KADMIN(1)                        MIT Kerberos                        KADMIN(1)


NAME

       kadmin - Kerberos V5 database administration program

SYNOPSIS

       kadmin   [-O|-N]   [-r   realm]   [-p   principal]   [-q   query]  [[-c
       cache_name]|[-k [-t keytab]]|-n] [-w password] [-s admin_server[:port]]
       [command args...]

       kadmin.local  [-r  realm]  [-p  principal]  [-q  query] [-d dbname] [-e
       enc:salt ...]  [-m] [-x db_args] [command args...]

DESCRIPTION

       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
       administration  system.  They provide nearly identical functionalities;
       the difference is that kadmin.local directly accesses the KDC database,
       while  kadmin  performs operations using kadmind.  Except as explicitly
       noted otherwise, this man page will use "kadmin" to refer to both  ver‐
       sions.   kadmin  provides  for  the maintenance of Kerberos principals,
       password policies, and service key tables (keytabs).

       The remote kadmin client uses Kerberos to authenticate to kadmind using
       the service principal kadmin/admin or kadmin/ADMINHOST (where ADMINHOST
       is the fully-qualified hostname of the admin server).  If  the  creden‐
       tials  cache  contains a ticket for one of these principals, and the -c
       credentials_cache option is specified, that ticket is used to authenti‐
       cate  to kadmind.  Otherwise, the -p and -k options are used to specify
       the client Kerberos principal name used to authenticate.   Once  kadmin
       has  determined  the  principal name, it requests a service ticket from
       the KDC, and uses that service ticket to authenticate to kadmind.

       Since kadmin.local directly accesses the KDC database, it usually  must
       be  run directly on the primary KDC with sufficient permissions to read
       the KDC database.  If the KDC database uses the LDAP  database  module,
       kadmin.local can be run on any host which can access the LDAP server.

OPTIONS

       -r realm
              Use realm as the default database realm.

       -p principal
              Use  principal  to  authenticate.  Otherwise, kadmin will append
              /admin to the primary principal name of the default ccache,  the
              value  of  the USER environment variable, or the username as ob‐
              tained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response  instead  of  prompting
              for  a  password.   In  this case, the default principal will be
              host/hostname.  If there is no keytab specified with the -t  op‐
              tion, then the default keytab will be used.

       -t keytab
              Use  keytab  to decrypt the KDC response.  This can only be used
              with the -k option.

       -n     Requests anonymous processing.  Two types of  anonymous  princi‐
              pals  are  supported.   For  fully anonymous Kerberos, configure
              PKINIT on the KDC and configure pkinit_anchors in  the  client's
              krb5.conf.   Then use the -n option with a principal of the form
              @REALM (an empty principal name followed by the  at-sign  and  a
              realm  name).  If permitted by the KDC, an anonymous ticket will
              be returned.  A second form of anonymous tickets  is  supported;
              these  realm-exposed tickets hide the identity of the client but
              not the client's realm.  For this mode, use kinit -n with a nor‐
              mal principal name.  If supported by the KDC, the principal (but
              not realm) will be replaced by the anonymous principal.   As  of
              release  1.8, the MIT Kerberos KDC only supports fully anonymous
              operation.

       -c credentials_cache
              Use credentials_cache  as  the  credentials  cache.   The  cache
              should  contain  a  service  ticket for the kadmin/admin or kad‐
              min/ADMINHOST (where ADMINHOST is the  fully-qualified  hostname
              of  the admin server) service; it can be acquired with the kinit
              program.  If this option is not specified, kadmin requests a new
              service  ticket from the KDC, and stores it in its own temporary
              ccache.

       -w password
              Use password instead of prompting for one.  Use this option with
              care, as it may expose the password to other users on the system
              via the process list.

       -q query
              Perform the specified query and then exit.

       -d dbname
              Specifies the name of the KDC database.  This  option  does  not
              apply to the LDAP database module.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     If  using  kadmin.local, prompt for the database master password
              instead of reading it from a stash file.

       -e "enc:salt ..."
              Sets the keysalt list to be used for any new keys created.   See
              Keysalt lists in kdc.conf for a list of possible values.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies the database specific arguments.  See the next section
              for supported options.

       Starting with release 1.14, if any command-line arguments remain  after
       the  options,  they  will  be treated as a single query to be executed.
       This mode of operation is intended for scripts and behaves  differently
       from the interactive mode in several respects:

       • Query arguments are split by the shell, not by kadmin.

       • Informational  and  warning  messages are suppressed.  Error messages
         and query output (e.g. for get_principal) will still be displayed.

       • Confirmation prompts are disabled (as if -force was given).  Password
         prompts will still be issued as required.

       • The exit status will be non-zero if the query fails.

       The -q option does not carry these behavior differences; the query will
       be processed as if it was entered interactively.  The -q option  cannot
       be used in combination with a query in the remaining arguments.
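       The following is an added example (not part of MIT Kerberos) showing
       how a script should drive kadmin in this mode: the query words are
       passed as separate argv entries so the shell does the splitting, the
       client authenticates from a keytab with -k/-t rather than putting a
       password on the command line with -w, and the exit status is the
       success signal.  The keytab path, client principal and admin server
       in EXAMPLE_AUTH are assumed values, and OfflineKadmin is a constructed
       stand-in for the real binary so the example runs without a KDC.

```python
"""Run one kadmin query in script mode and trust its exit status.

Added example, not part of MIT Kerberos.  Everything under EXAMPLE_AUTH
(keytab path, client principal, admin server) is an assumed deployment;
OfflineKadmin is a constructed stand-in so the example runs without a KDC.
"""
import subprocess
from typing import Callable, List, Optional, Sequence, Tuple

KADMIN = "kadmin"   # use "kadmin.local" when running on the KDC itself

EXAMPLE_AUTH = dict(                       # assumed values, not from the page
    principal="host/kdc.example.com",
    keytab="/etc/krb5.keytab",
    admin_server="kadmin.example.com",
)


def kadmin_argv(query: Sequence[str], *, principal: str, keytab: str,
                admin_server: str, realm: Optional[str] = None) -> List[str]:
    """Build argv for a script-mode query.

    Each query word is its own argv element, so the shell (not kadmin)
    splits it and nothing is re-parsed.  -k/-t authenticate from a keytab;
    -w would put the password in the process list.
    """
    argv = [KADMIN, "-k", "-t", keytab, "-p", principal, "-s", admin_server]
    if realm:
        argv += ["-r", realm]
    return argv + list(query)


def run_query(query: Sequence[str], runner: Callable = subprocess.run,
              **auth) -> Tuple[int, str]:
    """Execute one query; return (exit status, stdout+stderr).

    In script mode the status is non-zero when the query fails; with -q the
    query is handled as if typed interactively and the status says nothing.
    """
    proc = runner(kadmin_argv(query, **auth), capture_output=True, text=True)
    return proc.returncode, proc.stdout + proc.stderr


class OfflineKadmin:
    """Constructed stand-in for kadmin: knows one principal, fails otherwise."""
    KNOWN = {"jennifer@ATHENA.MIT.EDU"}

    def __call__(self, argv, **_) -> subprocess.CompletedProcess:
        i, query = 1, []
        while i < len(argv):                      # skip the option block
            if argv[i] in ("-t", "-p", "-s", "-r", "-c", "-w", "-q"):
                i += 2
            elif argv[i] in ("-k", "-n", "-O", "-N", "-m"):
                i += 1
            else:
                query = argv[i:]
                break
        if query[:1] == ["getprinc"] and len(query) == 2:
            if query[1] in self.KNOWN:
                return subprocess.CompletedProcess(
                    argv, 0, f"Principal: {query[1]}\nAttributes: REQUIRES_PRE_AUTH\n", "")
            return subprocess.CompletedProcess(
                argv, 1, "",
                f'get_principal: Principal does not exist while retrieving "{query[1]}".\n')
        return subprocess.CompletedProcess(argv, 1, "", "unknown request\n")


if __name__ == "__main__":
    for princ in ("jennifer@ATHENA.MIT.EDU", "nosuch@ATHENA.MIT.EDU"):
        rc, out = run_query(["getprinc", princ], runner=OfflineKadmin(), **EXAMPLE_AUTH)
        print(rc, out.strip())
```

       To run against a real admin server, drop the runner argument so
       subprocess.run is used; the argv shape is the same.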


DATABASE OPTIONS

       Database  options  can  be used to override database-specific defaults.
       Supported options for the DB2 module are:

          -x dbname=*filename*
                 Specifies the base filename of the DB2 database.

          -x lockiter
                 Make iteration operations hold the lock for the  duration  of
                 the  entire  operation, rather than temporarily releasing the
                 lock while handling each principal.  This is the default  be‐
                 havior, but this option exists to allow command line override
                 of a [dbmodules] setting.  First introduced in release 1.13.

          -x unlockiter
                 Make iteration operations unlock the database for each  prin‐
                 cipal,  instead  of  holding the lock for the duration of the
                 entire operation.  First introduced in release 1.13.

       Supported options for the LDAP module are:

          -x host=ldapuri
                 Specifies the LDAP server to connect to by a LDAP URI.

          -x binddn=bind_dn
                 Specifies the DN used to bind to the LDAP server.

          -x bindpwd=password
                 Specifies the password or SASL secret used  to  bind  to  the
                 LDAP  server.   Using  this option may expose the password to
                 other users on the system via  the  process  list;  to  avoid
                 this, instead stash the password using the stashsrvpw command
                 of kdb5_ldap_util.

          -x sasl_mech=mechanism
                 Specifies the SASL mechanism used to bind to the LDAP server.
                 The  bind  DN is ignored if a SASL mechanism is used.  New in
                 release 1.13.

          -x sasl_authcid=name
                 Specifies the authentication name used when  binding  to  the
                 LDAP  server with a SASL mechanism, if the mechanism requires
                 one.  New in release 1.13.

          -x sasl_authzid=name
                 Specifies the authorization name used  when  binding  to  the
                 LDAP server with a SASL mechanism.  New in release 1.13.

          -x sasl_realm=realm
                 Specifies the realm used when binding to the LDAP server with
                 a SASL mechanism, if the mechanism uses one.  New in  release
                 1.13.

          -x debug=level
                 Sets  the  OpenLDAP  client library debug level.  level is an
                 integer to be interpreted by the library.  Debugging messages
                 are printed to standard error.  New in release 1.12.

COMMANDS

       When  using the remote client, available commands may be restricted ac‐
       cording to the privileges specified in the kadm5.acl file on the  admin
       server.

   add_principal
          add_principal [options] newprinc

       Creates  the principal newprinc, prompting twice for a password.  If no
       password policy is specified with the -policy option, the policy  named
       default  is assigned to the principal if it exists.  However, creating a
       policy named default will not automatically assign this policy to  pre‐
       viously  existing principals.  This policy assignment can be suppressed
       with the -clearpolicy option.

       This command requires the add privilege.

       Aliases: addprinc, ank

       Options:

       -expire expdate
              (getdate time string) The expiration date of the principal.

       -pwexpire pwexpdate
              (getdate time string) The password expiration date.

       -maxlife maxlife
              (Time duration or getdate time string) The maximum  ticket  life
              for the principal.

       -maxrenewlife maxrenewlife
              (Time  duration  or  getdate  time string) The maximum renewable
              life of tickets for the principal.

       -kvno kvno
              The initial key version number.

       -policy policy
              The password policy used by this principal.  If  not  specified,
              the  policy default is used if it exists (unless -clearpolicy is
              specified).

       -clearpolicy
              Prevents any policy from being  assigned  when  -policy  is  not
              specified.

       {-|+}allow_postdated
              -allow_postdated  prohibits  this principal from obtaining post‐
              dated tickets.  +allow_postdated clears this flag.

       {-|+}allow_forwardable
              -allow_forwardable prohibits this principal from obtaining  for‐
              wardable tickets.  +allow_forwardable clears this flag.

       {-|+}allow_renewable
              -allow_renewable  prohibits this principal from obtaining renew‐
              able tickets.  +allow_renewable clears this flag.

       {-|+}allow_proxiable
              -allow_proxiable prohibits this principal from obtaining  proxi‐
              able tickets.  +allow_proxiable clears this flag.

       {-|+}allow_dup_skey
              -allow_dup_skey  disables  user-to-user  authentication for this
              principal by prohibiting others from obtaining a service  ticket
              encrypted  in this principal's TGT session key.  +allow_dup_skey
              clears this flag.

       {-|+}requires_preauth
              +requires_preauth requires this principal to preauthenticate be‐
              fore  being  allowed  to  kinit.   -requires_preauth clears this
              flag.  When +requires_preauth is set on a service principal, the
              KDC  will  only issue service tickets for that service principal
              if the  client's  initial  authentication  was  performed  using
              preauthentication.

       {-|+}requires_hwauth
              +requires_hwauth  requires this principal to preauthenticate us‐
              ing a hardware device  before  being  allowed  to  kinit.   -re‐
              quires_hwauth clears this flag.  When +requires_hwauth is set on
              a service principal, the KDC will only issue service tickets for
              that  service  principal  if the client's initial authentication
              was performed using a hardware device to preauthenticate.

       {-|+}ok_as_delegate
              +ok_as_delegate sets the okay as delegate flag on tickets issued
              with  this  principal as the service.  Clients may use this flag
              as a hint that credentials should be delegated when authenticat‐
              ing to the service.  -ok_as_delegate clears this flag.

       {-|+}allow_svr
              -allow_svr  prohibits  the  issuance of service tickets for this
              principal.  In release  1.17  and  later,  user-to-user  service
              tickets  are  still  allowed  unless the -allow_dup_skey flag is
              also set.  +allow_svr clears this flag.

       {-|+}allow_tgs_req
              -allow_tgs_req specifies that a  Ticket-Granting  Service  (TGS)
              request  for  a service ticket for this principal is not permit‐
              ted.  +allow_tgs_req clears this flag.

       {-|+}allow_tix
              -allow_tix forbids the issuance of any tickets for this  princi‐
              pal.  +allow_tix clears this flag.

       {-|+}needchange
              +needchange forces a password change on the next initial authen‐
              tication to this principal.  -needchange clears this flag.

       {-|+}password_changing_service
              +password_changing_service marks this principal  as  a  password
              change service principal.

       {-|+}ok_to_auth_as_delegate
              +ok_to_auth_as_delegate  allows  this  principal to acquire for‐
              wardable tickets to itself from arbitrary users,  for  use  with
              constrained delegation.

       {-|+}no_auth_data_required
              +no_auth_data_required  prevents  PAC or AD-SIGNEDPATH data from
              being added to service tickets for the principal.

       {-|+}lockdown_keys
              +lockdown_keys prevents keys for this principal from leaving the
              KDC  via  kadmind.  The chpass and extract operations are denied
              for a principal with this attribute.  The  chrand  operation  is
              allowed,  but  will not return the new keys.  The delete and re‐
              name operations are also denied if this attribute is set, in or‐
              der  to prevent a malicious administrator from replacing princi‐
              pals like krbtgt/* or kadmin/* with new principals  without  the
              attribute.   This attribute can be set via the network protocol,
              but can only be removed using kadmin.local.

       -randkey
              Sets the key of the principal to a random value.

       -nokey Causes the principal to be created with no key.  New in  release
              1.12.

       -pw password
              Sets  the  password of the principal to the specified string and
              does not prompt for a password.  Note: using this  option  in  a
              shell  script may expose the password to other users on the sys‐
              tem via the process list.

       -e enc:salt,...
              Uses the specified keysalt list for  setting  the  keys  of  the
              principal.  See Keysalt lists in kdc.conf for a list of possible
              values.

       -x db_princ_args
              Indicates database-specific options.  The options for  the  LDAP
              database module are:

              -x dn=dn
                     Specifies  the LDAP object that will contain the Kerberos
                     principal being created.

              -x linkdn=dn
                     Specifies the LDAP object to which the newly created Ker‐
                     beros principal object will point.

              -x containerdn=container_dn
                     Specifies  the  container object under which the Kerberos
                     principal is to be created.

              -x tktpolicy=policy
                     Associates a ticket policy to the Kerberos principal.

              NOTE:

                 • The containerdn and linkdn options cannot be specified with
                   the dn option.

                 • If  the  dn  or containerdn options are not specified while
                   adding the principal, the principals are created under  the
                   principal  container  configured  in the realm or the realm
                   container.

                 • dn and containerdn should be within the subtrees or princi‐
                   pal container configured in the realm.

       Example:

          kadmin: addprinc jennifer
          No policy specified for "jennifer@ATHENA.MIT.EDU";
          defaulting to no policy.
          Enter password for principal jennifer@ATHENA.MIT.EDU:
          Re-enter password for principal jennifer@ATHENA.MIT.EDU:
          Principal "jennifer@ATHENA.MIT.EDU" created.
          kadmin:

   modify_principal
          modify_principal [options] principal

       Modifies  the  specified  principal,  changing the fields as specified.
       The options to add_principal also apply to this command, except for the
       -randkey,  -pw,  and  -e options.  In addition, the option -clearpolicy
       will clear the current policy of a principal.

       This command requires the modify privilege.

       Alias: modprinc

       Options (in addition to the addprinc options):

       -unlock
              Unlocks a locked principal (one  which  has  received  too  many
              failed  authentication attempts without enough time between them
              according to its password policy) so that  it  can  successfully
              authenticate.

   rename_principal
          rename_principal [-force] old_principal new_principal

       Renames  the  specified  old_principal  to new_principal.  This command
       prompts for confirmation, unless the -force option is given.

       This command requires the add and delete privileges.

       Alias: renprinc

   delete_principal
          delete_principal [-force] principal

       Deletes the  specified  principal  from  the  database.   This  command
       prompts for confirmation, unless the -force option is given.

       This command requires the delete privilege.

       Alias: delprinc

   change_password
          change_password [options] principal

       Changes  the password of principal.  Prompts for a new password if nei‐
       ther -randkey nor -pw is specified.

       This command requires the changepw privilege,  or  that  the  principal
       running the program is the same as the principal being changed.

       Alias: cpw

       The following options are available:

       -randkey
              Sets the key of the principal to a random value.

       -pw password
              Set  the password to the specified string.  Using this option in
              a script may expose the password to other users  on  the  system
              via the process list.

       -e enc:salt,...
              Uses  the  specified  keysalt  list  for setting the keys of the
              principal.  See Keysalt lists in kdc.conf for a list of possible
              values.

       -keepold
              Keeps  the  existing keys in the database.  This flag is usually
              not necessary except perhaps for krbtgt principals.

       Example:

          kadmin: cpw systest
          Enter password for principal systest@BLEEP.COM:
          Re-enter password for principal systest@BLEEP.COM:
          Password for systest@BLEEP.COM changed.
          kadmin:
   purgekeys
          purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal

       Purges previously retained old keys (e.g., from change_password  -keep‐
       old)  from principal.  If -keepkvno is specified, then only purges keys
       with kvnos lower than oldest_kvno_to_keep.  If -all is specified,  then
       all keys are purged.  The -all option is new in release 1.12.

       This command requires the modify privilege.

   get_principal
          get_principal [-terse] principal

       Gets  the  attributes  of  principal.   With the -terse option, outputs
       fields as quoted tab-separated strings.

       This command requires the inquire privilege, or that the principal run‐
       ning the program be the same as the one being listed.

       Alias: getprinc

       Examples:

          kadmin: getprinc tlyu/admin
          Principal: tlyu/admin@BLEEP.COM
          Expiration date: [never]
          Last password change: Mon Aug 12 14:16:47 EDT 1996
          Password expiration date: [never]
          Maximum ticket life: 0 days 10:00:00
          Maximum renewable life: 7 days 00:00:00
          Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
          Last successful authentication: [never]
          Last failed authentication: [never]
          Failed password attempts: 0
          Number of keys: 1
          Key: vno 1, aes256-cts-hmac-sha384-192
          MKey: vno 1
          Attributes:
          Policy: [none]

          kadmin: getprinc -terse systest
          systest@BLEEP.COM   3    86400     604800    1
          785926535 753241234 785900000
          tlyu/admin@BLEEP.COM     786100034 0    0
          kadmin:
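       The following is an added example (not part of MIT Kerberos) that
       parses the verbose getprinc output above and reports the settings an
       auditor looks for first: a principal without REQUIRES_PRE_AUTH (its
       AS-REP is encrypted under the password-derived key and can be guessed
       offline), keys in a legacy enctype, and no password policy.  The
       attribute name REQUIRES_PRE_AUTH and the enctype deny-list are
       assumptions about kadmin's output and your baseline, not page
       content; the second sample record is constructed.

```python
"""Audit get_principal output for settings an administrator should revisit.

Added example, not MIT Kerberos code.  PAGE_SAMPLE is the getprinc output
shown on the page; SERVICE_SAMPLE is constructed.  The attribute names and
the WEAK_ENCTYPES prefixes are assumptions to adjust to local policy.
"""
import re
from typing import Dict, List

# Enctype name prefixes treated as weak (single DES, RC4/arcfour).
WEAK_ENCTYPES = ("des", "arcfour", "rc4")


def parse_getprinc(text: str) -> Dict[str, object]:
    """Turn 'Field: value' lines into a dict; 'Key:' lines accumulate as
    (kvno, enctype) pairs and 'Attributes:' becomes a set of flag names."""
    rec: Dict[str, object] = {"keys": [], "attributes": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value = field.strip(), value.strip()
        if field == "Key":
            # "Key: vno 1, aes256-cts-hmac-sha384-192[, salt info]"
            m = re.match(r"vno (\d+), ([^,]+)", value)
            if m:
                rec["keys"].append((int(m.group(1)), m.group(2).strip()))
        elif field == "Attributes":
            rec["attributes"] = set(value.split())
        else:
            rec[field] = value
    return rec


def audit_principal(text: str) -> List[str]:
    """Return human-readable findings for one getprinc record."""
    rec = parse_getprinc(text)
    findings = []
    if "REQUIRES_PRE_AUTH" not in rec["attributes"]:
        findings.append("no REQUIRES_PRE_AUTH: AS-REP can be obtained without "
                        "preauthentication and guessed offline")
    for kvno, etype in rec["keys"]:
        if etype.lower().startswith(WEAK_ENCTYPES):
            findings.append(f"weak enctype {etype} (kvno {kvno})")
    if rec.get("Policy", "[none]") == "[none]":
        findings.append("no password policy assigned")
    return findings


PAGE_SAMPLE = """\
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, aes256-cts-hmac-sha384-192
MKey: vno 1
Attributes:
Policy: [none]
"""

# Constructed record: preauth required, but an RC4 key still present.
SERVICE_SAMPLE = """\
Principal: svc/web.example.com@EXAMPLE.COM
Expiration date: [never]
Number of keys: 2
Key: vno 4, aes256-cts-hmac-sha1-96
Key: vno 4, arcfour-hmac
Attributes: REQUIRES_PRE_AUTH DISALLOW_POSTDATED
Policy: service
"""

if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, SERVICE_SAMPLE):
        print(parse_getprinc(sample)["Principal"], audit_principal(sample))
```

       Feed it real records by capturing getprinc output one principal at a
       time (for example from the script-mode invocation described under
       OPTIONS); the parser ignores lines it does not recognize.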

   list_principals
          list_principals [expression]

       Retrieves  all  or  some  principal names.  expression is a shell-style
       glob expression that can contain the wild-card characters ?, *, and [].
       All principal names matching the expression are printed.  If no expres‐
       sion is provided, all principal names are printed.  If  the  expression
       does  not  contain an @ character, an @ character followed by the local
       realm is appended to the expression.

       This command requires the list privilege.

       Alias: listprincs, get_principals, getprincs

       Example:

          kadmin:  listprincs test*
          test3@SECURE-TEST.OV.COM
          test2@SECURE-TEST.OV.COM
          test1@SECURE-TEST.OV.COM
          testuser@SECURE-TEST.OV.COM
          kadmin:

   get_strings
          get_strings principal

       Displays string attributes on principal.

       This command requires the inquire privilege.

       Alias: getstrs

   set_string
          set_string principal name value

       Sets a string attribute on principal.  String attributes  are  used  to
       supply  per-principal configuration to the KDC and some KDC plugin mod‐
       ules.  The following string attribute names are recognized by the KDC:

       require_auth
              Specifies an authentication indicator which is required  to  au‐
              thenticate  to  the principal as a service.  Multiple indicators
              can be specified, separated by spaces; in this case any  of  the
              specified indicators will be accepted.  (New in release 1.14.)

       session_enctypes
              Specifies  the  encryption types supported for session keys when
              the principal is authenticated to as a server.   See  Encryption
              types in kdc.conf for a list of the accepted values.

       otp    Enables  One Time Passwords (OTP) preauthentication for a client
              principal.  The value is a JSON string representing an array  of
              objects, each having optional type and username fields.

       pkinit_cert_match
              Specifies a matching expression that defines the certificate at‐
              tributes required for the client certificate used by the princi‐
              pal during PKINIT authentication.  The matching expression is in
              the same format as those used by the pkinit_cert_match option in
              krb5.conf.  (New in release 1.16.)

       pac_privsvr_enctype
              Forces  the  encryption  type of the PAC KDC checksum buffers to
              the specified encryption type for tickets issued to this server,
              by  deriving  a key from the local krbtgt key if it is of a dif‐
              ferent encryption type.  It may be necessary to set  this  value
              to  "aes256-sha1"  on the cross-realm krbtgt entry for an Active
              Directory realm when using aes-sha2 keys on the local krbtgt en‐
              try.

       optional_pac_tkt_chksum
              Boolean  value  defining  the behavior of the KDC in case an ex‐
              pected ticket checksum signed with one of this principal's  keys
              is  not  present in the PAC.  This is typically the case for TGS
              or cross-realm TGS principals when processing S4U2Proxy requests.

       This command requires the modify privilege.

       Alias: setstr

       Example:

          set_string host/foo.mit.edu session_enctypes aes128-cts
          set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
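       The otp line above shows the quoting convention of kadmin's own command
       parser, used at the interactive prompt and for -q: a value containing
       spaces or double quotes is wrapped in double quotes, and each embedded
       double quote is doubled.  The following is an added example (not part
       of MIT Kerberos) that builds such a line from a JSON value and splits
       it back, reproducing the page's otp example exactly.  The tokenizer is
       modelled on the convention the example shows, not copied from the ss
       library kadmin uses; in script mode (query as trailing arguments) the
       shell does the splitting and this quoting must not be applied.

```python
"""Quote and split arguments the way kadmin's command parser expects.

Added example, not part of MIT Kerberos.  Encodes the convention shown by
the set_string otp example: tokens with spaces or quotes are wrapped in
double quotes and an embedded double quote is written twice.
"""
import json
from typing import List, Sequence


def kadmin_quote(token: str) -> str:
    """Quote one token for kadmin's parser if it needs it."""
    if token and not any(c in token for c in ' \t"'):
        return token
    return '"' + token.replace('"', '""') + '"'


def kadmin_query(words: Sequence[str]) -> str:
    """Join tokens into one query line for the kadmin prompt or -q."""
    return " ".join(kadmin_quote(w) for w in words)


def kadmin_split(line: str) -> List[str]:
    """Inverse of kadmin_query: whitespace separates tokens, double quotes
    group, and "" inside a quoted token is one literal quote."""
    tokens: List[str] = []
    cur, quoted, i = None, False, 0
    while i < len(line):
        c = line[i]
        if quoted:
            if c == '"' and line[i + 1:i + 2] == '"':
                cur += '"'            # doubled quote -> literal quote
                i += 2
                continue
            if c == '"':
                quoted = False        # closing quote
            else:
                cur += c
        elif c == '"':
            quoted = True
            cur = cur or ""           # quoted segment may start a token
        elif c.isspace():
            if cur is not None:
                tokens.append(cur)
                cur = None
        else:
            cur = (cur or "") + c
        i += 1
    if quoted:
        raise ValueError("unterminated quote in kadmin query")
    if cur is not None:
        tokens.append(cur)
    return tokens


def set_string_otp(principal: str, tokens: list) -> str:
    """Build the set_string line for the otp attribute from its JSON value."""
    value = json.dumps(tokens, separators=(",", ":"))
    return kadmin_query(["set_string", principal, "otp", value])


if __name__ == "__main__":
    line = set_string_otp("user@FOO.COM", [{"type": "hotp", "username": "al"}])
    print(line)
    print(kadmin_split(line))
```

       When the line is passed through -q from a shell, it still needs one
       more layer of shell quoting (single quotes are the simplest), since the
       shell sees it before kadmin does.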

   del_string
          del_string principal key

       Deletes a string attribute from principal.

       This command requires the delete privilege.

       Alias: delstr

   add_policy
          add_policy [options] policy

       Adds a password policy named policy to the database.

       This command requires the add privilege.

       Alias: addpol

       The following options are available:

       -maxlife time
              (Time duration or getdate time string) Sets the maximum lifetime
              of a password.

       -minlife time
              (Time duration or getdate time string) Sets the minimum lifetime
              of a password.

       -minlength length
              Sets the minimum length of a password.

       -minclasses number
              Sets the minimum number of character classes required in a pass‐
              word.   The  five  character classes are lower case, upper case,
              numbers, punctuation, and whitespace/unprintable characters.

       -history number
              Sets the number of past keys kept for a principal.  This  option
              is not supported with the LDAP KDC database module.

       -maxfailure maxnumber
              Sets  the number of authentication failures before the principal
              is locked.  Authentication failures are only tracked for princi‐
              pals which require preauthentication.  The counter of failed at‐
              tempts resets to 0 after a successful attempt  to  authenticate.
              A maxnumber value of 0 (the default) disables lockout.

       -failurecountinterval failuretime
              (Time  duration  or getdate time string) Sets the allowable time
              between authentication failures.  If an  authentication  failure
              happens  after  failuretime has elapsed since the previous fail‐
              ure, the number of authentication failures is  reset  to  1.   A
              failuretime value of 0 (the default) means forever.

       -lockoutduration lockouttime
              (Time  duration  or  getdate  time string) Sets the duration for
              which the principal is locked from authenticating  if  too  many
              authentication  failures  occur  without  the  specified failure
              count interval elapsing.  A duration of 0  (the  default)  means
              the  principal  remains  locked out until it is administratively
              unlocked with modprinc -unlock.

       -allowedkeysalts
              Specifies the key/salt tuples supported for long-term keys  when
              setting  or  changing  a principal's password/keys.  See Keysalt
              lists in kdc.conf for a list of the accepted  values,  but  note
              that  key/salt  tuples must be separated with commas (',') only.
              To clear the allowed key/salt policy use a value of '-'.

       Example:

          kadmin: add_policy -maxlife "2 days" -minlength 5 guests
          kadmin:

   modify_policy
          modify_policy [options] policy

       Modifies the password policy named policy.  Options  are  as  described
       for add_policy.

       This command requires the modify privilege.

       Alias: modpol

   delete_policy
          delete_policy [-force] policy

       Deletes the password policy named policy.  Prompts for confirmation be‐
       fore deletion, unless the -force option is given.  The command will fail
       if the policy is in use by any principals.

       This command requires the delete privilege.

       Alias: delpol

       Example:

          kadmin: del_policy guests
          Are you sure you want to delete the policy "guests"?
          (yes/no): yes
          kadmin:

   get_policy
          get_policy [ -terse ] policy

       Displays  the  values  of  the  password policy named policy.  With the
       -terse flag, outputs the fields as quoted strings separated by tabs.

       This command requires the inquire privilege.

       Alias: getpol

       Examples:

          kadmin: get_policy admin
          Policy: admin
          Maximum password life: 180 days 00:00:00
          Minimum password life: 00:00:00
          Minimum password length: 6
          Minimum number of password character classes: 2
          Number of old keys kept: 5
          Reference count: 17

          kadmin: get_policy -terse admin
          admin     15552000  0    6    2    5    17
          kadmin:

       The "Reference count" is the number of principals  using  that  policy.
       With  the  LDAP  KDC  database module, the reference count field is not
       meaningful.
721
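The terse form is the one to parse when auditing policies from a script. The following Python is an added example, not code from this man page or from MIT Kerberos; it assumes the seven-field order shown above, that any extra trailing fields newer kadmin versions may emit can be ignored, and that the audit thresholds are a chosen baseline rather than anything kadmin enforces:

```python
# Added example, not from the kadmin man page or MIT Kerberos: parse one line of
# `get_policy -terse` output using the field order shown on this page. Newer
# kadmin versions may append extra fields; they are ignored here (assumption).
from dataclasses import dataclass


@dataclass
class PasswordPolicy:
    name: str
    max_life: int     # seconds; 0 means passwords never expire
    min_life: int     # seconds
    min_length: int
    min_classes: int
    history: int      # number of old keys kept
    refcount: int     # principals using the policy (not meaningful with LDAP)


def parse_terse_policy(line: str) -> PasswordPolicy:
    """Split a terse line on whitespace; strip the quotes some versions emit."""
    fields = [f.strip('"') for f in line.split()]
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 fields: {line!r}")
    name, *nums = fields[:7]
    return PasswordPolicy(name, *(int(n) for n in nums))


def format_life(seconds: int) -> str:
    """Render a lifetime the way the verbose get_policy output does."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days} days {hms}" if days else hms


def policy_findings(p: PasswordPolicy, min_len: int = 8, min_cls: int = 2) -> list:
    """Flag settings weaker than a chosen baseline (thresholds are assumptions)."""
    checks = [
        (p.max_life == 0, "passwords never expire"),
        (p.min_length < min_len, f"minimum length {p.min_length} < {min_len}"),
        (p.min_classes < min_cls, f"character classes {p.min_classes} < {min_cls}"),
        (p.history == 0, "no password history kept"),
    ]
    return [msg for weak, msg in checks if weak]


# Constructed sample: the terse line shown on this page for the "admin" policy.
SAMPLE = "admin     15552000  0    6    2    5    17"
```

Feeding the sample line through parse_terse_policy and format_life reproduces the "180 days 00:00:00" of the verbose output, which is a quick consistency check when comparing the two forms.
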
722   list_policies
723          list_policies [expression]
724
725       Retrieves all or some policy names.  expression is a  shell-style  glob
726       expression that can contain the wild-card characters ?, *, and [].  All
727       policy names matching the expression are printed.  If no expression  is
728       provided, all existing policy names are printed.
729
730       This command requires the list privilege.
731
732       Aliases: listpols, get_policies, getpols.
733
734       Examples:
735
736          kadmin:  listpols
737          test-pol
738          dict-only
739          once-a-min
740          test-pol-nopw
741
742          kadmin:  listpols t*
743          test-pol
744          test-pol-nopw
745          kadmin:
746
747   ktadd
748          ktadd [options] principal
749          ktadd [options] -glob princ-exp
750
751
752       Adds  a  principal,  or  all principals matching princ-exp, to a keytab
753       file.  Each principal's keys are randomized in the process.  The  rules
754       for princ-exp are described in the list_principals command.
755
756       This  command  requires  the inquire and changepw privileges.  With the
757       -glob form, it also requires the list privilege.
758
759       The options are:
760
761       -k[eytab] keytab
762              Use keytab as the keytab file.  Otherwise, the default keytab is
763              used.
764
765       -e enc:salt,...
766              Uses  the specified keysalt list for setting the new keys of the
767              principal.  See Keysalt lists in kdc.conf for a list of possible
768              values.
769
770       -q     Display less verbose information.
771
772       -norandkey
773              Do  not  randomize  the keys. The keys and their version numbers
774              stay unchanged.  This option cannot be specified in  combination
775              with the -e option.
776
777       An  entry for each of the principal's unique encryption types is added,
778       ignoring multiple keys with the same encryption type but different salt
779       types.
780
781       Alias: xst
782
783       Example:
784
785          kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
786          Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
787               encryption type aes256-cts-hmac-sha1-96 added to keytab
788               FILE:/tmp/foo-new-keytab
789          kadmin:
790
791   ktremove
792          ktremove [options] principal [kvno | all | old]
793
794       Removes entries for the specified principal from a keytab.  Requires no
795       permissions, since this does not require database access.
796
797       If the string "all" is specified, all entries for  that  principal  are
798       removed; if the string "old" is specified, all entries for that princi‐
799       pal except those with the highest kvno  are  removed.   Otherwise,  the
800       value  specified  is  parsed  as an integer, and all entries whose kvno
801       match that integer are removed.
802
803       The options are:
804
805       -k[eytab] keytab
806              Use keytab as the keytab file.  Otherwise, the default keytab is
807              used.
808
809       -q     Display less verbose information.
810
811       Alias: ktrem
812
813       Example:
814
815          kadmin: ktremove kadmin/admin all
816          Entry for principal kadmin/admin with kvno 3 removed from keytab
817               FILE:/etc/krb5.keytab
818          kadmin:
819
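Because each ktadd randomizes the principal's keys and bumps the kvno, a keytab that has been re-keyed several times accumulates entries for superseded key versions, and the "old" form is what prunes them while keeping every entry of the current kvno. The following Python is an added example, not code from this man page or from MIT Kerberos; it models the entry selection of ktremove over a constructed in-memory keytab rather than editing a real keytab file:

```python
# Added example, not from the kadmin man page or MIT Kerberos: models the entry
# selection that `ktremove principal [kvno | all | old]` performs on a keytab,
# over a constructed in-memory entry list (the real tool edits the keytab file).
from dataclasses import dataclass


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str


def select_removals(entries, principal, spec="all"):
    """Return the entries ktremove would drop for spec ("all", "old" or a kvno)."""
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        raise LookupError(f"no entries for {principal} in keytab")
    if spec == "all":
        return mine
    if spec == "old":
        newest = max(e.kvno for e in mine)
        return [e for e in mine if e.kvno != newest]   # keep every newest-kvno entry
    try:
        kvno = int(spec)
    except ValueError:
        raise ValueError(f"kvno must be an integer, 'all' or 'old': {spec!r}") from None
    matched = [e for e in mine if e.kvno == kvno]
    if not matched:
        raise LookupError(f"no entries for {principal} with kvno {kvno}")
    return matched


def apply_ktremove(entries, principal, spec="all"):
    """Return the keytab contents after the removal; other principals are untouched."""
    dropped = set(select_removals(entries, principal, spec))
    return [e for e in entries if e not in dropped]


# Constructed keytab: host/foo was re-keyed by ktadd twice (kvno 3 -> 4 -> 5),
# so the keytab still carries entries for superseded key versions.
SAMPLE_KEYTAB = [
    KeytabEntry("host/foo.example.com@EXAMPLE.COM", 3, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/foo.example.com@EXAMPLE.COM", 4, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/foo.example.com@EXAMPLE.COM", 5, "aes256-cts-hmac-sha1-96"),
    KeytabEntry("host/foo.example.com@EXAMPLE.COM", 5, "aes128-cts-hmac-sha1-96"),
    KeytabEntry("HTTP/foo.example.com@EXAMPLE.COM", 2, "aes256-cts-hmac-sha1-96"),
]
```
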
820   lock
821       Lock  database  exclusively.   Use  with extreme caution!  This command
822       only works with the DB2 KDC database module.
823
824   unlock
825       Release the exclusive database lock.
826
827   list_requests
828       Lists the requests available in kadmin.
829
830       Aliases: lr, ?
831
832   quit
833       Exit program.  If the database was locked, the lock is released.
834
835       Aliases: exit, q
836

HISTORY

838       The kadmin program was originally written by Tom Yu at MIT, as  an  in‐
839       terface to the OpenVision Kerberos administration program.
840

ENVIRONMENT

842       See kerberos for a description of Kerberos environment variables.
843

SEE ALSO

845       kpasswd, kadmind, kerberos
846

AUTHOR

848       MIT
849
851       1985-2023, MIT
852
853
854
855
8561.21.2                                                               KADMIN(1)