kadmin_util(8) [osx man page]
kadmin_util(8) BSD System Manager's Manual kadmin_util(8) NAME
kadmin_util -- Kerberos -- Open Directory Single Sign On SYNOPSIS
kadmin_util -a principal_name -d principal_name [-r REALM] [-h] [-p] [-v debug_level] DESCRIPTION
kadmin_util is a tool for managing the access control list used by kadmind to control which users have the ability to modify the Kerberos database of user information. It will look at the acl_file item in the realm section of the kdc config file to determine which acl files to update. -a principal_name Adds the given principal name to the acl file with administrator privs. -d principal_name Removes the given principal name from the acl. (-a & -d are mutually exclusinve) -h Send a HUP signal to kadmind if the update completes without errors -p Write the output error to standard out in an XML Plist format -r REALM Denotes which realm to update. If this parameter is omitted, kadmin_util will operate on the first realm it finds in the kdc config file. To operate on all the available realms use '*' for the realm name -v debug_level Sets the debug level (1 = progress >1 for more detail) EXAMPLES
To add adminuser@REALM.COM to the acl file as kerberos administrator for realm REALM.COM kadmin_util -a adminuser@REALM.COM -r REALM.COM To remove adminuser@REALM.COM from all the realms serviced by this kdc (you need the quotes around the * to keep the shell from substituting filenames) kadmin_util -d adminuser@REALM.COM -r '*' FILES
/var/db/krb5kdc/kadm5.acl the standard acl file location /var/db/krb5kdc/kdc.conf the default kdc config file DIAGNOSTICS
You can add -v debug_level to any kadmin_util command. Debug level 1 provides status information, higher levels add progressivly more levels of detail. NOTES
The kadmin_util tool is used by the Apple Single Sign On system to set up a KDC integrated with the rest of the Single Sign On components. SEE ALSO
DirectoryService(1), kerberos(1), kadmind(8), kerberosautoconfig(8), krbservicesetup(8), krb5kdc(8), sso_util(8) Darwin June 2, 2019 Darwin
Check Out this Related Man Page
krbservicesetup(8) BSD System Manager's Manual krbservicesetup(8) NAME
krbservicesetup -- Kerberos -- Open Directory Single Sign On SYNOPSIS
krbservicesetup [-r REALM] -a admin_name [-p password] [-t keytab] [-f setup_file] [service_type service_principal] DESCRIPTION
krbservicesetup is used by sso_util to configure Kerberized services on the current host. It uses kadmin to add service principals to the KDC database and create the krb5.keytab file. And then edits/creates the config files of the given service to use the proper service principal. krbservicesetup knows how to configure the FTP, AFP, POP, IMAP, SMTP and SSH services shipped by Apple in Mac OS X 10.3 krbservicesetup takes either a service_type, service_principal pair or a plist file with a list of services to configure. The plist file also allows more control over the options used when creating the principals. krbservicesetup arguments: -x Use kadmin.local instead of kadmin. -r REALM The Kerberos realm of the server -a admin_name Name of an administrator with priveleges to add principals to the KDC -p password Password for the above user -t keytab The path of the keytab file to write -f setup_file The path of the plist file containing the list of services to be configured service_type service_principal A single service to configure The service_types understood by krbservicesetup are: afp Apple Filing Protocol ftp File Transfer Protocol imap IMAP mail protocol pop POP mail protocol smtp SMTP mail protocol ssh Secure Shell The plist file format used by krbservicesetup consists of a couple of optional boolean flag items and an array of dictionaries representing the services to be configured. noConfig - Boolean Flag indicating that just the service principals should be created in the KDC configOnly - Boolean Flag indicating that the services need to be configured Services - array of dictionaries Array of service dictionaries to be configured serviceType - string Type of the service (see above for definitions) servicePrincipal - string Kerberos principal name for the service option - Boolean Options passed on to the add_princ command within kadmin If the boolean value is true, the option passed to kadmin is the option name with a '+' prepended. If the value is false a '-' is prepended option - string Options passed on to the add_princ command within kadmin If the key is foo and the string value is bar then the option passed in the add_princ command is "-foo bar" The options for the add_princ command are detailed in the man page for kadmin Some of the possibly options are restricted specifically the pw and needchange commands are ignored. Every service principal is generated with the randkey option. FILES
/etc/krb5.keytab The file where Kerberos stores the service principals for the services on this host DIAGNOSTICS
You can add -v debug_level to the krbservicesetup command. Debug level 1 provides status information, higher levels add progressivly more levels of detail. EXAMPLES
It is better to use the configure command in sso_util to configure multiple services. Here is an example of using krbservicesetup to config- ure a FTP server in the realm FOO.ORG krbservicesetup -r FOO.ORG -a admin -p password ftp ftp/myhost.foo.org@FOO.ORG (the above should be all on one line) NOTES
The krbservicesetup tool is used by the Apple Single Sign On system to set up Kerberized services integrated with the rest of the Single Sign On components. SEE ALSO
kadmin(8), kdcsetup(8), sso_util(8) Darwin June 2, 2019 Darwin