[**-q** *query*]
[[**-c** *cache_name*] | [**-k** [**-t** *keytab* ]] | **-n**]
[**-w** *password*]
- [**-s** *admin_server* [:*port*]
+ [**-s** *admin_server* [:*port*]]
**kadmin.local**
Once *kadmin* has determined the principal name, it requests a *kadmin/admin* Kerberos service ticket from the KDC,
and uses that service ticket to authenticate to KADM5.
-If the database is db2, the local client *kadmin.local*, is intended to run directly on the master KDC without Kerberos authentication.
+If the database is db2, the local client *kadmin.local* is intended to run directly on the master KDC without Kerberos authentication.
The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load,
which is now provided by the :ref:`kdb5_util(8)` utility.
**-x** bindpwd=<bind_password>
specifies the password for the above mentioned binddn. It is recommended not to use this option.
- Instead, the password can be stashed using the stashsrvpw command of :ref:`kdb5_ldap_util(8)`
+ Instead, the password can be stashed using the *stashsrvpw* command of :ref:`kdb5_ldap_util(8)`
.. _kadmin_options_end:
{- | +} **allow_postdated**
*-allow_postdated* prohibits this principal from obtaining postdated tickets.
- (Sets the KRB5_*KDB_DISALLOW_POSTDATED* flag.) *+allow_postdated* clears this flag.
+ (Sets the *KRB5_KDB_DISALLOW_POSTDATED* flag.) *+allow_postdated* clears this flag.
{- | +} **allow_forwardable**
*-allow_forwardable* prohibits this principal from obtaining forwardable tickets.
admin 15552000 0 6 2 5 17
kadmin:
-The *Reference count* is the number of principals using that policy.
+ The *Reference count* is the number of principals using that policy.
ERRORS::
The enctype-salttype pairs may be delimited with commas or whitespace.
The quotes are necessary for whitespace-delimited list.
If this option is not specified, then *supported_enctypes* from :ref:`krb5.conf` will be used.
- This will not function against kadmin daemons earlier than krb5-1.2.
See :ref:`Supported_Encryption_Types_and_Salts` for all possible values.
**-q**
x Short for admcil.
* Same as x.
-Some examples of valid entries here are:
+ Some examples of valid entries here are:
-*user/instance@realm adm*
- A standard fully qualified name. The *operation-mask* only applies to this principal and specifies that [s]he may add, delete or
- modify principals and policies, but not change anybody else's password.
-*user/instance@realm cim service/instance@realm*
- A standard fully qualified name and a standard fully qualified target. The *operation-mask* only applies to this principal oper‐
- ating on this target and specifies that [s]he may change the target's password, request information about the target and modify
- it.
+ *user/instance@realm adm*
+ A standard fully qualified name.
+ The *operation-mask* only applies to this principal and specifies that [s]he may add,
+ delete or modify principals and policies, but not change anybody else's password.
-*user/\*@realm ac*
- A wildcarded name. The *operation-mask* applies to all principals in realm "realm" whose first component is "user" and specifies
- that [s]he may add principals and change anybody's password.
+ *user/instance@realm cim service/instance@realm*
+ A standard fully qualified name and a standard fully qualified target.
+ The *operation-mask* only applies to this principal operating on this target and specifies
+ that [s]he may change the target's password, request information about the target and modify it.
-*user/\*@realm i \*/instance@realm*
- A wildcarded name and target. The *operation-mask* applies to all principals in realm "realm" whose first component is "user" and
- specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm".
+ *user/\*@realm ac*
+ A wildcarded name. The *operation-mask* applies to all principals in realm "realm" whose first component is "user" and specifies
+ that [s]he may add principals and change anybody's password.
+
+ *user/\*@realm i \*/instance@realm*
+ A wildcarded name and target. The *operation-mask* applies to all principals in realm "realm" whose first component is "user" and
+ specifies that [s]he may perform inquiries on principals whose second component is "instance" and realm is "realm".
FILES
-----------
-=================== ===================================================================
-principal.db default name for Kerberos principal database
-
-<dbname>.kadm5 KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information.
-
-<dbname>.kadm5.lock lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., kadmin will exit with an error if this file does not exist.
-=================== ===================================================================
-
-Note: The above three files are specific to db2 database.
