===========================
-SYNOPSYS
+SYNOPSIS
--------------
.. _kadmin_synopsys:
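Review bot: the label on the context line directly under the corrected heading, ``.. _kadmin_synopsys:``, still carries the old spelling, so the section title and its reference target now disagree. If the label is kept on purpose so that existing ``:ref:`` uses keep resolving, say so in the commit message; otherwise rename it (for example to ``_kadmin_synopsis``) and update every reference to it in the same change.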
maximum renewable life of tickets for the principal
**-kvno** *kvno*
- explicity set the key version number.
+ explicitly set the key version number.
**-policy** *policy*
policy used by this principal.
ERRORS::
- KADM5_AUTH_DELETE (reequires "delete" privilege)
+ KADM5_AUTH_DELETE (requires "delete" privilege)
KADM5_UNK_PRINC (principal does not exist)
.. _delete_principal_end:
If no expression is provided, all principal names are printed.
If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression.
- .. note:: Requires the *list* priviledge.
+ .. note:: Requires the *list* privilege.
Aliases::
All policy names matching the expression are printed.
If no expression is provided, all existing policy names are printed.
- .. note:: Requires the *list* priviledge.
+ .. note:: Requires the *list* privilege.
Alias::
HISTORY
-------------
-The *kadmin* prorgam was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.
+The *kadmin* program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.
SEE ALSO
-----------
This command starts the KADM5 administration server. If the database is db2, the administration server runs on the master Kerberos server,
-which stores the KDC prinicpal database and the KADM5 policy database. If the database is LDAP, the administration server and
+which stores the KDC principal database and the KADM5 policy database. If the database is LDAP, the administration server and
the KDC server need not run on the same machine. *kadmind* accepts remote requests to administer the information in these databases.
Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of *kadmind*.
*kadmind* requires a number of configuration files to be set up in order for it to work:
:ref:`kdc.conf`
- The KDC configuration file contains configuration informatin for the KDC and the KADM5 system. *kadmind* understands a number
- of variable settings in this file, some of whch are mandatory and some of which are optional.
+ The KDC configuration file contains configuration information for the KDC and the KADM5 system. *kadmind* understands a number
+ of variable settings in this file, some of which are mandatory and some of which are optional.
See the CONFIGURATION VALUES section below.
*keytab*
wildcarded using the asterisk ( \* ) character.
**operation-mask**
- Specifies what operations may or may not be peformed by a principal matching a particular entry. This is a string of one or
+ Specifies what operations may or may not be performed by a principal matching a particular entry. This is a string of one or
more of the following list of characters or their upper-case counterparts. If the character is upper-case, then the operation
is disallowed. If the character is lower-case, then the operation is permitted.
The key data in the database will not be changed.
**-rev**
- dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occured.
+ dumps in reverse order. This may recover principals that do not dump normally, in cases where database corruption has occurred.
**-recurse**
causes the dump to walk the database recursively (btree only). This may recover principals that do not dump normally,
- in cases where database corruption has occured.
+ in cases where database corruption has occurred.
In cases of such corruption, this option will probably retrieve more principals than the *-rev* option will.
.. _kdb5_util_dump_end:
-------------
*kprop* is used to propagate a Kerberos V5 database dump file from the master Kerberos server to a slave Kerberos server,
-which is specfied by *slave_host*. This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel.
+which is specified by *slave_host*. This is done by transmitting the dumped database file to the slave server over an encrypted, secure channel.
The dump file must be created by :ref:`kdb5_util(8)`.
OPTIONS
The KDC may service requests for multiple realms (maximum 32 realms).
The realms are listed on the command line. Per-realm options that can be specified on the command line pertain for each realm
-that follows it and are superceded by subsequent definitions of the same option.
+that follows it and are superseded by subsequent definitions of the same option.
For example::
krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
**host_based_services**
This relation lists the services that will get host-based referral processing even if the server principal is not marked as host-based by the client.
**kdc_max_dgram_reply_size**
- Specifes the maximum packet size that can be sent over UDP. The default value is 4096 bytes.
+ Specifies the maximum packet size that can be sent over UDP. The default value is 4096 bytes.
**kdc_ports**
This relation lists the ports on which the Kerberos server should listen for UDP requests by default. This list is a comma separated list of integers. If this relation is not specified, the compiled-in default is 88,750, the first being the assigned Kerberos port and the second which was used by Kerberos V4.
**kdc_tcp_ports**
**master_key_type**
(Key type string.) Specifies the master key's key type. The default value for this is des3-cbc-sha1. For a list of all possible values, see :ref:`Supported_Encryption_Types_and_Salts`.
**max_life**
- (Delta time string.) Specifes the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.
+ (Delta time string.) Specifies the maximum time period for which a ticket may be valid in this realm. The default value is 24 hours.
**max_renewable_life**
(Delta time string.) Specifies the maximum time period during which a valid ticket may be renewed in this realm. The default value is 0.
**no_host_referral**
*ksu* can be compiled with the following 4 flags (see the Imakefile):
**GET_TGT_VIA_PASSWD**
- In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring *ksu* with this macro is if the source user is loged in remotely and does not have a secure channel, the password may get exposed.
+ In case no appropriate tickets are found in the source cache, the user will be prompted for a Kerberos password. The password is then used to get a ticket granting ticket from the Kerberos server. The danger of configuring *ksu* with this macro is if the source user is logged in remotely and does not have a secure channel, the password may get exposed.
**PRINC_LOOK_AHEAD**
During the resolution of the default principal name, *PRINC_LOOK_AHEAD* enables *ksu* to find principal names in the *.k5users* file as described in the *OPTIONS* section (see *-n* option).
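Review bot: in the **GET_TGT_VIA_PASSWD** description the spelling is fixed, but the sentence "The danger of configuring *ksu* with this macro is if the source user is logged in remotely ..." still does not parse. Since the line is being rewritten anyway, consider "is that if the source user is logged in remotely and does not have a secure channel, the password may be exposed".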