kerberos(1), kpasswd(1), kadmind(8)
-BUGS
---------
-
-Command output needs to be cleaned up.
-
SYNOPSIS
---------------
+
+.. _kdb5_util_synopsys:
**kdb5_util**
[**-r** *realm*]
[**-m**]
*command* [*command_options*]
+.. _kdb5_util_synopsys_end:
+
DESCRIPTION
---------------
COMMAND-LINE OPTIONS
----------------------
+.. _kdb5_util_options:
+
**-r** *realm*
specifies the Kerberos realm of the database; by default the realm returned by krb5_default_local_realm(3) is used.
**-P** *password*
specifies the master database password. This option is not recommended.
+.. _kdb5_util_options_end:
+
COMMANDS
---------------
+.. _kdb5_util_create:
+
**create** [**-s**]
Creates a new database. If the *-s* option is specified, the stash file is also created. This command fails if the database already exists.
If the command is successful, the database is opened just as if it had already existed when the program was first run.
+.. _kdb5_util_create_end:
+
+.. _kdb5_util_destroy:
+
**destroy** [**-f**]
Destroys the database, first overwriting the disk sectors and then unlinking the files, after prompting the user for confirmation.
With the *-f* argument, does not prompt the user.
+.. _kdb5_util_destroy_end:
+
+.. _kdb5_util_stash:
+
**stash** [**-f** *keyfile*]
Stores the master principal's keys in a stash file. The *-f* argument can be used to override the *keyfile* specified at startup.
+.. _kdb5_util_stash_end:
+
+.. _kdb5_util_dump:
+
**dump** [**-old|-b6|-b7|-ov|-r13**] [**-verbose**] [**-mkey_convert**] [**-new_mkey_file** *mkey_file*] [**-rev**] [**-recurse**] [*filename* [*principals*...]]
Dumps the current Kerberos and KADM5 database into an ASCII file. By default, the database is dumped in current format, "*kdb5_util*
load_dump version 6". If filename is not specified, or is the string "-", the dump is sent to standard output. Options:
This was the dump format produced on releases prior to 1.2.2.
**-ov**
- causes the dump to be in ovsec_adm_export format.
+ causes the dump to be in *ovsec_adm_export* format.
**-r13**
causes the dump to be in the Kerberos 5 1.3 format ("*kdb5_util* load_dump version 5").
in cases where database corruption has occured.
In cases of such corruption, this option will probably retrieve more principals than the *-rev* option will.
+.. _kdb5_util_dump_end:
+
+.. _kdb5_util_load:
**load** [**-old|-b6|-b7|-ov|-r13**] [**-hash**] [**-verbose**] [**-update**] *filename dbname*
Loads a database dump from the named file into the named database.
causes the name of each principal and policy to be printed as it is dumped.
**-update**
- records from the dump file are added to or updated in the existing database;
- otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion.
+ records from the dump file are added to or updated in the existing database.
+ (This is useful in conjunction with an *ovsec_adm_export* format dump if you want to preserve per-principal policy information,
+ since the current default format does not contain this data.)
+ Otherwise, a new database is created containing only what is in the dump file and the old one destroyed upon successful completion.
*dbname* is required and overrides the value specified on the command line or the default.
+.. _kdb5_util_load_end:
+
**ark**
Adds a random key.
Delete master keys from the K/M principal that are not used to protect any principals.
This command can be used to remove old master keys from a K/M principal once all principal keys are protected by a newer master key.
- **-f**
- does not prompt user.
+ **-f**
+ does not prompt user.
- **-n**
- do a dry run, shows master keys that would be purged, does not actually purge any keys.
+ **-n**
+ do a dry run, shows master keys that would be purged, does not actually purge any keys.
- **-v**
- verbose output.
+ **-v**
+ verbose output.
**update_princ_encryption** [**-f**] [**-n**] [**-v**] [*princ-pattern*]
Update all principal records (or only those matching the princ-pattern glob pattern)
Creating and destroying a Kerberos database
===================================================
-If you need to create a new Kerberos database, use the *kdb5_util create* command. The syntax is::
+If you need to create a new Kerberos database, use the :ref:`kdb5_util(8)` **create** command.
- kdb5_util create [-s]
-
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_create:
+ :end-before: _kdb5_util_create_end:
+
+
+If you need to destroy the current Kerberos database, use the :ref:`kdb5_util(8)` **destroy** command.
-If you specify the -s option, kdb5_util will stash a copy of the master key in a stash file. (See :ref:`create_stash`) For example::
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_destroy:
+ :end-before: _kdb5_util_destroy_end:
+
+EXAMPLES::
shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU create -s
- kdb5_util: No such file or directory while setting active database to
- => '/usr/local/var/krb5kdc/principal'
- Initializing database '/usr/local/var/krb5kdc/principal' for
- => realm 'ATHENA.MIT.EDU',
+ kdb5_util: No such file or directory while setting active database to'/usr/local/var/krb5kdc/principal'
+ Initializing database '/usr/local/var/krb5kdc/principal' for realm 'ATHENA.MIT.EDU',
master key name 'K/M@ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
shell%
-If you need to destroy the current Kerberos database, use the *kdb5_util destroy* command. The syntax is::
-
- kdb5_util destroy [-f]
-
-
-The *destroy* command destroys the database, first overwriting the disk sectors and then unlinking the files. If you specify the *-f* option, *kdb5_util* will not prompt you for a confirmation before destroying the database.
-
-::
-
shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU destroy
- kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, are you sure
- (type yes to confirm)? <== yes
+ kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, are you sure (type yes to confirm)? <== yes
OK, deleting database '/usr/local/var/krb5kdc/principal'...
