admin-server=host]
10 [-s port number | --server-port=port number] [-l | --local]
11 [-h | --help] [-v | --version] [command]
12
14 The kadmin program is used to make modifications to the Kerberos data‐
15 base, either remotely via the kadmind(8) daemon, or locally (with the -l
16 option).
17
18 Supported options:
19
20 -p string, --principal=string
21 principal to authenticate as
22
23 -K string, --keytab=string
24 keytab for authentication principal
25
26 -c file, --config-file=file
27 location of config file
28
29 -k file, --key-file=file
30 location of master key file
31
32 -r realm, --realm=realm
33 realm to use
34
35 -a host, --admin-server=host
36 server to contact
37
38 -s port number, --server-port=port number
39 port to use
40
41 -l, --local
42 local admin mode
43
44 If no command is given on the command line, kadmin will prompt for com‐
45 mands to process. Some of the commands that take one or more principals
46 as argument (delete, ext_keytab, get, modify, and passwd) will accept a
47 glob style wildcard, and perform the operation on all matching princi‐
48 pals.
49
50 Commands include:
51
52 add [-r | --random-key] [--random-password] [-p string |
53 --password=string] [--key=string] [--max-ticket-life=lifetime]
54 [--max-renewable-life=lifetime] [--attributes=attributes]
55 [--expiration-time=time] [--pw-expiration-time=time]
56 [--policy=policy-name] principal...
57
58 Adds a new principal to the database. The options not passed on the
59 command line will be promped for. The only policy supported by
60 Heimdal servers is ‘default’.
61
62 add_enctype [-r | --random-key] principal enctypes...
63
64 Adds a new encryption type to the principal, only random key are
65 supported.
66
67 delete principal...
68
69 Removes a principal.
70
71 del_enctype principal enctypes...
72
73 Removes some enctypes from a principal; this can be useful if the
74 service belonging to the principal is known to not handle certain
75 enctypes.
76
77 ext_keytab [-k string | --keytab=string] principal...
78
79 Creates a keytab with the keys of the specified principals.
80 Requires get-keys rights, otherwise the principal's keys are
81 changed and saved in the keytab.
82
83 get [-l | --long] [-s | --short] [-t | --terse] [-o string |
84 --column-info=string] principal...
85
86 Lists the matching principals, short prints the result as a table,
87 while long format produces a more verbose output. Which columns to
88 print can be selected with the -o option. The argument is a comma
89 separated list of column names optionally appended with an equal
90 sign (‘=’) and a column header. Which columns are printed by
91 default differ slightly between short and long output.
92
93 The default terse output format is similar to -s -o principal=,
94 just printing the names of matched principals.
95
96 Possible column names include: principal, princ_expire_time,
97 pw_expiration, last_pwd_change, max_life, max_rlife, mod_time,
98 mod_name, attributes, kvno, mkvno, last_success, last_failed,
99 fail_auth_count, policy, and keytypes.
100
101 modify [-a attributes | --attributes=attributes]
102 [--max-ticket-life=lifetime] [--max-renewable-life=lifetime]
103 [--expiration-time=time] [--pw-expiration-time=time] [--kvno=number]
104 [--policy=policy-name] principal...
105
106 Modifies certain attributes of a principal. If run without command
107 line options, you will be prompted. With command line options, it
108 will only change the ones specified.
109
110 Only policy supported by Heimdal is ‘default’.
111
112 Possible attributes are: new-princ, support-desmd5,
113 pwchange-service, disallow-svr, requires-pw-change,
114 requires-hw-auth, requires-pre-auth, disallow-all-tix,
115 disallow-dup-skey, disallow-proxiable, disallow-renewable,
116 disallow-tgt-based, disallow-forwardable, disallow-postdated
117
118 Attributes may be negated with a "-", e.g.,
119
120 kadmin -l modify -a -disallow-proxiable user
121
122 passwd [--keepold] [-r | --random-key] [--random-password] [-p string |
123 --password=string] [--key=string] principal...
124
125 Changes the password of an existing principal.
126
127 verify-password-quality principal password
128
129 Run the password quality check function locally. You can run this
130 on the host that is configured to run the kadmind process to verify
131 that your configuration file is correct. The verification is done
132 locally, if kadmin is run in remote mode, no rpc call is done to
133 the server. NOTE: if the environment has verify-password-quality
134 configured to use a back-end that stores password history (such as
135 heimdal-history), running verify-quality-password will cause an
136 update to the password database meaning that merely verifying the
137 quality of the password using verify-quality-password invalidates
138 the use of that principal/password in the future.
139
140 privileges
141
142 Lists the operations you are allowed to perform. These include add,
143 add_enctype, change-password, delete, del_enctype, get, get-keys,
144 list, and modify.
145
146 rename from to
147
148 Renames a principal. This is normally transparent, but since keys
149 are salted with the principal name, they will have a non-standard
150 salt, and clients which are unable to cope with this will fail.
151 Kerberos 4 suffers from this.
152
153 check [realm]
154
155 Check database for strange configurations on important principals.
156 If no realm is given, the default realm is used.
157
158 When running in local mode, the following commands can also be used:
159
160 dump [-d | --decrypt] [-fformat | --format=format] [dump-file]
161
162 Writes the database in “machine readable text” form to the speci‐
163 fied file, or standard out. If the database is encrypted, the dump
164 will also have encrypted keys, unless --decrypt is used. If
165 --format=MIT is used then the dump will be in MIT format. Other‐
166 wise it will be in Heimdal format.
167
168 init [--realm-max-ticket-life=string] [--realm-max-renewable-life=string]
169 realm
170
171 Initializes the Kerberos database with entries for a new realm.
172 It's possible to have more than one realm served by one server.
173
174 load file
175
176 Reads a previously dumped database, and re-creates that database
177 from scratch.
178
179 merge file
180
181 Similar to load but just modifies the database with the entries in
182 the dump file.
183
184 stash [-e enctype | --enctype=enctype] [-k keyfile | --key-file=keyfile]
185 [--convert-file] [--master-key-fd=fd]
186
187 Writes the Kerberos master key to a file used by the KDC.
188
190 kadmind(8), kdc(8)
191
192HEIMDAL Feb 22, 2007 HEIMDAL