RedHat 9 (Linux i386) - man page for kdb5_util (redhat section 8)

KDB5_UTIL(8)			     System Manager's Manual			     KDB5_UTIL(8)

NAME
       kdb5_util - Kerberos database maintenance utility

SYNOPSIS
       kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname] [-sf stashfilename] [-m]
       command [command_options]

DESCRIPTION
       kdb5_util allows an administrator to perform low-level maintenance procedures on the
       Kerberos and KADM5 database.  Databases can be created, destroyed, and dumped to and
       loaded from ASCII files.  Additionally, kdb5_util can create a Kerberos master key stash
       file.  kdb5_util subsumes the functionality of and makes obsolete the previous database
       maintenance programs kdb5_create, kdb5_edit, kdb5_destroy, and kdb5_stash.

       When kdb5_util is run, it attempts to acquire the master key and open the database.   How-
       ever,  execution  continues  regardless of whether or not kdb5_util successfully opens the
       database, because the database may not exist yet or the stash file may be corrupt.

COMMAND-LINE OPTIONS
       -r realm
	      specifies the Kerberos realm of the database; by	default  the  realm  returned  by
	      krb5_default_local_realm(3) is used.

       -d dbname
	      specifies  the  name  under  which the principal database is stored; by default the
	      database is that listed in kdc.conf(5).  The KADM5 policy database  and  lock  file
	      are also derived from this value.

       -k mkeytype
	      specifies the key type of the master key in the database; the default is that given
	      in kdc.conf.

       -M mkeyname
	      principal name for the master key in the database; the default  is  that	given  in
	      kdc.conf.

       -m     specifies that the master database password should be read from the TTY rather than
	      fetched from a file on disk.

COMMANDS
       create [-s]
	      Creates a new database.  If the -s option is specified, the stash file is also cre-
	      ated.   This  command fails if the database already exists.  If the command is suc-
	      cessful, the database is opened just as if it had already existed when the  program
	      was first run.

       destroy [-f]
	      Destroys	the  database,	first overwriting the disk sectors and then unlinking the
	      files, after prompting the user for confirmation.  With the -f argument,	does  not
	      prompt the user.

       stash [-f keyfile]
	      Stores the master principal's keys in a stash file.  The -f argument can be used to
	      override the keyfile specified at startup.

       dump [-old] [-b6] [-b7] [-ov]
	      [-verbose] [-mkey_convert] [-new_mkey_file mkey_file] [-rev]  [-recurse]	[filename
	      [principals...]]
	      Dumps  the current Kerberos and KADM5 database into an ASCII file.  By default, the
	      database is dumped in current format, "kdb5_util load_dump version 5".  If  filename
	      is  not  specified,  or  is  the	string	"-", the dump is sent to standard output.
	      Options:

	      -old   causes the dump to be in the Kerberos 5  Beta  5  and  earlier  dump  format
		     ("kdb5_edit load_dump version 2.0").

	      -b6    causes  the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump
		     version 3.0").

	      -b7    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util	load_dump
		     version 4").  This was the dump format produced on releases prior to 1.2.2.

	      -ov    causes the dump to be in ovsec_adm_export format.

	      -verbose
		     causes the name of each principal and policy to be printed as it is dumped.

	      -mkey_convert
		     prompts  for  a  new  master  key.   This new master key will be used to re-
		     encrypt the key data in the dumpfile.  The key data in the database will not
		     be changed.

	      -new_mkey_file mkey_file
		     the  filename  of	a  stash file.	The master key in this stash file will be
		     used to re-encrypt the key data in the dumpfile.  The key data in the  data-
		     base will not be changed.

	      -rev   dumps in reverse order.  This may recover principals that do not dump
		     normally, in cases where database corruption has occurred.

	      -recurse
		     causes the dump to walk the database recursively (btree only).  This may
		     recover principals that do not dump normally, in cases where database
		     corruption has occurred.  In cases of such corruption, this option will
		     probably retrieve more principals than the -rev option will.

       load [-old] [-b6] [-ov]
	      [-verbose] [-update] filename dbname [admin_dbname]
	      Loads a database dump from the named file into the named database.  Unless the -old
	      or -b6 option is given, the format of the dump file is detected  automatically  and
	      handled  as  appropriate.   Unless  the -update option is given, load creates a new
	      database containing only the principals in the dump file, overwriting the  contents
	      of any previously existing database.  Options:

	      -old   requires  the  database  to  be  in the Kerberos 5 Beta 5 and earlier format
		     ("kdb5_edit load_dump version 2.0").

	      -b6    requires the database to be in the Kerberos  5  Beta  6  format  ("kdb5_edit
		     load_dump version 3.0").

	      -b7    requires  the  database  to  be  in the Kerberos 5 Beta 7 format ("kdb5_util
		     load_dump version 4").

	      -ov    requires the database to be in ovsec_adm_import format.  Must be  used  with
		     the -update option.

	      -hash  requires  the database to be stored as a hash.  If this option is not speci-
		     fied, the database will be stored as a btree.  This  option  is  not  recom-
		     mended,  as  databases  stored  in hash format are known to corrupt data and
		     lose principals.

	      -verbose
		     causes the name of each principal and policy to be printed as it is dumped.

	      -update
		     records from the dump file are added to or updated in the existing database;
		     otherwise,  a  new  database  is created containing only what is in the dump
		     file and the old one destroyed upon successful completion.

	      dbname
		     is required and overrides the value specified on the command line or the
		     default.

	      admin_dbname
		     is optional and is derived from dbname if not specified.

       dump_v4 [filename]
	      Dumps the current database into the Kerberos 4 database dump format.

       load_v4 [-T] [-v] [-h]
	      [-t] [-n] [-K] [-s stashfile] inputfile
	      Loads a Kerberos 4 database dump file.  Options:

	      -K     prompts for the V5 master key instead of using the stashed version.

	      -n     prompts for the V4 master key, instead of reading from the stash file.

	      -s stashfile
		     gets the V4 master key out of stashfile instead of /.k

	      -T     creates  a  new krbtgt instead of converting the V4 one.  The V5 server will
		     thus not recognize outstanding tickets, so this should be used with caution.

	      -v     lists each principal as it is converted or ignored.

	      -t     uses a temporary database, then moves that into place, instead of adding the
		     keys to the current database.

	      -h     Stores the database as a hash instead of a btree.	This option is not recom-
		     mended, as databases stored in hash format are known  to  corrupt	data  and
		     lose principals.

	      Note:  if  the  Kerberos	4 database had a default expiration date of 12/31/1999 or
	      12/31/2009 (the compiled in defaults for older or newer Kerberos releases) then any
	      entries  which have the same expiration date will be converted to "never" expire in
	      the version 5 database.  If the default did not match either value, all  expiration
	      dates will be preserved.

	      Also, Kerberos 4 stored a single modification time for any change to a record;
	      Version 5 stores a separate modification time and last password change time.  In
	      practice, Version 4 "modifications" were always password changes.  load_v4 copies
	      the value into both fields.

       ark    Adds a random key.
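
Added example (not part of the original man page): a pre-flight check for a dump file before it is handed to load, built on the header strings quoted under dump above. The function names and the owner-only permission requirement are assumptions of this example; it prints the load command and never runs kdb5_util.

```shell
#!/bin/sh
# Added example: pre-flight check before `kdb5_util load`. Header strings are
# the ones quoted in this man page; function names are hypothetical.

# Map the first line of a dump file to the load option naming its format.
# Prints "auto" (current format), -b7, -b6, -old, or "unknown" (returns 1).
dump_format() {
    header=$(head -n 1 "$1" 2>/dev/null)
    case $header in
        "kdb5_util load_dump version 5")   printf '%s\n' auto ;;
        "kdb5_util load_dump version 4")   printf '%s\n' -b7 ;;
        "kdb5_edit load_dump version 3.0") printf '%s\n' -b6 ;;
        "kdb5_edit load_dump version 2.0") printf '%s\n' -old ;;
        *) printf '%s\n' unknown; return 1 ;;
    esac
}

# A dump carries the principals' key data, so this example requires (as an
# assumption, not a kdb5_util rule) that group and other have no access.
dump_is_private() {
    listing=$(ls -ld -- "$1" 2>/dev/null) || return 2
    [ "$(printf '%s' "$listing" | cut -c5-10)" = "------" ]
}

# Print the load command to run, or a refusal. Nothing is executed.
# $1 = dump file, $2 = dbname, $3 = "update" (merge) or "replace" (overwrite)
load_preflight() {
    dump=$1 db=$2 how=$3
    dump_is_private "$dump" ||
        { echo "refuse: $dump is missing or accessible to group or other"; return 1; }
    fmt=$(dump_format "$dump") ||
        { echo "refuse: unrecognised dump header in $dump"; return 1; }
    opts=
    [ "$fmt" = auto ] || opts=" $fmt"
    case $how in
        update)  opts="$opts -update" ;;
        replace) ;;  # without -update, load overwrites the existing database
        *) echo "refuse: third argument must be update or replace"; return 1 ;;
    esac
    printf 'kdb5_util load%s %s %s\n' "$opts" "$dump" "$db"
}
```

Passing the detected format option makes load require the format that was inspected, rather than relying on automatic detection.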

SEE ALSO
       kadmin(8)

										     KDB5_UTIL(8)