-
-=================== ===================================================================
-kadm5.acl file containing list of principals and their kadmin administrative privileges. See above for a description.
-
-kadm5.keytab keytab file for *kadmin/admin* principal.
+Note: The first three files are specific to db2 database.
-kadm5.dict file containing dictionary of strings explicitly disallowed as passwords.
-=================== ===================================================================
+==================== ===================================================================
+principal.db default name for Kerberos principal database
+<dbname>.kadm5 KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information.
+<dbname>.kadm5.lock lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., kadmin will exit with an error if this file does not exist.
+kadm5.acl file containing list of principals and their kadmin administrative privileges. See above for a description.
+kadm5.keytab keytab file for *kadmin/admin* principal.
+kadm5.dict file containing dictionary of strings explicitly disallowed as passwords.
+==================== ===================================================================
SEE ALSO
-----------
Specifies the master database password. This option is not recommended.
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm (3) is used.
+ Specifies the Kerberos realm of the database.
**-sf** *stashfilename*
Specifies the stash file of the master database password.
Specifies the DN of the container object in which the principals of a realm will be created.
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
**-maxtktlife** *max_ticket_life*
Specifies maximum ticket life for principals in this realm.
Displays the attributes of a realm. Options:
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
EXAMPLE::
If specified, will not prompt the user for confirmation.
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
EXAMPLE::
Creates a ticket policy in directory. Options:
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
**-maxtktlife** *max_ticket_life*
Specifies maximum ticket life for principals.
Modifies the attributes of a ticket policy. Options are same as create_policy.
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
EXAMPLE::
Destroys an existing ticket policy. Options:
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
**-force**
Forces the deletion of the policy object. If not specified, will be prompted for confirmation while deleting the policy.
Lists the ticket policies in realm if specified or in the default realm. Options:
**-r** *realm*
- Specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the Kerberos realm of the database.
EXAMPLE::
.. _kdb5_util_options:
**-r** *realm*
- specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
+ specifies the Kerberos realm of the database.
**-d** *dbname*
specifies the name under which the principal database is stored; by default the database is that listed in :ref:`kdc.conf`.
Adds a random key.
**add_mkey** [**-e** *etype*] [**-s**]
- Adds a new master key to the K/M (master key) principal. Existing master keys will remain.
+ Adds a new master key to the *K/M* (master key) principal. Existing master keys will remain.
The *-e etype* option allows specification of the enctype of the new master key.
The *-s* option stashes the new master key in a local stash file which will be created if it doesn't already exist.
**use_mkey** *mkeyVNO* [*time*]
- Sets the activation time of the master key specified by mkeyVNO.
+ Sets the activation time of the master key specified by *mkeyVNO*.
Once a master key is active (i.e. its activation time has been reached) it will then be used to encrypt principal keys either when
- the principal keys change, are newly created or when the update_princ_encryption command is run.
+ the principal keys change, are newly created or when the *update_princ_encryption* command is run.
If the time argument is provided then that will be the activation time otherwise the current time is used by default.
- The format of the optional time argument is that specified in the Time Formats section of the kadmin man page.
+ The format of the optional time argument is that specified in the *Time Formats* section of the kadmin man page.
**list_mkeys**
- List all master keys from most recent to earliest in K/M principal.
- The output will show the KVNO, enctype and salt for each mkey similar to kadmin getprinc output.
+ List all master keys from most recent to earliest in *K/M* principal.
+ The output will show the kvno, enctype and salt for each mkey similar to kadmin getprinc output.
A \* following an mkey denotes the currently active master key.
**purge_mkeys** [**-f**] [**-n**] [**-v**]
- Delete master keys from the K/M principal that are not used to protect any principals.
- This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key.
+ Delete master keys from the *K/M* principal that are not used to protect any principals.
+ This command can be used to remove old master keys from a *K/M* principal once all principal keys are protected by a newer master key.
**-f**
does not prompt user.
*kprop* is used to propagate a Kerberos V5 database dump file from the master Kerberos server to a slave Kerberos server,
which is specfied by *slave_host*. This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel.
-The dump file must be created by *kdb5_util*, and is normally *KPROP_DEFAULT_FILE* (/usr/local/var/krb5kdc/slave_datatrans).
+The dump file must be created by :ref:`kdb5_util(8)`.
