.TH "KADMIN" "1" " " "0.0.1" "MIT Kerberos"
kadmin \- Kerberos V5 database administration program
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
[\fB\-w\fP \fIpassword\fP]
[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[\fB\-d\fP \fIdbname\fP]
[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
[\fB\-x\fP \fIdb_args\fP]
kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using \fIkadmind(8)\fP.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is
the fully\-qualified hostname of the admin server) or \fBkadmin/admin\fP.
If the credentials cache contains a ticket for one of these
principals, and the \fB\-c\fP credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
\fB\-k\fP options are used to specify the client Kerberos principal name
used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.
Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the master KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.
.B \fB\-r\fP \fIrealm\fP
Use \fIrealm\fP as the default database realm.
.B \fB\-p\fP \fIprincipal\fP
Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
\fB/admin\fP to the primary principal name of the default ccache,
the value of the \fBUSER\fP environment variable, or the username as
obtained with getpwuid, in order of preference.
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
\fBhost/hostname\fP. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.B \fB\-t\fP \fIkeytab\fP
Use \fIkeytab\fP to decrypt the KDC response. This can only be used
with the \fB\-k\fP option.
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
\fIkrb5.conf(5)\fP. Then use the \fB\-n\fP option with a principal
of the form \fB@REALM\fP (an empty principal name followed by the
at\-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
supported; these realm\-exposed tickets hide the identity of the
client but not the client\(aqs realm. For this mode, use \fBkinit
\-n\fP with a normal principal name. If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.
.B \fB\-c\fP \fIcredentials_cache\fP
Use \fIcredentials_cache\fP as the credentials cache. The
cache should contain a service ticket for the \fBkadmin/ADMINHOST\fP
(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
server) or \fBkadmin/admin\fP service; it can be acquired with the
\fIkinit(1)\fP program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
.B \fB\-w\fP \fIpassword\fP
Use \fIpassword\fP instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.
.B \fB\-q\fP \fIquery\fP
Perform the specified query and then exit. This can be useful for
.B \fB\-d\fP \fIdbname\fP
Specifies the name of the KDC database. This option does not
apply to the LDAP database module.
.B \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
Specifies the admin server which kadmin should contact.
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.B \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
Sets the list of encryption types and salt types to be used for
any new keys created. See \fIEncryption_and_salt_types\fP in
\fIkdc.conf(5)\fP for a list of possible values.
Force use of old AUTH_GSSAPI authentication flavor.
Prevent fallback to AUTH_GSSAPI authentication flavor.
.B \fB\-x\fP \fIdb_args\fP
Specifies the database specific arguments. Options supported for
the LDAP database module are:
.B \fB\-x host=\fP\fIhostname\fP
specifies the LDAP server to connect to by an LDAP URI.
.B \fB\-x binddn=\fP\fIbind_dn\fP
specifies the DN of the object used by the administration
server to bind to the LDAP server. This object should have
the read and write privileges on the realm container, the
principal container, and the subtree that is referenced by the
.B \fB\-x bindpwd=\fP\fIbind_password\fP
specifies the password for the above mentioned binddn. Using
this option may expose the password to other users on the
system via the process list; to avoid this, instead stash the
password using the \fBstashsrvpw\fP command of
\fIkdb5_ldap_util(8)\fP.
Many of the kadmin commands take a duration or time as an
argument. The date can appear in a wide variety of formats, such as:
January 23, 1987 10:05pm
Dates which do not have the "ago" specifier default to being absolute
dates, unless they appear in a field where a duration is expected. In
that case the time specifier will be interpreted as relative.
Specifying "ago" in a duration may result in unexpected behavior.
The following is a list of all of the allowable keywords.
january, jan, february, feb, march, mar, april, apr, may,
june, jun, july, jul, august, aug, september, sep, sept,
october, oct, november, nov, december, dec
sunday, sun, monday, mon, tuesday, tues, tue, wednesday,
wednes, wed, thursday, thurs, thur, thu, friday, fri,
year, month, fortnight, week, day, hour, minute, min,
tomorrow, yesterday, today, now, last, this, next, first,
second, third, fourth, fifth, sixth, seventh, eighth,
ninth, tenth, eleventh, twelfth, ago
kadmin recognizes abbreviations for most of the world\(aqs
When using the remote client, available commands may be restricted
according to the privileges specified in the kadm5.acl file on the
\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
Creates the principal \fInewprinc\fP, prompting twice for a password. If
no password policy is specified with the \fB\-policy\fP option, the
policy named \fBdefault\fP is assigned to the principal if it exists.
However, creating a policy named \fBdefault\fP will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the \fB\-clearpolicy\fP option.
This command requires the \fBadd\fP privilege.
Aliases: \fBaddprinc\fP, \fBank\fP
.B \fB\-expire\fP \fIexpdate\fP
expiration date of the principal
.B \fB\-pwexpire\fP \fIpwexpdate\fP
password expiration date
.B \fB\-maxlife\fP \fImaxlife\fP
maximum ticket life for the principal
.B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
maximum renewable life of tickets for the principal
.B \fB\-kvno\fP \fIkvno\fP
initial key version number
.B \fB\-policy\fP \fIpolicy\fP
password policy used by this principal. If not specified, the
policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
.B \fB\-clearpolicy\fP
prevents any policy from being assigned when \fB\-policy\fP is not
.B {\-|+}\fBallow_postdated\fP
\fB\-allow_postdated\fP prohibits this principal from obtaining
postdated tickets. \fB+allow_postdated\fP clears this flag.
.B {\-|+}\fBallow_forwardable\fP
\fB\-allow_forwardable\fP prohibits this principal from obtaining
forwardable tickets. \fB+allow_forwardable\fP clears this flag.
.B {\-|+}\fBallow_renewable\fP
\fB\-allow_renewable\fP prohibits this principal from obtaining
renewable tickets. \fB+allow_renewable\fP clears this flag.
.B {\-|+}\fBallow_proxiable\fP
\fB\-allow_proxiable\fP prohibits this principal from obtaining
proxiable tickets. \fB+allow_proxiable\fP clears this flag.
.B {\-|+}\fBallow_dup_skey\fP
\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
principal by prohibiting this principal from obtaining a session
key for another user. \fB+allow_dup_skey\fP clears this flag.
.B {\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
.B {\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\fB\-requires_hwauth\fP clears this flag.
.B {\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
issued with this principal as the service. Clients may use this
flag as a hint that credentials should be delegated when
authenticating to the service. \fB\-ok_as_delegate\fP clears this
.B {\-|+}\fBallow_svr\fP
\fB\-allow_svr\fP prohibits the issuance of service tickets for this
principal. \fB+allow_svr\fP clears this flag.
.B {\-|+}\fBallow_tgs_req\fP
\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\fB+allow_tgs_req\fP clears this flag.
.B {\-|+}\fBallow_tix\fP
\fB\-allow_tix\fP forbids the issuance of any tickets for this
principal. \fB+allow_tix\fP clears this flag.
.B {\-|+}\fBneedchange\fP
\fB+needchange\fP forces a password change on the next initial
authentication to this principal. \fB\-needchange\fP clears this
.B {\-|+}\fBpassword_changing_service\fP
\fB+password_changing_service\fP marks this principal as a password
change service principal.
sets the key of the principal to a random value
.B \fB\-pw\fP \fIpassword\fP
sets the password of the principal to the specified string and
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
uses the specified list of enctype\-salttype pairs for setting the
key of the principal.
.B \fB\-x\fP \fIdb_princ_args\fP
indicates database\-specific options. The options for the LDAP
.B \fB\-x dn=\fP\fIdn\fP
specifies the LDAP object that will contain the Kerberos
principal being created.
.B \fB\-x linkdn=\fP\fIdn\fP
specifies the LDAP object to which the newly created Kerberos
principal object will point.
.B \fB\-x containerdn=\fP\fIcontainer_dn\fP
specifies the container object under which the Kerberos
principal is to be created.
.B \fB\-x tktpolicy=\fP\fIpolicy\fP
associates a ticket policy to the Kerberos principal.
The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
specified with the \fBdn\fP option.
If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
adding the principal, the principals are created under the
principal container configured in the realm or the realm
\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
principal container configured in the realm.
kadmin: addprinc jennifer
WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
Principal "jennifer@ATHENA.MIT.EDU" created.
\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
Modifies the specified principal, changing the fields as specified.
The options to \fBadd_principal\fP also apply to this command, except
for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
option \fB\-clearpolicy\fP will clear the current policy of a principal.
This command requires the \fBmodify\fP privilege.
Alias: \fBmodprinc\fP
Options (in addition to the \fBaddprinc\fP options):
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
Renames the specified \fIold_principal\fP to \fInew_principal\fP. This
command prompts for confirmation, unless the \fB\-force\fP option is
This command requires the \fBadd\fP and \fBdelete\fP privileges.
Alias: \fBrenprinc\fP
\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
Deletes the specified \fIprincipal\fP from the database. This command
prompts for deletion, unless the \fB\-force\fP option is given.
This command requires the \fBdelete\fP privilege.
Alias: \fBdelprinc\fP
\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
Changes the password of \fIprincipal\fP. Prompts for a new password if
neither \fB\-randkey\fP nor \fB\-pw\fP is specified.
This command requires the \fBchangepw\fP privilege, or that the
principal running the program is the same as the principal being
The following options are available:
Sets the key of the principal to a random value
.B \fB\-pw\fP \fIpassword\fP
Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified list of enctype\-salttype pairs for setting the
key of the principal.
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for \fBkrbtgt\fP principals.
Enter password for principal systest@BLEEP.COM:
Re\-enter password for principal systest@BLEEP.COM:
Password for systest@BLEEP.COM changed.
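The warnings above about \fB\-w\fP, \fB\-x bindpwd=\fP and \fB\-pw\fP (in both add_principal and change_password) can be checked mechanically in automation scripts. The following is an added example, not part of the original page or of the kadmin distribution: a POSIX shell function that reports kadmin invocations carrying a secret in their argument list. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the kadmin distribution.
# find_cmdline_secrets reads shell script text on stdin and prints
# "LINE:OPTION" for each kadmin or kadmin.local invocation that carries a
# secret in its argument list: -w, -pw (inside a -q query) or bindpwd=.
# The secret itself is never printed. Commands fed to kadmin on stdin are
# not flagged, because they never appear in the process list.
find_cmdline_secrets() {
    awk -v sq="'" '
    /^[ \t]*#/ { next }                      # skip comment lines
    {
        line = $0
        gsub("[\"" sq "]", " ", line)        # quotes only group words; drop them
        n = split(line, f, /[ \t]+/)
        seen = 0
        for (i = 1; i <= n; i++) {
            base = f[i]
            sub(/^.*\//, "", base)           # /usr/sbin/kadmin.local -> kadmin.local
            if (!seen) {
                # Options placed before the command belong to another program.
                if (base == "kadmin" || base == "kadmin.local") seen = 1
                continue
            }
            if      (f[i] == "-w"  && i < n) print NR ":-w"
            else if (f[i] == "-pw" && i < n) print NR ":-pw"
            else if (f[i] ~ /^bindpwd=./)    print NR ":bindpwd"
        }
    }'
}

# Constructed sample input (principals, paths and passwords are made up).
sample_script() {
    cat <<'EOF'
kadmin -p ops/admin -w 'S3cret' -q "addprinc -randkey host/a.example.com"
kadmin -k -t /etc/ops.keytab -p ops/admin -q "addprinc -pw Hunter2 alice"
/usr/sbin/kadmin.local -x bindpwd=ldapsecret -q "listprincs"
kadmin -k -t /etc/ops.keytab -p ops/admin -q "change_password -randkey host/b.example.com"
# kadmin -p ops/admin -w retired
grep -w kadmin /var/log/messages
EOF
}

sample_script | find_cmdline_secrets
```

Reported lines can usually be rewritten to authenticate with \fB\-k \-t\fP \fIkeytab\fP, to set keys with \fB\-randkey\fP, or to stash the LDAP bind password with \fBstashsrvpw\fP, as described on this page.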
\fBpurgekeys\fP [\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
Purges previously retained old keys (e.g., from \fBchange_password
\-keepold\fP) from \fIprincipal\fP. If \fB\-keepkvno\fP is specified, then
only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.
This command requires the \fBmodify\fP privilege.
\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
Gets the attributes of principal. With the \fB\-terse\fP option, outputs
fields as quoted tab\-separated strings.
This command requires the \fBinquire\fP privilege, or that the principal
running the program be the same as the one being listed.
Alias: \fBgetprinc\fP
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Key: vno 1, DES cbc mode with CRC\-32, no salt
Key: vno 1, DES cbc mode with CRC\-32, Version 4
kadmin: getprinc \-terse systest
systest@BLEEP.COM 3 86400 604800 1
785926535 753241234 785900000
tlyu/admin@BLEEP.COM 786100034 0 0
\fBlist_principals\fP [\fIexpression\fP]
Retrieves all or some principal names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
\fB*\fP, and \fB[]\fP. All principal names matching the expression are
printed. If no expression is provided, all principal names are
printed. If the expression does not contain an \fB@\fP character, an
\fB@\fP character followed by the local realm is appended to the
This command requires the \fBlist\fP privilege.
Aliases: \fBlistprincs\fP, \fBget_principals\fP, \fBget_princs\fP
kadmin: listprincs test*
test3@SECURE\-TEST.OV.COM
test2@SECURE\-TEST.OV.COM
test1@SECURE\-TEST.OV.COM
testuser@SECURE\-TEST.OV.COM
\fBget_strings\fP \fIprincipal\fP
Displays string attributes on \fIprincipal\fP. String attributes are used
to supply per\-principal configuration to some KDC plugin modules.
This command requires the \fBinquire\fP privilege.
\fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
Sets a string attribute on \fIprincipal\fP.
This command requires the \fBmodify\fP privilege.
\fBdel_string\fP \fIprincipal\fP \fIkey\fP
Deletes a string attribute from \fIprincipal\fP.
This command requires the \fBdelete\fP privilege.
\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
Adds a password policy named \fIpolicy\fP to the database.
This command requires the \fBadd\fP privilege.
The following options are available:
.B \fB\-maxlife\fP \fItime\fP
sets the maximum lifetime of a password
.B \fB\-minlife\fP \fItime\fP
sets the minimum lifetime of a password
.B \fB\-minlength\fP \fIlength\fP
sets the minimum length of a password
.B \fB\-minclasses\fP \fInumber\fP
sets the minimum number of character classes required in a
password. The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.
.B \fB\-history\fP \fInumber\fP
sets the number of past keys kept for a principal. This option is
not supported with the LDAP KDC database module.
.B \fB\-maxfailure\fP \fImaxnumber\fP
sets the maximum number of authentication failures before the
principal is locked. Authentication failures are only tracked for
principals which require preauthentication.
.B \fB\-failurecountinterval\fP \fIfailuretime\fP
sets the allowable time between authentication failures. If an
authentication failure happens after \fIfailuretime\fP has elapsed
since the previous failure, the number of authentication failures
.B \fB\-lockoutduration\fP \fIlockouttime\fP
sets the duration for which the principal is locked from
authenticating if too many authentication failures occur without
the specified failure count interval elapsing. A duration of 0
kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
Modifies the password policy named \fIpolicy\fP. Options are as described
for \fBadd_policy\fP.
This command requires the \fBmodify\fP privilege.
\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
Deletes the password policy named \fIpolicy\fP. Prompts for confirmation
before deletion. The command will fail if the policy is in use by any
This command requires the \fBdelete\fP privilege.
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
Displays the values of the password policy named \fIpolicy\fP. With the
\fB\-terse\fP flag, outputs the fields as quoted strings separated by
This command requires the \fBinquire\fP privilege.
kadmin: get_policy admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
kadmin: get_policy \-terse admin
admin 15552000 0 6 2 5 17
The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
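The \fBget_policy \-terse\fP output shown above lends itself to automated review. The following is an added example, not part of the original page or of the kadmin distribution: a POSIX shell function that compares terse policy lines against a site baseline, using the seven\-field order of the sample above. The function names and baseline values are hypothetical, the second sample line is constructed, and treating a maximum life of 0 as "never expires" is an assumption.

```shell
#!/bin/sh
# Added example, not from the kadmin distribution.
# Field order, taken from the get_policy sample on this page:
#   name  maxlife(s)  minlife(s)  minlength  minclasses  history  refcount
#
# usage: audit_policy_terse MINLEN MINCLASSES HISTORY MAXLIFE_DAYS < terse-lines
# Prints one finding per line for every value weaker than the baseline.
audit_policy_terse() {
    awk -v minlen="$1" -v mincls="$2" -v hist="$3" -v maxdays="$4" '
    function finding(name, what, have, want) {
        printf "%s: %s=%s baseline=%s\n", name, what, have, want
    }
    NF == 0 { next }                         # ignore blank lines
    {
        gsub(/"/, "")                        # fields may or may not be quoted
        sub(/^[ \t]+/, "")
        n = split($0, f, /[ \t]+/)
        if (n < 7) {
            printf "line %d: expected 7 fields, got %d\n", NR, n
            next
        }
        # Assumption: a maximum life of 0 means passwords never expire.
        if (f[2] + 0 == 0 || f[2] + 0 > maxdays * 86400)
            finding(f[1], "maxlife_days", int(f[2] / 86400), maxdays)
        if (f[4] + 0 < minlen + 0) finding(f[1], "minlength",  f[4], minlen)
        if (f[5] + 0 < mincls + 0) finding(f[1], "minclasses", f[5], mincls)
        if (f[6] + 0 < hist + 0)   finding(f[1], "history",    f[6], hist)
    }'
}

# Sample input: the first line is the sample from this page; the second is
# constructed (quoted form) from the add_policy example for "guests".
sample_policies() {
    printf 'admin\t15552000\t0\t6\t2\t5\t17\n'
    printf '"guests"\t172800\t0\t5\t1\t1\t0\n'
}

# Hypothetical baseline: length 8, 3 classes, 5 old keys, 365-day maximum life.
sample_policies | audit_policy_terse 8 3 5 365
```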
\fBlist_policies\fP [\fIexpression\fP]
Retrieves all or some policy names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
\fB*\fP, and \fB[]\fP. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are
This command requires the \fBlist\fP privilege.
Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP.
\fBktadd\fP [[\fIprincipal\fP|\fB\-glob\fP \fIprinc\-exp\fP]
Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
keytab file. Each principal\(aqs keys are randomized in the process.
The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
With the \fB\-glob\fP option, it also requires the \fBlist\fP privilege.
.B \fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
.B \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Use the specified list of enctype\-salttype pairs for setting the
new keys of the principal.
Display less verbose information.
Do not randomize the keys. The keys and their version numbers stay
unchanged. This option is only available in kadmin.local, and
cannot be specified in combination with the \fB\-e\fP option.
An entry for each of the principal\(aqs unique encryption types is added,
ignoring multiple keys with the same encryption type but different
kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
FILE:/tmp/foo\-new\-keytab
\fBktremove\fP \fIprincipal\fP [\fIkvno\fP|\fIall\fP| \fIold\fP]
Removes entries for the specified \fIprincipal\fP from a keytab. Requires
no permissions, since this does not require database access.
If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.
.B \fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
Display less verbose information.
kadmin: ktremove kadmin/admin all
Entry for principal kadmin/admin with kvno 3 removed from keytab
FILE:/etc/krb5.keytab
Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.
Release the exclusive database lock.
Lists the requests available for kadmin.
Aliases: \fBlr\fP, \fB?\fP
Exit program. If the database was locked, the lock is released.
Aliases: \fBexit\fP, \fBq\fP
The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.
\fIkpasswd(1)\fP, \fIkadmind(8)\fP