NAME
kadmin —
Kerberos administration
utility
SYNOPSIS
kadmin |
[-p
string | --principal=string]
[-K string | --keytab=string]
[-c file | --config-file=file]
[-k file | --key-file=file]
[-r realm | --realm=realm]
[-a host | --admin-server=host]
[-s port number | --server-port=port number]
[-l | --local]
[-h | --help]
[-v | --version]
[command] |
DESCRIPTION
The
kadmin program is used to make modifications to the
Kerberos database, either remotely via the
kadmind(8) daemon, or locally
(with the
-l option).
Supported options:
-
-
- -p
string,
--principal=string
- principal to authenticate as
-
-
- -K
string,
--keytab=string
- keytab for authentication principal
-
-
- -c
file,
--config-file=file
- location of config file
-
-
- -k
file,
--key-file=file
- location of master key file
-
-
- -r
realm,
--realm=realm
- realm to use
-
-
- -a
host,
--admin-server=host
- server to contact
-
-
- -s
port number,
--server-port=port
number
- port to use
-
-
- -l,
--local
- local admin mode
If no
command is given on the command line,
kadmin will prompt for commands to process. Some of the
commands that take one or more principals as argument
(
delete,
ext_keytab,
get,
modify, and
passwd)
will accept a glob style wildcard, and perform the operation on all matching
principals.
Commands include:
add [
-r |
- -random-key]
[
--random-password]
[
-p string |
--password=string]
[
--key=string]
[
--max-ticket-life=lifetime]
[
--max-renewable-life=lifetime]
[
--attributes=attributes]
[
--expiration-time=time]
[
--pw-expiration-time=time]
[
--policy=policy-name]
principal...
Adds a new principal to the
database. The options not passed on the command line will be promped for. The
only policy supported by Heimdal servers is
‘default
’.
add_enctype [
-r |
--random-key]
principal enctypes...
Adds a new encryption type to the
principal, only random key are supported.
delete principal...
Removes a principal.
del_enctype principal enctypes...
Removes some enctypes from a
principal; this can be useful if the service belonging to the principal is
known to not handle certain enctypes.
ext_keytab [
-k
string |
--keytab=string]
principal...
Creates a keytab with the keys of
the specified principals. Requires get-keys rights, otherwise the principal's
keys are changed and saved in the keytab.
get [
-l |
- -long]
[
-s |
--short]
[
-t |
--terse]
[
-o string |
--column-info=string]
principal...
Lists the matching principals,
short prints the result as a table, while long format produces a more verbose
output. Which columns to print can be selected with the
-o
option. The argument is a comma separated list of column names optionally
appended with an equal sign (‘=’) and a column header. Which
columns are printed by default differ slightly between short and long output.
The default terse output format is similar to
-s
-o principal=, just printing the names
of matched principals.
Possible column names include:
principal
,
princ_expire_time
,
pw_expiration
,
last_pwd_change
,
max_life
,
max_rlife
,
mod_time
,
mod_name
,
attributes
,
kvno
,
mkvno
,
last_success
,
last_failed
,
fail_auth_count
,
policy
, and
keytypes
.
modify [
-a
attributes |
--attributes=attributes]
[
--max-ticket-life=lifetime]
[
--max-renewable-life=lifetime]
[
--expiration-time=time]
[
--pw-expiration-time=time]
[
--kvno=number]
[
--policy=policy-name]
principal...
Modifies certain attributes of a
principal. If run without command line options, you will be prompted. With
command line options, it will only change the ones specified.
Only policy supported by Heimdal is
‘
default
’.
Possible attributes are:
new-princ
,
support-desmd5
,
pwchange-service
,
disallow-svr
,
requires-pw-change
,
requires-hw-auth
,
requires-pre-auth
,
disallow-all-tix
,
disallow-dup-skey
,
disallow-proxiable
,
disallow-renewable
,
disallow-tgt-based
,
disallow-forwardable
,
disallow-postdated
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user
passwd
[
--keepold]
[
-r |
--random-key]
[
--random-password]
[
-p string |
--password=string]
[
--key=string]
principal...
Changes the password of an existing
principal.
password-quality principal
password
Run the password quality check
function locally. You can run this on the host that is configured to run the
kadmind process to verify that your configuration file is correct. The
verification is done locally, if kadmin is run in remote mode, no rpc call is
done to the server.
privileges
Lists the operations you are
allowed to perform. These include add
,
add_enctype
, change-password
,
delete
, del_enctype
,
get
, get-keys
,
list
, and modify
.
rename from to
Renames a principal. This is
normally transparent, but since keys are salted with the principal name, they
will have a non-standard salt, and clients which are unable to cope with this
will fail. Kerberos 4 suffers from this.
check [
realm]
Check database for strange
configurations on important principals. If no realm is given, the default
realm is used.
When running in local mode, the following commands can also be used:
dump [
-d |
- -decrypt]
[
-fformat |
--format=format]
[
dump-file]
Writes the database in
“machine readable text” form to the specified file, or standard
out. If the database is encrypted, the dump will also have encrypted keys,
unless --decrypt is used. If
--format=MIT is used then the dump will be
in MIT format. Otherwise it will be in Heimdal format.
init
[
--realm-max-ticket-life=string]
[
--realm-max-renewable-life=string]
realm
Initializes the Kerberos database
with entries for a new realm. It's possible to have more than one realm served
by one server.
load file
Reads a previously dumped database,
and re-creates that database from scratch.
merge file
Similar to load
but just modifies the database with the entries in the dump file.
stash [
-e
enctype |
--enctype=enctype]
[
-k keyfile |
--key-file=keyfile]
[
--convert-file]
[
--master-key-fd=fd]
Writes the Kerberos master key to a
file used by the KDC.
SEE ALSO
kadmind(8),
kdc(8)