OPTIONS
-------------
**-r** *realm*
- Specifies the realm of the master server; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the realm of the master server.
**-f** *file*
Specifies the filename where the dumped principal database file is to be found; by default the dumped database file is
- *KPROP_DEFAULT_FILE* (normally /usr/local/var/krb5kdc/slave_datatrans).
+ normally /usr/local/var/krb5kdc/slave_datatrans.
**-P** *port*
Specifies the port to use to contact the :ref:`kpropd(8)` server on the remote host.
When the slave periodically requests incremental updates, *kpropd* updates its *principal.ulog* file with any updates from the master.
:ref:`kproplog(8)` can be used to view a summary of the update entry log on the slave KDC.
-Incremental propagation is not enabled by default; it can be enabled using the *iprop_enable* and *iprop_slave_poll* settings in :ref:`kdc.conf`).
-The principal "kiprop/slavehostname@REALM" (where "slavehostname" is the name of the slave KDC host,
+Incremental propagation is not enabled by default; it can be enabled using the *iprop_enable* and *iprop_slave_poll* settings in :ref:`kdc.conf`.
+The principal "kiprop/slavehostname\@REALM" (where "slavehostname" is the name of the slave KDC host,
and "REALM" is the name of the Kerberos realm) must be present in the slave's keytab file.
OPTIONS
--------
**-r** *realm*
- Specifies the realm of the master server; by default the realm returned by krb5_default_local_realm(3) is used.
+ Specifies the realm of the master server.
**-f** *file*
- Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file is *KPROPD_DEFAULT_FILE*
- (normally /usr/local/var/krb5kdc/from_master).
+ Specifies the filename where the dumped principal database file is to be stored; by default the dumped database file
+ /usr/local/var/krb5kdc/from_master.
**-p**
- Allows the user to specify the pathname to the :ref:`kdb5_util(8)` program; by default the pathname used is *KPROPD_DEFAULT_KDB5_UTIL*
- (normally /usr/local/sbin/kdb5_util).
+ Allows the user to specify the pathname to the :ref:`kdb5_util(8)` program; by default the pathname used is /usr/local/sbin/kdb5_util.
**-S**
Turn on standalone mode. Normally, *kpropd* is invoked out of inetd(8) so it expects a network connection to be passed to it from inetd(8).
- If the *-S* option is specified, *kpropd* will put itself into the background, and wait for connections to the *KPROP_SERVICE* port
- (normally *krb5_prop*).
+ If the *-S* option is specified, *kpropd* will put itself into the background,
+ and wait for connections to the *krb5_prop* port specified in /etc/services.
**-d**
Turn on debug mode. In this mode, if the *-S* option is selected, *kpropd* will not detach itself from the current job
Allow for an alternate port number for *kpropd* to listen on. This is only useful if the program is run in standalone mode.
**-a**
- Allows the user to specify the path to the *kpropd.acl* file; by default the path used is *KPROPD_ACL_FILE*
- (normally /usr/local/var/krb5kdc/kpropd.acl).
+ Allows the user to specify the path to the *kpropd.acl* file; by default the path used is /usr/local/var/krb5kdc/kpropd.acl.
FILES
---------
*kpropd.acl*
- Access file for *kpropd*; the default location is KPROPD_ACL_FILE (normally /usr/local/var/krb5kdc/kpropd.acl).
+ Access file for *kpropd*; the default location is /usr/local/var/krb5kdc/kpropd.acl.
Each entry is a line containing the principal of a host from which the local machine will allow Kerberos database propagation via :ref:`kprop(8)`.
SEE ALSO
SYNOPSIS
------------
-**kproplog** [**-h**] [**-e** *num*]
+**kproplog** [**-h**] [**-e** *num*] [-v]
DESCRIPTION
------------
The *kproplog* command displays the contents of the Kerberos principal update log to standard output.
It can be used to keep track of the incremental updates to the principal database, when enabled.
-The update log file contains the update log maintained by the kadmind process on the master KDC server and the kpropd process on the slave KDC servers.
+The update log file contains the update log maintained by the *kadmind* process on the master KDC server and the *kpropd* process on the slave KDC servers.
When updates occur, they are logged to this file.
-Subsequently any KDC slave configured for incremental updates will request the current data from the master KDC and update their principal.ulog file with any updates returned.