-
shell%
------------
.. _create_stash:
-Creating a Stash File
+Creating a stash file
============================
A stash file allows a KDC to authenticate itself to the database utilities, such as *kadmin, kadmind, krb5kdc*, and *kdb5_util*.
-To create a stash file, use the *kdb5_util stash* command. The syntax is::
+To create a stash file, use the :ref:`kdb5_util(8)` *stash* command.
+
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_stash:
+ :end-before: _kdb5_util_stash_end:
+
- kdb5_util stash [-f keyfile]
-
-For example::
+EXAMPLE::
shell% kdb5_util stash
kdb5_util: Cannot find/read stored master key while reading master key
shell%
-If you do not specify a stash file, *kdb5_util* will stash the key in the file specified in your *kdc.conf* file.
+If you do not specify a stash file, *kdb5_util* will stash the key in the file specified in your :ref:`kdc.conf` file.
Dumping a Kerberos database to a file
=============================================
-To dump a Kerberos database into a file, use the *kdb5_util dump* command on one of the KDCs. The syntax is:
+To dump a Kerberos database into a file, use the :ref:`kdb5_util(8)` **dump** command on one of the KDCs.
- kdb5_util dump [-old] [-b6] [-b7] [-ov]
- [-verbose] [-mkey_convert] [-new_mkey_file] [filename
- [principals...]]
-
-The kdb5_util dump command takes the following options
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_dump:
+ :end-before: _kdb5_util_dump_end:
+
-================= ============================================================
--old Causes the dump to be in the Kerberos 5 Beta 5 and earlier dump format ("kdb5_edit load_dump version 2.0").
--b6 Causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0").
--b7 Causes the dump to be in the Kerberos 5 Beta 7 format ("kdbt_edit load_dump version 4").
--ov Causes the dump to be in ovsec_adm_export format. Currently, the only way to preserve per-principal policy information is to use this in conjunction with a normal dump.
--verbose Causes the name of each principal and policy to be printed as it is dumped.
--mkey_convert Prompts for a new master password, and then dumps the database with all keys reencrypted in this new master key
--new_mkey_file Reads a new key from the default keytab and then dumps the database with all keys reencrypted in this new master key
-================= ============================================================
-For example::
+
+EXAMPLES::
shell% kdb5_util dump dumpfile
shell%
-
shell% kbd5_util dump -verbose dumpfile
kadmin/admin@ATHENA.MIT.EDU
shell%
-If you specify which principals to dump, you must use the full principal, as in the following example. (The line beginning with => is a continuation of the previous line.)::
+If you specify which principals to dump, you must use the full principal, as in the following example::
- shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU
- => kadmin/admin@ATHENA.MIT.EDU
+ shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU kadmin/admin@ATHENA.MIT.EDU
kadmin/admin@ATHENA.MIT.EDU
K/M@ATHENA.MIT.EDU
shell%
Restoring a Kerberos database from a dump file
================================================
-To restore a Kerberos database dump from a file, use the *kdb5_util load* command on one of the KDCs. The syntax is::
+To restore a Kerberos database dump from a file, use the :ref:`kdb5_util(8)` **load** command on one of the KDCs.
- kdb5_util load [-old] [-b6] [-b7] [-ov] [-verbose]
- [-update] [-hash] dumpfilename dbname [admin_dbname]
-
-
-The kdb5_util load command takes the following options
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_load:
+ :end-before: _kdb5_util_load_end:
-==================== ===========================================================
--old Requires the dump to be in the Kerberos 5 Beta 5 and earlier dump format ("kdb5_edit load_dump version 2.0").
--b6 Requires the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit load_dump version 3.0").
--b7 Requires the dump to be in the Kerberos 5 Beta 7 format ("kdb5_edit load_dump version 4").
--ov Requires the dump to be in ovsec_adm_export format.
--verbose Causes the name of each principal and policy to be printed as it is loaded.
--update Causes records from the dump file to be updated in or added to the existing database. This is useful in conjunction with an ovsec_adm_export format dump if you want to preserve per-principal policy information, since the current default format does not contain this data.
--hash Causes the database to be stored as a hash rather than a binary tree.
-==================== ===========================================================
-For example::
+EXAMPLES::
shell% kdb5_util load dumpfile principal
shell%
shell%
-If the database file exists, and the *-update* flag was not given, kdb5_util will overwrite the existing database.
+.. note:: If the database file exists, and the *-update* flag was not given, *kdb5_util* will overwrite the existing database.
------------
Operations on the Kerberos database
=============================================
-The *kdb5_util command* is the primary tool for administrating the Kerberos database. The syntax is::
+The :ref:`kdb5_util(8)` command is the primary tool for administrating the Kerberos database.
- kdb5_util command [kdb5_util_options] [command_options]
-
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_synopsys:
+ :end-before: _kdb5_util_synopsys_end:
-The *kdb5_util command* takes the following options, which **override the defaults** specified in the configuration files:
+**OPTIONS**
-========================== =============================================================
--r *realm* Specifies the the Kerberos realm of the database.
--d *database_name* Specifies the name under which the principal database is stored.
--k *master_key_type* Specifies the key type of the master key in the database.
--M *master_key_name* Specifies the principal name of the master key in the database.
--m Indicates that the master database password should be read from the TTY rather than fetched from a file on disk.
--sf *stash_file* Specifies the stash file of the master database password
--P *password* Specifies the master database password. MIT does not recommend using this option.
-========================== =============================================================
-
-|
+.. include:: ../../admin_commands/kdb5_util.rst
+ :start-after: _kdb5_util_options:
+ :end-before: _kdb5_util_options_end:
.. toctree::
:maxdepth: 1
-
db2file.rst
file2db.rst
create_stash.rst
create_destroy_db.rst
-
-
------------
Feedback: