RedHat 9 (Linux i386) - man page for kadmin.local (redhat section 8)

KADMIN(8)										KADMIN(8)

NAME
       kadmin - Kerberos V5 database administration program

SYNOPSIS
       kadmin [-r realm] [-p principal] [-q query]
              [[-c cache_name] | [-k [-t keytab]]] [-w password] [-s admin_server[:port]]

       kadmin.local    [-r realm] [-p principal] [-q query]
		       [-d dbname] [-e "enc:salt ..."] [-m]

DESCRIPTION
       kadmin  and  kadmin.local are command-line interfaces to the Kerberos V5 KADM5 administra-
       tion system.  Both kadmin and kadmin.local provide identical functionalities; the  differ-
       ence is that kadmin.local runs on the master KDC and does not use Kerberos to authenticate
       to the database.  Except as explicitly noted otherwise, this man page will use  kadmin  to
       refer to both versions.	kadmin provides for the maintenance of Kerberos principals, KADM5
       policies, and service key tables (keytabs).

       The remote version uses Kerberos authentication and an encrypted RPC to operate  securely
       from  anywhere  on  the	network.   It authenticates to the KADM5 server using the service
       principal kadmin/admin.	If the credentials cache contains a ticket for	the  kadmin/admin
       principal,  and	the  -c  credentials_cache  option  is	specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options are used to  specify  the  client
       Kerberos  principal  name  used to authenticate.  Once kadmin has determined the principal
       name, it requests a kadmin/admin Kerberos service ticket from the KDC, and uses that  ser-
       vice ticket to authenticate to KADM5.

       The local client, kadmin.local, is intended to run directly on the master KDC without
       Kerberos authentication.  The local version provides all of the functionality of the now
       obsolete kdb5_edit(8), except for database dump and load, which is now provided by the
       kdb5_util(8) utility.

OPTIONS
       -r realm
	      Use realm as the default database realm.

       -p principal
	      Use principal to authenticate.  Otherwise, kadmin will append "/admin" to the  pri-
	      mary  principal name of the default ccache, the value of the USER environment vari-
	      able, or the username as obtained with getpwuid, in order of preference.

       -k keytab
	      Use keytab to decrypt the KDC response instead of prompting for a password  on  the
	      TTY.  In this case, the default principal will be host/hostname.

       -c credentials_cache
	      Use  credentials_cache as the credentials cache.	The credentials_cache should con-
	      tain a service ticket for the kadmin/admin service; it can  be  acquired	with  the
	      kinit(1)	program.   If this option is not specified, kadmin requests a new service
	      ticket from the KDC, and stores it in its own temporary ccache.

       -w password
	      Use password instead of prompting for one on the TTY.  Note:  placing the  password
	      for a Kerberos principal with administration access into a shell script can be dan-
	      gerous if unauthorized users gain read access to the script.

       -q query
	      pass query directly to kadmin, which will perform query and then exit.  This can be
	      useful for writing scripts.
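       The -w warning above applies to any script that embeds an admin password. As an added
       example (not part of the man page), the wrapper below runs a single -q query the way the
       OPTIONS describe, authenticating with a keytab via -k -t instead, and refuses to run if
       that keytab is readable by group or others. The principal, keytab path and the KADMIN
       override variable are the example's own placeholders.

```shell
#!/bin/sh
# Added example, not part of the kadmin man page: run one kadmin query from
# a script using keytab authentication (-k -t) and -q, so no admin password
# is written into the script or passed with -w.  The admin principal and the
# keytab path used by callers are placeholders to replace with your own.

# A keytab holds long-term keys: anyone who can read it can authenticate as
# the principal, which is the same exposure the man page warns about for -w.
# Return 0 only if the file exists and has no group/other read permission.
keytab_is_private() {
    keytab=$1
    [ -f "$keytab" ] || return 1
    # POSIX find: -perm -040 / -perm -004 test the group and other read bits;
    # find prints the path when either bit is set, so empty output means private
    [ -z "$(find "$keytab" -perm -040 -o -perm -004 2>/dev/null)" ]
}

# run_kadmin_query PRINCIPAL KEYTAB QUERY
#   -p  the admin principal to authenticate as (e.g. someone/admin@REALM)
#   -k  decrypt the KDC response with a keytab instead of prompting on the TTY
#   -t  which keytab to read the client key from
#   -q  perform exactly this query, then exit (the form meant for scripts)
# ${KADMIN:-kadmin} lets a staging wrapper or a test substitute the binary.
run_kadmin_query() {
    princ=$1 keytab=$2 query=$3
    if ! keytab_is_private "$keytab"; then
        echo "refusing to run: $keytab is missing or readable by group/others" >&2
        return 2
    fi
    "${KADMIN:-kadmin}" -p "$princ" -k -t "$keytab" -q "$query"
}

# Invocation from a script, with placeholder principal and keytab path:
#   run_kadmin_query 'someone/admin@EXAMPLE.COM' /etc/krb5/admin.keytab 'listprincs'
if [ $# -eq 3 ]; then
    run_kadmin_query "$1" "$2" "$3"
fi
```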

DATE FORMAT
       Various	commands  in  kadmin  can take a variety of date formats, specifying durations or
       absolute times.	Examples of valid formats are:

	      1 month ago
	      2 hours ago
	      400000 seconds ago
	      last year
	      this Monday
	      next Monday
	      yesterday
	      tomorrow
	      now
	      second Monday
	      a fortnight ago
	      3/31/92 10:00:07 PST
	      January 23, 1987 10:05pm
	      22:00 GMT

       Dates which do not have the "ago" specifier default to being absolute dates,  unless  they
       appear  in  a field where a duration is expected.  In that case the time specifier will be
       interpreted as relative.  Specifying "ago" in a duration may result in  unexpected  behav-
       ior.

COMMANDS
       add_principal [options] newprinc
	      creates  the  principal  newprinc, prompting twice for a password.  If no policy is
	      specified with the -policy option, and the policy named "default" exists, then that
	      policy  is  assigned  to	the  principal;  note  that  the assignment of the policy
	      "default" only occurs automatically when a principal is first created, so the  pol-
	      icy  "default"  must already exist for the assignment to occur.  This assignment of
	      "default" can be suppressed with the -clearpolicy option.   This	command  requires
	      the  add	privilege.   This  command has the aliases addprinc and ank.  The options
	      are:

	      -expire expdate
		     expiration date of the principal

	      -pwexpire pwexpdate
		     password expiration date

	      -maxlife maxlife
		     maximum ticket life for the principal

	      -maxrenewlife maxrenewlife
		     maximum renewable life of tickets for the principal

	      -kvno kvno
		     explicitly sets the key version number.

	      -policy policy
		     policy used by this principal.  If no policy is supplied, then if the policy
		     "default" exists and the -clearpolicy is not also specified, then the policy
		     "default" is used; otherwise, the principal will have no policy, and a warn-
		     ing message will be printed.

	      -clearpolicy
		     -clearpolicy  prevents the policy "default" from being assigned when -policy
		     is not specified.	This option has no effect if the  policy  "default"  does
		     not exist.

	      {-|+}allow_postdated
		     -allow_postdated  prohibits this principal from obtaining postdated tickets.
		     (Sets the KRB5_KDB_DISALLOW_POSTDATED flag.)  +allow_postdated  clears  this
		     flag.

	      {-|+}allow_forwardable
		     -allow_forwardable prohibits this principal from obtaining forwardable tick-
		     ets.  (Sets  the  KRB5_KDB_DISALLOW_FORWARDABLE  flag.)   +allow_forwardable
		     clears this flag.

	      {-|+}allow_renewable
		     -allow_renewable  prohibits this principal from obtaining renewable tickets.
		     (Sets the KRB5_KDB_DISALLOW_RENEWABLE flag.)  +allow_renewable  clears  this
		     flag.

	      {-|+}allow_proxiable
		     -allow_proxiable  prohibits this principal from obtaining proxiable tickets.
		     (Sets the KRB5_KDB_DISALLOW_PROXIABLE flag.)  +allow_proxiable  clears  this
		     flag.

	      {-|+}allow_dup_skey
		     -allow_dup_skey  disables  user-to-user authentication for this principal by
		     prohibiting this principal from obtaining a session key  for  another  user.
		     (Sets  the  KRB5_KDB_DISALLOW_DUP_SKEY  flag.)   +allow_dup_skey clears this
		     flag.

	      {-|+}requires_preauth
		     +requires_preauth requires this principal to  preauthenticate  before  being
		     allowed	to    kinit.	(Sets	the   KRB5_KDB_REQUIRES_PRE_AUTH   flag.)
		     -requires_preauth clears this flag.

	      {-|+}requires_hwauth
		     +requires_hwauth requires this principal to preauthenticate using a hardware
		     device  before  being allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
		     flag.)  -requires_hwauth clears this flag.

	      {-|+}allow_svr
		     -allow_svr prohibits the issuance of service  tickets  for  this  principal.
		     (Sets the KRB5_KDB_DISALLOW_SVR flag.)  +allow_svr clears this flag.

	      {-|+}allow_tgs_req
		     -allow_tgs_req  specifies that a Ticket-Granting Service (TGS) request for a
		     service ticket for this principal is not permitted.  This option is  useless
		     for   most  things.   +allow_tgs_req  clears  this  flag.	 The  default  is
		     +allow_tgs_req.   In  effect,  -allow_tgs_req   sets   the   KRB5_KDB_DISAL-
		     LOW_TGT_BASED flag on the principal in the database.

	      {-|+}allow_tix
		     -allow_tix   forbids  the	issuance  of  any  tickets  for  this  principal.
		     +allow_tix clears	this  flag.   The  default  is	+allow_tix.   In  effect,
		     -allow_tix  sets  the KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
		     database.

	      {-|+}needchange
		     +needchange sets a flag in attributes field  to  force  a	password  change;
		     -needchange  clears it.  The default is -needchange.  In effect, +needchange
		     sets the KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.

	      {-|+}password_changing_service
		     +password_changing_service sets a flag in the attributes field marking  this
		     as  a  password  change service principal (useless for most things).  -pass-
		     word_changing_service clears the flag.  This flag intentionally has  a  long
		     name.    The  default  is	-password_changing_service.   In  effect,  +pass-
		     word_changing_service sets the KRB5_KDB_PWCHANGE_SERVICE flag on the princi-
		     pal in the database.

	      -randkey
		     sets the key of the principal to a random value

	      -pw password
		     sets  the	key  of the principal to the specified string and does not prompt
		     for a password.  Note:  using this option in a shell script can be dangerous
		     if unauthorized users gain read access to the script.

	      -e "enc:salt ..."
		     uses the specified list of enctype-salttype pairs for setting the key of the
		     principal.  The quotes are necessary if there are multiple  enctype-salttype
		     pairs.  This will not function against kadmin daemons earlier than krb5-1.2.

	      EXAMPLE:
		     kadmin: addprinc tlyu/admin
		     WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
		     defaulting to no policy.
		     Enter password for principal tlyu/admin@BLEEP.COM:
		     Re-enter password for principal tlyu/admin@BLEEP.COM:
		     Principal "tlyu/admin@BLEEP.COM" created.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_ADD (requires "add" privilege)
		     KADM5_BAD_MASK (shouldn't happen)
		     KADM5_DUP (principal exists already)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal
	      deletes  the specified principal from the database.  This command prompts for dele-
	      tion, unless the -force option is given. This command requires  the  delete  privi-
	      lege.  Aliased to delprinc.

	      EXAMPLE:
		     kadmin: delprinc mwm_user
		     Are you sure you want to delete the principal
		     "mwm_user@BLEEP.COM"? (yes/no): yes
		     Principal "mwm_user@BLEEP.COM" deleted.
		     Make sure that you have removed this principal from
		     all ACLs before reusing.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_DELETE (requires "delete" privilege)
		     KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal
	      modifies	the  specified	principal, changing the fields as specified.  The options
	      are as above for add_principal, except that password changing and flags related  to
	      password	changing  are forbidden by this command.  In addition, the option -clear-
	      policy will clear the current policy of a principal.   This  command  requires  the
	      modify privilege.  Aliased to modprinc.

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires "modify" privilege)
		     KADM5_UNK_PRINC (principal does not exist)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
	      changes the password of principal.  Prompts for a new password if neither -randkey
	      nor -pw is specified.  Requires the changepw privilege, or that the principal
	      running the program be the same as the one being changed.  Aliased to cpw.  The
	      following options are available:

	      -randkey
		     sets the key of the principal to a random value

	      -pw password
		     set the password to the specified string.	Not recommended.

	      -e "enc:salt ..."
		     uses the specified list of enctype-salttype pairs for setting the key of the
		     principal.   The quotes are necessary if there are multiple enctype-salttype
		     pairs.  This will not function against kadmin daemons earlier than krb5-1.2.

	      -keepold
		     Keeps the previous kvno's keys around.  There is no easy way to  delete  the
		     old  keys,  and  this  flag  is usually not necessary except perhaps for TGS
		     keys.  Don't use this flag unless you know what you're doing.

	      EXAMPLE:
		     kadmin: cpw systest
		     Enter password for principal systest@BLEEP.COM:
		     Re-enter password for principal systest@BLEEP.COM:
		     Password for systest@BLEEP.COM changed.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires the modify privilege)
		     KADM5_UNK_PRINC (principal does not exist)
		     KADM5_PASS_Q_* (password policy violation errors)
		     KADM5_PASS_REUSE (password is in principal's password
		     history)
		     KADM5_PASS_TOOSOON (current password minimum life not
		     expired)

       get_principal [-terse] principal
	      gets the attributes of principal.  Requires the inquire privilege, or that the
	      principal running the program be the same as the one being listed.  With the
	      -terse option, outputs fields as quoted tab-separated strings.  Alias getprinc.

	      EXAMPLES:
		     kadmin: getprinc tlyu/admin
		     Principal: tlyu/admin@BLEEP.COM
		     Expiration date: [never]
		     Last password change: Mon Aug 12 14:16:47 EDT 1996
		     Password expiration date: [none]
		     Maximum ticket life: 0 days 10:00:00
		     Maximum renewable life: 7 days 00:00:00
		     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
		     Last successful authentication: [never]
		     Last failed authentication: [never]
		     Failed password attempts: 0
		     Number of keys: 2
		     Key: vno 1, DES cbc mode with CRC-32, no salt
		     Key: vno 1, DES cbc mode with CRC-32, Version 4
		     Attributes:
		     Policy: [none]
		     kadmin: getprinc -terse systest
		     systest@BLEEP.COM	 3    86400	604800	  1
		     785926535 753241234 785900000
		     tlyu/admin@BLEEP.COM     786100034 0    0
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_GET (requires the get (inquire) privilege)
		     KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
	      Retrieves all or some principal names.  Expression is a shell-style glob expression
	      that can contain the wild-card characters ?, *,  and  []'s.   All  principal  names
	      matching	the  expression are printed.  If no expression is provided, all principal
	      names are printed.  If the expression does not contain an  "@"  character,  an  "@"
	      character  followed by the local realm is appended to the expression.  Requires the
	      list privilege.  Alias listprincs.

	      EXAMPLES:
		     kadmin:  listprincs test*
		     test3@SECURE-TEST.OV.COM
		     test2@SECURE-TEST.OV.COM
		     test1@SECURE-TEST.OV.COM
		     testuser@SECURE-TEST.OV.COM
		     kadmin:

       add_policy [options] policy
	      adds the named policy to the policy database.  Requires the add privilege.  Aliased
	      to addpol.  The following options are available:

	      -maxlife time
		     sets the maximum lifetime of a password

	      -minlife time
		     sets the minimum lifetime of a password

	      -minlength length
		     sets the minimum length of a password

	      -minclasses number
		     sets the minimum number of character classes allowed in a password

	      -history number
		     sets the number of past keys kept for a principal

	      ERRORS:
		     KADM5_AUTH_ADD (requires the add privilege)
		     KADM5_DUP (policy already exists)

       delete_policy policy
	      deletes  the  named policy.  Prompts for confirmation before deletion.  The command
	      will fail if the policy is in use by any principals.  Requires  the  delete  privi-
	      lege.  Alias delpol.

	      EXAMPLE:
		     kadmin: del_policy guests
		     Are you sure you want to delete the policy "guests"?
		     (yes/no): yes
		     Policy "guests" deleted.
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_DELETE (requires the delete privilege)
		     KADM5_UNK_POLICY (policy does not exist)
		     KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
	      modifies the named policy.  Options are as above for add_policy.	Requires the mod-
	      ify privilege.  Alias modpol.

	      ERRORS:
		     KADM5_AUTH_MODIFY (requires the modify privilege)
		     KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
	      displays the values of the named policy.	Requires the inquire privilege.  With the
	      -terse flag, outputs the fields as quoted strings separated by tabs.  Alias getpol.

	      EXAMPLES:
		     kadmin: get_policy admin
		     Policy: admin
		     Maximum password life: 180 days 00:00:00
		     Minimum password life: 00:00:00
		     Minimum password length: 6
		     Minimum number of password character classes: 2
		     Number of old keys kept: 5
		     Reference count: 17
		     kadmin: get_policy -terse admin
		     admin     15552000  0    6    2	5    17
		     kadmin:

	      ERRORS:
		     KADM5_AUTH_GET (requires the get privilege)
		     KADM5_UNK_POLICY (policy does not exist)
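	      As an added example (not from the man page), the script below reads a terse policy
	      line like the one shown above, maps its fields onto the long form (the field order
	      is inferred from the two listings above: name, maximum life, minimum life, minimum
	      length, minimum classes, history, reference count) and screens a candidate password
	      against the minimum length and minimum character classes that the KADM5_PASS_Q_*
	      errors report. Counting five character classes (lower case, upper case, digits,
	      punctuation, anything else) is an assumption about the KDC's check, not something
	      the page states.

```shell
#!/bin/sh
# Added example, not part of the kadmin man page: parse "get_policy -terse"
# output and test a candidate password against the policy's minimum length
# and minimum number of character classes.  The sample line is the page's own
# terse output for the "admin" policy, reconstructed here with tab separators.

# Field order follows the long-form listing: name, max life (s), min life (s),
# min length, min classes, old keys kept, reference count.  Sets pol_* globals.
parse_policy() {
    set -- $1                      # split on whitespace (tabs or spaces)
    pol_name=$1 pol_maxlife=$2 pol_minlife=$3
    pol_minlength=$4 pol_minclasses=$5 pol_history=$6 pol_refcount=$7
}

# Lifetimes are stored in seconds; the long form prints whole days
# (15552000 -> 180, i.e. "Maximum password life: 180 days 00:00:00").
seconds_to_days() { echo $(( $1 / 86400 )); }

# Count the character classes a password draws from.  Assumption: five classes
# (lower, upper, digit, punctuation, other), each counted at most once.
count_classes() {
    pw=$1 n=0
    case $pw in *[[:lower:]]*) n=$((n + 1));; esac
    case $pw in *[[:upper:]]*) n=$((n + 1));; esac
    case $pw in *[[:digit:]]*) n=$((n + 1));; esac
    case $pw in *[[:punct:]]*) n=$((n + 1));; esac
    # "other": any character outside the four classes above (space, non-ASCII)
    case $pw in *[![:lower:][:upper:][:digit:][:punct:]]*) n=$((n + 1));; esac
    echo "$n"
}

# Return 0 if the password satisfies the parsed policy, 1 with a reason otherwise.
check_password() {
    pw=$1
    if [ ${#pw} -lt "$pol_minlength" ]; then
        echo "too short: ${#pw} < $pol_minlength" >&2; return 1
    fi
    classes=$(count_classes "$pw")
    if [ "$classes" -lt "$pol_minclasses" ]; then
        echo "too few character classes: $classes < $pol_minclasses" >&2; return 1
    fi
    return 0
}

# Constructed sample input: the page's "get_policy -terse admin" line.
sample_terse=$(printf 'admin\t15552000\t0\t6\t2\t5\t17')
parse_policy "$sample_terse"
echo "policy $pol_name: max life $(seconds_to_days "$pol_maxlife") days," \
     "min length $pol_minlength, min classes $pol_minclasses, history $pol_history"
for candidate in 'abc' 'abcdef' 'abcde1'; do
    if check_password "$candidate" 2>/dev/null; then
        echo "$candidate: accepted"
    else
        echo "$candidate: rejected"
    fi
done
```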

       list_policies [expression]
	      Retrieves  all  or  some policy names.  Expression is a shell-style glob expression
	      that can contain the wild-card characters ?, *, and []'s.  All policy names  match-
	      ing  the expression are printed.	If no expression is provided, all existing policy
	      names are printed.  Requires the list privilege.  Alias listpols.

	      EXAMPLES:
		     kadmin:  listpols
		     test-pol
		     dict-only
		     once-a-min
		     test-pol-nopw
		     kadmin:  listpols t*
		     test-pol
		     test-pol-nopw
		     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
	      [principal | -glob princ-exp] [...]
	      Adds a principal or all principals matching princ-exp to a keytab, randomizing each
	      principal's  key in the process.	Requires the inquire and changepw privileges.  An
	      entry for each of the principal's unique encryption types is added, ignoring multi-
	      ple  keys  with the same encryption type but different salt types.  If the -k argu-
	      ment is not specified, the default keytab /etc/krb5.keytab  is  used.   If  the  -q
	      option is specified, less verbose status information is displayed.

	      The  -glob  option  requires  the list privilege.  princ-exp follows the same rules
	      described for the list_principals command.

	      EXAMPLE:
		     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
		     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
			  kvno 3, encryption type DES-CBC-CRC added to keytab
			  WRFILE:/tmp/foo-new-keytab
		     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
	      Removes entries for the specified principal from a  keytab.   Requires  no  permis-
	      sions,  since this does not require database access.  If the string "all" is speci-
	      fied, all entries for that principal are removed; if the string "old" is specified,
	      all  entries  for  that  principal  except those with the highest kvno are removed.
	      Otherwise, the value specified is parsed as an integer, and all entries whose  kvno
	      match  that  integer are removed.  If the -k argument is not specified, the default
	      keytab /etc/krb5.keytab is used.	If the -q option is specified, less verbose  sta-
	      tus information is displayed.

	      EXAMPLE:
		     kadmin: ktremove -k /var/kerberos/krb5kdc/kadm5.keytab kadmin/admin
		     Entry for principal kadmin/admin with kvno 3 removed
			  from keytab WRFILE:/var/kerberos/krb5kdc/kadm5.keytab.
		     kadmin:

FILES
       principal.db	    default name for Kerberos principal database

       <dbname>.kadm5	    KADM5  administrative database.  (This would be "principal.kadm5", if
			    you use the default database name.)  Contains policy information.

       <dbname>.kadm5.lock  lock file for the KADM5 administrative  database.	This  file  works
			    backwards from most other lock files.  I.e., kadmin will exit with an
			    error if this file does not exist.

       kadm5.acl	    file containing list of principals and  their  kadmin  administrative
			    privileges.  See kadmind(8) for a description.

       kadm5.keytab	    keytab file for kadmin/admin principal.

       kadm5.dict	    file  containing dictionary of strings explicitly disallowed as pass-
			    words.

HISTORY
       The kadmin program was originally written by Tom Yu at MIT, as an interface to the
       OpenVision Kerberos administration program.

SEE ALSO
       kerberos(1), kpasswd(1), kadmind(8)

BUGS
       Command output needs to be cleaned up.

       There  is no way to delete a key kept around from a "-keepold" option to a password-chang-
       ing command, other than to do a password change without the "-keepold" option, which  will
       of course cause problems if the key is a TGS key.  There will be more powerful key-manipu-
       lation commands in the future.