+Subsequently any KDC slave configured for incremental updates will request the current data from the master KDC and update their *principal.ulog* file with any updates returned.
The *kproplog* command can only be run on a KDC server by someone with privileges comparable to the superuser.
It will display update entries for that server only.
the number of updates in the log, the time stamp of the first and last update, and the version number of the first and last update entry.
**-e** *num*
- Display the last num update entries in the log. This is useful when debugging synchronization between KDC servers.
+ Display the last *num* update entries in the log. This is useful when debugging synchronization between KDC servers.
**-v**
Display individual attributes per update. An example of the output generated for one entry::
Specifies the password for the above mentioned binddn. It is recommended not to use this option. Instead, the password can be
stashed using the stashsrvpw command of kdb5_ldap_util.
-The **-r** *realm* option specifies the realm for which the server should provide service;
-by default the realm returned by krb5_default_local_realm(3) is used.
+The **-r** *realm* option specifies the realm for which the server should provide service.
-The **-d** *dbname* option specifies the name under which the principal database can be found;
-by default the database is in DEFAULT_DBM_FILE. This option does not apply to the LDAP database.
+The **-d** *dbname* option specifies the name under which the principal database can be found.
+This option does not apply to the LDAP database.
The **-k** *keytype* option specifies the key type of the master key to be entered manually as a password when **-m** is given;
the default is "des-cbc-crc".
-The **-M** *mkeyname* option specifies the principal name for the master key in the database;
-the default is KRB5_KDB_M_NAME (usually "K/M" in the KDC's realm).
-
-The **-p** *portnum* option specifies the default UDP port number which the KDC should listen on for Kerberos version 5 requests.
-This value is used when no port is specified in the KDC profile and when no port is specified in the Kerberos configuration file.
-If no value is available, then the value in */etc/services* for service "kerberos" is used.
+The **-M** *mkeyname* option specifies the principal name for the master key in the database (usually "K/M" in the KDC's realm).
The **-m** option specifies that the master database password should be fetched from the keyboard rather than from a file on disk.
The **-n** option specifies that the KDC does not put itself in the background and does not disassociate itself from the terminal.
In normal operation, you should always allow the KDC to place itself in the background.
+The **-P** *pid_file* option tells the KDC to write its PID (followed by a newline) into *pid_file* after it starts up.
+This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process.
+
+The **-p** *portnum* option specifies the default UDP port number which the KDC should listen on for Kerberos version 5 requests.
+This value is used when no port is specified in the KDC profile and when no port is specified in the Kerberos configuration file.
+If no value is available, then the value in */etc/services* for service "kerberos" is used.
+
The **-w** *numworkers* option tells the KDC to fork *numworkers* processes to listen to the KDC ports and process requests in parallel.
The top level KDC process (whose pid is recorded in the pid file if the **-P** option is also given) acts as a supervisor.
The supervisor will relay SIGHUP signals to the worker subprocesses, and will terminate the worker subprocess if the it is itself terminated or
.. note:: on operating systems which do not have *pktinfo* support, using worker processes will prevent the KDC from listening for UDP packets on network interfaces created after the KDC starts.
-The **-P** *pid_file* option tells the KDC to write its PID (followed by a newline) into *pid_file* after it starts up.
-This can be used to identify whether the KDC is still running and to allow init scripts to stop the correct process.
+
+EXAMPLE
The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm
specifies that the KDC listen on port 2001 for REALM1 and on port 2002 for REALM2 and REALM3.
Additionally, per-realm parameters may be specified in the :ref:`kdc.conf` file.
-The location of this file may be specified by the KRB5_KDC_PROFILE environment variable.
+The location of this file may be specified by the *KRB5_KDC_PROFILE* environment variable.
Parameters specified in this file take precedence over options specified on the command line.
-See the kdc.conf(5) description for further details.
+See the :ref:`kdc.conf` description for further details.
SEE ALSO
-----------
krb5(3), kdb5_util(8), kdc.conf(5), kdb5_ldap_util(8)
-BUGS
------------
-
-It should fork and go into the background when it finishes reading the master password from the terminal.
-
-
Aliases: **exit**, **q**
-EXAMPLE:
+EXAMPLE::
ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for alice@BLEEP.COM: