:end-before: _list_principals_end:
+Changing passwords
+~~~~~~~~~~~~~~~~~~
+
+To change a principal's password use the :ref:`kadmin(1)`
+**change_password** command.
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _change_password:
+ :end-before: _change_password_end:
+
+.. note:: Password changes through kadmin are subject to the same
+ password policies as would apply to password changes through
+ :ref:`kpasswd(1)`.
+
+
+Policies
+--------
+
+A policy is a set of rules governing passwords. Policies can dictate
+minimum and maximum password lifetimes, minimum number of characters
+and character classes a password must contain, and the number of old
+passwords kept in the database.
+
+
+Adding, modifying and deleting policies
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+To add a new policy, use the :ref:`kadmin(1)` **add_policy** command.
+
+To modify attributes of a principal, use the kadmin **modify_policy**
+command.
+
+To delete a policy, use the kadmin **delete_policy** command.
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _add_policy:
+ :end-before: _add_policy_end:
+
+.. note:: The policies are created under **realm** container in the
+ LDAP database.
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _modify_policy:
+ :end-before: _modify_policy_end:
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _delete_policy:
+ :end-before: _delete_policy_end:
+
+.. note:: You must cancel the policy from *all* principals before
+ deleting it. The *delete_policy* command will fail if it is
+ in use by any principals.
+
+
+Retrieving policies
+~~~~~~~~~~~~~~~~~~~
+
+To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command.
+
+You can retrieve the list of policies with the kadmin
+**list_policies** command.
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _get_policy:
+ :end-before: _get_policy_end:
+
+.. include:: admin_commands/kadmin_local.rst
+ :start-after: _list_policies:
+ :end-before: _list_policies_end:
+
+
+Updating the history key
+~~~~~~~~~~~~~~~~~~~~~~~~
+
+If a policy specifies a number of old keys kept of two or more, the
+stored old keys are encrypted in a history key, which is found in the
+key data of the ``kadmin/history`` principal.
+
+Currently there is no support for proper rollover of the history key,
+but you can change the history key (for example, to use a better
+encryption type) at the cost of invalidating currently stored old
+keys. To change the history key, run::
+
+ kadmin: change_password -randkey kadmin/history
+
+This command will fail if you specify the **-keepold** flag. Only one
+new history key will be created, even if you specify multiple key/salt
+combinations.
+
+In the future, we plan to migrate towards encrypting old keys in the
+master key instead of the history key, and implementing proper
+rollover support for stored old keys.
+
+
.. _privileges:
Privileges
-~~~~~~~~~~
+----------
Administrative privileges for the Kerberos database are stored in the
file kadm5.acl.
Permissions
-###########
+~~~~~~~~~~~
The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions. The permissions are:
Restrictions
-############
+~~~~~~~~~~~~
The restrictions are a string of flags. Allowed restrictions are:
life of longer than 9 hours.
-Changing passwords
-~~~~~~~~~~~~~~~~~~
-
-To change a principal's password use the :ref:`kadmin(1)`
-**change_password** command.
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _change_password:
- :end-before: _change_password_end:
-
-.. note:: Password changes through kadmin are subject to the same
- password policies as would apply to password changes through
- :ref:`kpasswd(1)`.
-
-
-Policies
---------
-
-A policy is a set of rules governing passwords. Policies can dictate
-minimum and maximum password lifetimes, minimum number of characters
-and character classes a password must contain, and the number of old
-passwords kept in the database.
-
-
-Adding, modifying and deleting policies
-~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-To add a new policy, use the :ref:`kadmin(1)` **add_policy** command.
-
-To modify attributes of a principal, use the kadmin **modify_policy**
-command.
-
-To delete a policy, use the kadmin **delete_policy** command.
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _add_policy:
- :end-before: _add_policy_end:
-
-.. note:: The policies are created under **realm** container in the
- LDAP database.
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _modify_policy:
- :end-before: _modify_policy_end:
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _delete_policy:
- :end-before: _delete_policy_end:
-
-.. note:: You must cancel the policy from *all* principals before
- deleting it. The *delete_policy* command will fail if it is
- in use by any principals.
-
-
-Retrieving policies
-~~~~~~~~~~~~~~~~~~~
-
-To retrieve a policy, use the :ref:`kadmin(1)` **get_policy** command.
-
-You can retrieve the list of policies with the kadmin
-**list_policies** command.
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _get_policy:
- :end-before: _get_policy_end:
-
-.. include:: admin_commands/kadmin_local.rst
- :start-after: _list_policies:
- :end-before: _list_policies_end:
-
-
-Updating the history key
-~~~~~~~~~~~~~~~~~~~~~~~~
-
-If a policy specifies a number of old keys kept of two or more, the
-stored old keys are encrypted in a history key, which is found in the
-key data of the ``kadmin/history`` principal.
-
-Currently there is no support for proper rollover of the history key,
-but you can change the history key (for example, to use a better
-encryption type) at the cost of invalidating currently stored old
-keys. To change the history key, run::
-
- kadmin: change_password -randkey kadmin/history
-
-This command will fail if you specify the **-keepold** flag. Only one
-new history key will be created, even if you specify multiple key/salt
-combinations.
-
-In the future, we plan to migrate towards encrypting old keys in the
-master key instead of the history key, and implementing proper
-rollover support for stored old keys.
-
-
.. _db_operations:
Operations on the Kerberos database
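Review bot: in the relocated "Adding, modifying and deleting policies" text, the modify_policy paragraph still says "To modify attributes of a principal" although the command acts on a policy; the removed lines match the added lines exactly, so this is a pure move plus heading-level changes, and it is the right moment to correct that wording to "To modify attributes of a policy". Two smaller points in the same moved text: the LDAP note should read "under the **realm** container" and state that it applies only when the LDAP KDB backend is in use, and the history-key paragraph would be clearer if it spelled out the practical effect of "invalidating currently stored old keys", namely that password-history checks can no longer compare a new password against the old keys that were encrypted in the previous history key, so passwords set before the change can be reused. The heading promotions (Privileges to "-", Permissions and Restrictions to "~") are consistent with the levels used by the moved Policies section, and the underline lengths match their titles.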