kdb5_util(1M)           System Administration Commands           kdb5_util(1M)

NAME

       kdb5_util - Kerberos Database maintenance utility

SYNOPSIS

       /usr/sbin/kdb5_util [-d dbname] [-f stashfile_name]
            [-k mkeytype] [-m] [-M mkeyname] [-P password] [-r realm]
            [-x db_args]... cmd

DESCRIPTION

       The kdb5_util utility enables you to create, dump, load, and destroy
       the Kerberos V5 database. You can also use kdb5_util to create a stash
       file containing the Kerberos database master key.

OPTIONS

       The following options are supported:

       -d dbname

           Specify the database name. .db is appended to whatever name is
           specified. You can specify an absolute path. If you do not specify
           the -d option, the default database name is /var/krb5/principal.

       -f stashfile_name

           Specify the stash file name. You can specify an absolute path.

       -k mkeytype

           Specify the master key type. Valid values are des3-cbc-sha1,
           des-cbc-crc, des-cbc-md5, des-cbc-raw, arcfour-hmac-md5,
           arcfour-hmac-md5-exp, aes128-cts-hmac-sha1-96, and
           aes256-cts-hmac-sha1-96.

       -m

           Enter the master key manually.

       -M mkeyname

           Specify the master key name.

       -P password

           Use the specified password instead of the stash file.

       -r realm

           Use realm as the default database realm.

       -x db_args

           Pass database-specific arguments to kadmin. Supported arguments are
           for LDAP and the Berkeley-db2 plug-in. These arguments are:

           binddn=binddn

               LDAP simple bind DN for authorization on the directory server.
               Overrides the ldap_kadmind_dn parameter setting in
               krb5.conf(4).

           bindpwd=bindpwd

               Bind password.

           dbname=name

               For the Berkeley-db2 plug-in, specifies a name for the Kerberos
               database.

           nconns=num

               Maximum number of server connections.

           port=num

               Directory server connection port.


OPERANDS

       The following operands are supported:

       cmd

           Specifies whether to create, destroy, dump, or load the database,
           or to create a stash file.

           You can specify the following commands:

           create -s

               Creates the database specified by the -d option. You will be
               prompted for the database master password. If you specify -s, a
               stash file is created as specified by the -f option. If you did
               not specify -f, the default stash file name is
               /var/krb5/.k5.realm. If you use the -f, -k, or -M options when
               you create a database, then you must use the same options when
               modifying or destroying the database.

           destroy

               Destroys the database specified by the -d option.

           stash

               Creates a stash file. If -f was not specified, the default
               stash file name is /var/krb5/.k5.realm. You will be prompted
               for the master database password. This command is useful when
               you want to generate the stash file from the password.

           dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
           [-new_mkey_file mkey_file] [-rev] [-recurse] [filename
           [principals...]]

               Dumps the current Kerberos and KADM5 database into an ASCII
               file. By default, the database is dumped in the current format,
               "kdb5_util load_dump version 5". If filename is not specified or
               is the string "-", the dump is sent to standard output. Options
               are as follows:

               -old

                   Causes the dump to be in the Kerberos 5 Beta 5 and earlier
                   dump format ("kdb5_edit load_dump version 2.0").

               -b6

                   Causes the dump to be in the Kerberos 5 Beta 6 format
                   ("kdb5_edit load_dump version 3.0").

               -b7

                   Causes the dump to be in the Kerberos 5 Beta 7 format
                   ("kdb5_util load_dump version 4"). This was the dump format
                   produced on releases prior to 1.2.2.

               -ov

                   Causes the dump to be in ovsec_adm_export format.

               -verbose

                   Causes the name of each principal and policy to be
                   displayed as it is dumped.

               -mkey_convert

                   Prompts for a new master key. This new master key will be
                   used to re-encrypt the key data in the dump file. The key
                   data in the database will not be changed.

               -new_mkey_file mkey_file

                   The filename of a stash file. The master key in this stash
                   file will be used to re-encrypt the key data in the dump
                   file. The key data in the database will not be changed.

               -rev

                   Dumps in reverse order. This might recover principals that
                   do not dump normally, in cases where database corruption
                   has occurred.

               -recurse

                   Causes the dump to walk the database recursively (btree
                   only). This might recover principals that do not dump
                   normally, in cases where database corruption has occurred.
                   In cases of such corruption, this option will probably
                   retrieve more principals than will the -rev option.

           load [-old] [-b6] [-b7] [-ov] [-hash] [-verbose] [-update] filename
           dbname [admin_dbname]

               Loads a database dump from filename into dbname. Unless the
               -old or -b6 option is specified, the format of the dump file is
               detected automatically and handled appropriately. Unless the
               -update option is specified, load creates a new database
               containing only the principals in the dump file, overwriting
               the contents of any existing database. The -old option requires
               the database to be in the Kerberos 5 Beta 5 or earlier format
               ("kdb5_edit load_dump version 2.0").

               -b6

                   Requires the database to be in the Kerberos 5 Beta 6 format
                   ("kdb5_edit load_dump version 3.0").

               -b7

                   Requires the database to be in the Kerberos 5 Beta 7 format
                   ("kdb5_util load_dump version 4").

               -ov

                   Requires the database to be in ovsec_adm_import format.
                   Must be used with the -update option.

               -hash

                   Requires the database to be stored as a hash. If this
                   option is not specified, the database will be stored as a
                   btree. This option is not recommended, as databases stored
                   in hash format are known to corrupt data and lose
                   principals.

               -verbose

                   Causes the name of each principal and policy to be
                   displayed as it is dumped.

               -update

                   Records from the dump file are added to or updated in the
                   existing database. Otherwise, a new database is created
                   containing only what is in the dump file and the old one is
                   destroyed upon successful completion.

               filename

                   Required argument that specifies a path to a file
                   containing the database dump.

               dbname

                   Required argument that overrides the value specified on the
                   command line or overrides the default.

               admin_dbname

                   Optional argument that is derived from dbname if not
                   specified.


EXAMPLES

       Example 1 Creating a File that Contains Information about Two Principals

       The following example creates a file named slavedata that contains the
       information about two principals, jdb@ACME.COM and pak@ACME.COM.

         # /usr/krb5/bin/kdb5_util dump -verbose slavedata \
             jdb@ACME.COM pak@ACME.COM

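       The following wrapper is an added example; it is not part of this man
       page or of the Kerberos distribution. It assumes the Solaris default
       paths listed under FILES, a constructed realm ACME.COM and an
       aes256-cts-hmac-sha1-96 master key, and lets KDB5_UTIL be pointed at the
       real binary. It keeps the -f, -k and -r values in one place, because
       the OPERANDS section requires the same -f, -k and -M options for every
       later operation on a database created with them, and it protects the
       dump file, which carries master-key-encrypted key material.

```sh
#!/bin/sh
# Added example, not part of the kdb5_util man page. Assumed values: the
# Solaris default paths from FILES, a constructed realm ACME.COM and an
# aes256-cts-hmac-sha1-96 master key; KDB5_UTIL can point at the real binary.
set -e

KDB5_UTIL=${KDB5_UTIL:-/usr/sbin/kdb5_util}
REALM=${REALM:-ACME.COM}
DBNAME=${DBNAME:-/var/krb5/principal}
STASH=${STASH:-/var/krb5/.k5.$REALM}
MKEYTYPE=${MKEYTYPE:-aes256-cts-hmac-sha1-96}

# The page requires the same -f, -k and -M values for every later operation
# on a database created with them, so keep them in one place and reuse them.
kdb5_common_opts() {
    printf '%s\n' -d "$DBNAME" -f "$STASH" -k "$MKEYTYPE" -r "$REALM"
}

# Dump the named principals (all of them if none are given) into $1. The dump
# carries master-key-encrypted key material, so it is written under umask 077
# (in a subshell, leaving the caller's umask alone) and the result is checked
# to be non-empty and owner-only; a pre-existing, more permissive file keeps
# its old mode, which the check also catches.
kdb5_safe_dump() {
    out=$1
    shift
    ( umask 077
      "$KDB5_UTIL" $(kdb5_common_opts) dump -verbose "$out" "$@" ) || return 1
    [ -s "$out" ] || { echo "dump of $DBNAME produced no data" >&2; return 1; }
    case $(ls -ld "$out") in
        -rw-------*) ;;
        *) echo "unexpected permissions on $out" >&2; return 1 ;;
    esac
}

# Load a dump into a fresh database (no -update, so on success the existing
# contents are replaced, as described under OPERANDS). Refuses to start
# without a readable dump file instead of letting kdb5_util fail part-way.
kdb5_load_dump() {
    dumpfile=$1
    [ -r "$dumpfile" ] || { echo "no readable dump file: $dumpfile" >&2; return 1; }
    "$KDB5_UTIL" $(kdb5_common_opts) load -verbose "$dumpfile" "$DBNAME"
}
```

       Run as root on the KDC, for example kdb5_safe_dump /var/krb5/slavedata
       jdb@ACME.COM pak@ACME.COM, to reproduce Example 1 with a protected
       output file.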

FILES

       /var/krb5/principal

           Kerberos principal database.

       /var/krb5/principal.kadm5

           Kerberos administrative database. Contains policy information.

       /var/krb5/principal.kadm5.lock

           Lock file for the Kerberos administrative database. This file works
           backwards from most other lock files (that is, kadmin exits with an
           error if this file does not exist).

       /var/krb5/principal.ulog

           The update log file for incremental propagation.


ATTRIBUTES

       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWkdcu                     │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability          │Evolving                     │
       └─────────────────────────────┴─────────────────────────────┘


SEE ALSO

       kpasswd(1), gkadmin(1M), kadmin(1M), kadmind(1M), kadmin.local(1M),
       kdb5_ldap_util(1M), kproplog(1M), kadm5.acl(4), kdc.conf(4),
       attributes(5), kerberos(5)



SunOS 5.11                        29 Feb 2008                    kdb5_util(1M)