kadmin
===========================
[[**-c** *cache_name*] | [**-k** [**-t** *keytab* ]] | **-n**]
[**-s** *admin_server* [:*port*]]
[**-e** "enc:salt ..."]
.. _kadmin_synopsys_end:
*kadmin* and *kadmin.local* are command-line interfaces to the Kerberos V5 KADM5 administration system.
Both *kadmin* and *kadmin.local* provide identical functionalities;
the difference is that *kadmin.local* runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database.
Except as explicitly noted otherwise, this man page will use *kadmin* to refer to both versions.
*kadmin* provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs).
The remote version uses Kerberos authentication and an encrypted RPC to operate securely from anywhere on the network.
It authenticates to the KADM5 server using the service principal *kadmin/admin*.
If the credentials cache contains a ticket for the *kadmin/admin* principal, and the *-c* credentials_cache option is specified,
that ticket is used to authenticate to KADM5.
Otherwise, the *-p* and *-k* options are used to specify the client Kerberos principal name used to authenticate.
Once *kadmin* has determined the principal name, it requests a *kadmin/admin* Kerberos service ticket from the KDC,
and uses that service ticket to authenticate to KADM5.
If the database is db2, the local client *kadmin.local* is intended to run directly on the master KDC without Kerberos authentication.
The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load,
which is now provided by the :ref:`kdb5_util(8)` utility.
If the database is LDAP, *kadmin.local* need not be run on the KDC.
*kadmin.local* can be configured to log updates for incremental database propagation.
Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database.
This facility can be enabled in the :ref:`kdc.conf` file with the *iprop_enable* option.
See the :ref:`kdc.conf` documentation for other options for tuning incremental propagation parameters.
**-r** *realm*
    Use *realm* as the default database realm.
**-p** *principal*
    Use *principal* to authenticate. Otherwise, *kadmin* will append "/admin" to the primary principal name of the default ccache, the
    value of the *USER* environment variable, or the username as obtained with *getpwuid*, in order of preference.
**-k**
    Use a *keytab* to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the default principal
    will be *host/hostname*. If there is no *keytab* specified with the **-t** option, then the default *keytab* will be used.
**-t** *keytab*
    Use *keytab* to decrypt the KDC response. This can only be used with the **-k** option.
**-n**
    Requests anonymous processing. Two types of anonymous principals are supported.
    For fully anonymous Kerberos, configure pkinit on the KDC and configure *pkinit_anchors* in the client's :ref:`krb5.conf`.
    Then use the *-n* option with a principal of the form *@REALM* (an empty principal name followed by the at-sign and a realm name).
    If permitted by the KDC, an anonymous ticket will be returned.
    A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm.
    For this mode, use *kinit -n* with a normal principal name.
    If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.
    As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.
**-c** *credentials_cache*
    Use *credentials_cache* as the credentials cache. The *credentials_cache* should contain a service ticket for the *kadmin/admin* service;
    it can be acquired with the :ref:`kinit(1)` program. If this option is not specified, *kadmin* requests a new service ticket from
    the KDC, and stores it in its own temporary ccache.
**-w** *password*
    Use *password* instead of prompting for one on the TTY.
.. note:: Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if
   unauthorized users gain read access to the script.
**-q** *query*
    Pass *query* directly to *kadmin*, which will perform the query and then exit. This can be useful for writing scripts.
**-d** *dbname*
    Specifies the name of the Kerberos database. This option does not apply to the LDAP database.
**-s** *admin_server* [:*port*]
    Specifies the admin server which *kadmin* should contact.
**-m** Do not authenticate using a *keytab*. This option will cause *kadmin* to prompt for the master database password.
**-e** "enc:salt ..."
    Sets the list of encryption types and salt types to be used for any new keys created.
**-O** Force use of old AUTH_GSSAPI authentication flavor.

**-N** Prevent fallback to AUTH_GSSAPI authentication flavor.
**-x** *db_args*
    Specifies the database specific arguments.

    Options supported for LDAP database are:

    **-x** host=<hostname>
        Specifies the LDAP server to connect to by an LDAP URI.

    **-x** binddn=<bind_dn>
        Specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have
        read and write rights on the realm container, principal container and the subtree that is referenced by the realm.

    **-x** bindpwd=<bind_password>
        Specifies the password for the above mentioned binddn. It is recommended not to use this option.
        Instead, the password can be stashed using the stashsrvpw command of :ref:`kdb5_ldap_util(8)`.
.. _kadmin_options_end:
Many of the *kadmin* commands take a duration or time as an argument. The date can appear in a wide variety of formats, such as::

    January 23, 1987 10:05pm
Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected.
In that case the time specifier will be interpreted as relative.
Specifying "ago" in a duration may result in unexpected behavior.
The following is a list of all of the allowable keywords.
========================== ============================================
Months                     january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec
Days                       sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat
Units                      year, month, fortnight, week, day, hour, minute, min, second, sec
Relative                   tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago
Time Zones                 kadmin recognizes abbreviations for most of the world's time zones. A complete listing appears in kadmin Time Zones.
12-hour Time Delimiters    am, pm
========================== ============================================
add_principal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**add_principal** [options] *newprinc*
    Creates the principal *newprinc*, prompting twice for a password. If no policy is specified with the *-policy* option,
    and the policy named "default" exists, then that policy is assigned to the principal;
    note that the assignment of the policy "default" only occurs automatically when a principal is first created,
    so the policy "default" must already exist for the assignment to occur.
    This assignment of "default" can be suppressed with the *-clearpolicy* option.

.. note:: This command requires the *add* privilege.
**-x** *db_princ_args*
    Denotes the database specific options.

    The options for LDAP database are:

    **-x** dn=<dn>
        Specifies the LDAP object that will contain the Kerberos principal being created.

    **-x** linkdn=<linkdn>
        Specifies the LDAP object to which the newly created Kerberos principal object will point.

    **-x** containerdn=<container_dn>
        Specifies the container object under which the Kerberos principal is to be created.

    **-x** tktpolicy=<policy>
        Associates a ticket policy to the Kerberos principal.

    - *containerdn* and *linkdn* options cannot be specified with the *dn* option.
    - If *dn* or *containerdn* options are not specified while adding the principal, the principals are created under the principal container configured in the realm or the realm container.
    - *dn* and *containerdn* should be within the subtrees or principal container configured in the realm.
**-expire** *expdate*
    Expiration date of the principal.

**-pwexpire** *pwexpdate*
    Password expiration date.

**-maxlife** *maxlife*
    Maximum ticket life for the principal.

**-maxrenewlife** *maxrenewlife*
    Maximum renewable life of tickets for the principal.
**-kvno** *kvno*
    Explicitly sets the key version number.
**-policy** *policy*
    Policy used by this principal.
    If no policy is supplied, then if the policy "default" exists and *-clearpolicy* is not also specified,
    then the policy "default" is used;
    otherwise, the principal will have no policy, and a warning message will be printed.
**-clearpolicy**
    *-clearpolicy* prevents the policy "default" from being assigned when *-policy* is not specified.
    This option has no effect if the policy "default" does not exist.
{- | +} **allow_postdated**
    *-allow_postdated* prohibits this principal from obtaining postdated tickets.
    (Sets the *KRB5_KDB_DISALLOW_POSTDATED* flag.) *+allow_postdated* clears this flag.

{- | +} **allow_forwardable**
    *-allow_forwardable* prohibits this principal from obtaining forwardable tickets.
    (Sets the *KRB5_KDB_DISALLOW_FORWARDABLE* flag.)
    *+allow_forwardable* clears this flag.

{- | +} **allow_renewable**
    *-allow_renewable* prohibits this principal from obtaining renewable tickets.
    (Sets the *KRB5_KDB_DISALLOW_RENEWABLE* flag.)
    *+allow_renewable* clears this flag.

{- | +} **allow_proxiable**
    *-allow_proxiable* prohibits this principal from obtaining proxiable tickets.
    (Sets the *KRB5_KDB_DISALLOW_PROXIABLE* flag.)
    *+allow_proxiable* clears this flag.

{- | +} **allow_dup_skey**
    *-allow_dup_skey* disables user-to-user authentication for this principal by prohibiting this principal from obtaining a
    session key for another user.
    (Sets the *KRB5_KDB_DISALLOW_DUP_SKEY* flag.)
    *+allow_dup_skey* clears this flag.

{- | +} **requires_preauth**
    *+requires_preauth* requires this principal to preauthenticate before being allowed to kinit.
    (Sets the *KRB5_KDB_REQUIRES_PRE_AUTH* flag.)
    *-requires_preauth* clears this flag.

{- | +} **requires_hwauth**
    *+requires_hwauth* requires this principal to preauthenticate using a hardware device before being allowed to kinit.
    (Sets the *KRB5_KDB_REQUIRES_HW_AUTH* flag.)
    *-requires_hwauth* clears this flag.

{- | +} **ok_as_delegate**
    *+ok_as_delegate* sets the OK-AS-DELEGATE flag on tickets issued for use with this principal as the service,
    which clients may use as a hint that credentials can and should be delegated when authenticating to the service.
    (Sets the *KRB5_KDB_OK_AS_DELEGATE* flag.)
    *-ok_as_delegate* clears this flag.

{- | +} **allow_svr**
    *-allow_svr* prohibits the issuance of service tickets for this principal.
    (Sets the *KRB5_KDB_DISALLOW_SVR* flag.)
    *+allow_svr* clears this flag.

{- | +} **allow_tgs_req**
    *-allow_tgs_req* specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted.
    This option is useless for most things.
    *+allow_tgs_req* clears this flag.
    The default is *+allow_tgs_req*.
    In effect, *-allow_tgs_req* sets the *KRB5_KDB_DISALLOW_TGT_BASED* flag on the principal in the database.

{- | +} **allow_tix**
    *-allow_tix* forbids the issuance of any tickets for this principal.
    *+allow_tix* clears this flag.
    The default is *+allow_tix*. In effect, *-allow_tix* sets the *KRB5_KDB_DISALLOW_ALL_TIX* flag on the principal in the database.

{- | +} **needchange**
    *+needchange* sets a flag in the attributes field to force a password change;
    *-needchange* clears it.
    The default is *-needchange*.
    In effect, *+needchange* sets the *KRB5_KDB_REQUIRES_PWCHANGE* flag on the principal in the database.

{- | +} **password_changing_service**
    *+password_changing_service* sets a flag in the attributes field marking this as a password change service principal
    (useless for most things).
    *-password_changing_service* clears the flag. This flag intentionally has a long name.
    The default is *-password_changing_service*.
    In effect, *+password_changing_service* sets the *KRB5_KDB_PWCHANGE_SERVICE* flag on the principal in the database.
**-randkey**
    Sets the key of the principal to a random value.
**-pw** *password*
    Sets the key of the principal to the specified string and does not prompt for a password. Note: using this option in a
    shell script can be dangerous if unauthorized users gain read access to the script.
**-e** "enc:salt ..."
    Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if
    there are multiple enctype-salttype pairs. This will not function against *kadmin* daemons earlier than krb5-1.2.
Example::

    kadmin: addprinc jennifer
    WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
    defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password.
    Re-enter password for principal jennifer@ATHENA.MIT.EDU: <= Type it again.
    Principal "jennifer@ATHENA.MIT.EDU" created.
Errors::

    KADM5_AUTH_ADD (requires "add" privilege)
    KADM5_BAD_MASK (shouldn't happen)
    KADM5_DUP (principal exists already)
    KADM5_UNK_POLICY (policy does not exist)
    KADM5_PASS_Q_* (password quality violations)
.. _add_principal_end:

.. _modify_principal:

modify_principal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**modify_principal** [options] *principal*
    Modifies the specified principal, changing the fields as specified. The options are as above for *add_principal*, except that
    password changing and flags related to password changing are forbidden by this command.
    In addition, the option *-clearpolicy* will clear the current policy of a principal.

.. note:: This command requires the *modify* privilege.
**-x** *db_princ_args*
    Denotes the database specific options.

    The options for LDAP database are:

    **-x** tktpolicy=<policy>
        Associates a ticket policy to the Kerberos principal.

    **-x** linkdn=<linkdn>
        Associates a Kerberos principal with an LDAP object. This option is honored only if the Kerberos principal is not
        already associated with an LDAP object.
**-unlock**
    Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between
    them according to its password policy) so that it can successfully authenticate.
Errors::

    KADM5_AUTH_MODIFY (requires "modify" privilege)
    KADM5_UNK_PRINC (principal does not exist)
    KADM5_UNK_POLICY (policy does not exist)
    KADM5_BAD_MASK (shouldn't happen)
.. _modify_principal_end:

.. _delete_principal:

delete_principal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**delete_principal** [ *-force* ] *principal*
    Deletes the specified *principal* from the database. This command prompts for deletion, unless the *-force* option is given.

.. note:: This command requires the *delete* privilege.
Errors::

    KADM5_AUTH_DELETE (requires "delete" privilege)
    KADM5_UNK_PRINC (principal does not exist)
.. _delete_principal_end:

change_password
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**change_password** [options] *principal*
    Changes the password of *principal*. Prompts for a new password if neither *-randkey* nor *-pw* is specified.

.. note:: Requires the *changepw* privilege, or that the principal running the program is the same as the one being changed.
The following options are available:
**-randkey**
    Sets the key of the principal to a random value.
**-pw** *password*
    Sets the password to the specified string. Not recommended.
**-e** "enc:salt ..."
    Uses the specified list of enctype-salttype pairs for setting the key of the principal. The quotes are necessary if
    there are multiple enctype-salttype pairs. This will not function against *kadmin* daemons earlier than krb5-1.2.
    See :ref:`Supported_Encryption_Types_and_Salts` for possible values.
**-keepold**
    Keeps the previous kvno's keys around. This flag is usually not necessary except perhaps for TGS keys. Don't use this
    flag unless you know what you're doing. This option is not supported for the LDAP database.
Example::

    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
Errors::

    KADM5_AUTH_MODIFY (requires the modify privilege)
    KADM5_UNK_PRINC (principal does not exist)
    KADM5_PASS_Q_* (password policy violation errors)
    KADM5_PASS_REUSE (password is in principal's password
    KADM5_PASS_TOOSOON (current password minimum life not
.. _change_password_end:

purgekeys
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**purgekeys** [*-keepkvno oldest_kvno_to_keep* ] *principal*
    Purges previously retained old keys (e.g., from *change_password -keepold*) from *principal*.
    If **-keepkvno** is specified, then only purges keys with kvnos lower than *oldest_kvno_to_keep*.
get_principal
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**get_principal** [*-terse*] *principal*
    Gets the attributes of *principal*.
    With the **-terse** option, outputs fields as quoted tab-separated strings.

.. note:: Requires the *inquire* privilege, or that the principal running the program is the same as the one being listed.
Examples::

    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [none]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Key: vno 1, DES cbc mode with CRC-32, no salt
    Key: vno 1, DES cbc mode with CRC-32, Version 4

    kadmin: getprinc -terse systest
    systest@BLEEP.COM 3 86400 604800 1
    785926535 753241234 785900000
    tlyu/admin@BLEEP.COM 786100034 0 0
Errors::

    KADM5_AUTH_GET (requires the get (inquire) privilege)
    KADM5_UNK_PRINC (principal does not exist)
.. _get_principal_end:

list_principals
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**list_principals** [expression]
    Retrieves all or some principal names.
    *expression* is a shell-style glob expression that can contain the wild-card characters ?, \*, and []'s.
    All principal names matching the expression are printed.
    If no expression is provided, all principal names are printed.
    If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression.

.. note:: Requires the *list* privilege.
listprincs get_principals get_princs
Example::

    kadmin: listprincs test*
    test3@SECURE-TEST.OV.COM
    test2@SECURE-TEST.OV.COM
    test1@SECURE-TEST.OV.COM
    testuser@SECURE-TEST.OV.COM
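The matching rule described above (shell-style glob; "@" plus the local realm appended when the expression has none), as an added Python example that is not part of the kadmin documentation or source. Python's fnmatch stands in for kadmin's own glob matcher, the principal list is constructed for the example, and the function names are this example's own:

```python
import fnmatch

# Constructed sample principal list (not taken from a real KDC).
SAMPLE_PRINCIPALS = [
    "test1@SECURE-TEST.OV.COM",
    "test2@SECURE-TEST.OV.COM",
    "test3@SECURE-TEST.OV.COM",
    "testuser@SECURE-TEST.OV.COM",
    "host/kdc.secure-test.ov.com@SECURE-TEST.OV.COM",
    "test1@OTHER.REALM",
]


def normalize_expression(expression, local_realm):
    """Apply the documented rule: an expression without an "@" gets
    "@" plus the local realm appended before matching."""
    if "@" not in expression:
        return expression + "@" + local_realm
    return expression


def list_principals(expression, principals, local_realm):
    """Return the principal names matching a shell-style glob
    (wildcards ?, * and [...]); with no expression, return them all.
    Stand-in for kadmin's matcher; fnmatch is this example's choice."""
    if not expression:
        return list(principals)
    pattern = normalize_expression(expression, local_realm)
    # fnmatchcase keeps the comparison case-sensitive, as principal
    # names are; fnmatch.fnmatch would fold case on some platforms.
    return [p for p in principals if fnmatch.fnmatchcase(p, pattern)]


if __name__ == "__main__":
    # "test*" only reaches the local realm; the OTHER.REALM entry is not listed.
    for name in list_principals("test*", SAMPLE_PRINCIPALS, "SECURE-TEST.OV.COM"):
        print(name)
```

Note that a bare "\*" is expanded to "\*@LOCAL.REALM", so it never lists principals of other realms held in the same database; to reach those the expression has to name the realm explicitly, for example "test1@\*".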
.. _list_principals_end:

get_strings
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**get_strings** *principal*
    Displays string attributes on *principal*.
    String attributes are used to supply per-principal configuration to some KDC plugin modules.
set_string
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**set_string** *principal* *key* *value*
    Sets a string attribute on *principal*.
del_string
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**del_string** *principal* *key*
    Deletes a string attribute from *principal*.
add_policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**add_policy** [options] *policy*
    Adds the named *policy* to the policy database.

.. note:: Requires the *add* privilege.

The following options are available:
**-maxlife time**
    Sets the maximum lifetime of a password.

**-minlife time**
    Sets the minimum lifetime of a password.

**-minlength length**
    Sets the minimum length of a password.

**-minclasses number**
    Sets the minimum number of character classes required in a password.

**-history number**
    Sets the number of past keys kept for a principal. This option is not supported for the LDAP database.

**-maxfailure maxnumber**
    Sets the maximum number of authentication failures before the principal is locked.
    Authentication failures are only tracked for principals which require preauthentication.

**-failurecountinterval failuretime**
    Sets the allowable time between authentication failures.
    If an authentication failure happens after *failuretime* has elapsed since the previous failure,
    the number of authentication failures is reset to 1.

**-lockoutduration lockouttime**
    Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without
    the specified failure count interval elapsing.
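A worked model of how the three lockout options interact, added here as a Python example; it is not kadmin or KDC code. The policy values and timestamps are constructed, the dataclass field names are this example's own, and the rule that a successful authentication clears the counter is an assumption of the model rather than something this page states. The administrative unlock mirrors what *modify_principal* describes for a locked principal:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """The three add_policy lockout options; intervals are in seconds.
    Field names are this example's own, not kadmin's."""
    maxfailure: int             # -maxfailure  (0 treated as "no limit", an assumption here)
    failurecountinterval: int   # -failurecountinterval
    lockoutduration: int        # -lockoutduration


@dataclass
class PrincipalState:
    """Per-principal counters a KDC would keep for a preauth-requiring
    principal (constructed for this example)."""
    fail_count: int = 0
    last_failure: Optional[int] = None   # time of the most recent failure
    locked_until: Optional[int] = None   # end of the current lockout, if any


def is_locked(state: PrincipalState, now: int) -> bool:
    return state.locked_until is not None and now < state.locked_until


def record_failure(policy: LockoutPolicy, state: PrincipalState, now: int) -> PrincipalState:
    """Account for one failed authentication at time `now`.

    - If failurecountinterval has elapsed since the previous failure, the
      count restarts at 1 (the documented reset rule).
    - Otherwise the count grows; reaching maxfailure locks the principal
      for lockoutduration seconds from now.
    """
    interval_elapsed = (
        state.last_failure is not None
        and now - state.last_failure >= policy.failurecountinterval
    )
    state.fail_count = 1 if interval_elapsed else state.fail_count + 1
    state.last_failure = now
    if policy.maxfailure and state.fail_count >= policy.maxfailure:
        state.locked_until = now + policy.lockoutduration
    return state


def record_success(state: PrincipalState) -> PrincipalState:
    """Assumed behaviour for this model only: a successful authentication
    clears the failure count (not stated on this page)."""
    state.fail_count = 0
    return state


def unlock(state: PrincipalState) -> PrincipalState:
    """Administrative unlock, as modify_principal describes it: the
    principal may authenticate again."""
    state.fail_count = 0
    state.locked_until = None
    return state


def simulate(policy: LockoutPolicy, failure_times: List[int]) -> List[Tuple[int, int, bool]]:
    """Replay failures at the given times; return (time, count, locked?)
    after each one, which makes the interval reset visible."""
    state = PrincipalState()
    trace = []
    for t in failure_times:
        record_failure(policy, state, t)
        trace.append((t, state.fail_count, is_locked(state, t)))
    return trace


if __name__ == "__main__":
    policy = LockoutPolicy(maxfailure=3, failurecountinterval=300, lockoutduration=600)
    print(simulate(policy, [0, 100, 200]))        # third failure locks the principal
    print(simulate(policy, [0, 400, 500, 600]))   # 400 s gap resets the count to 1
```

The second run shows why *-failurecountinterval* matters for detection as well as lockout: spaced-out failures never accumulate, so a low-and-slow guessing attempt will not trip *-maxfailure* and has to be caught from the KDC logs instead.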
Example::

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
Errors::

    KADM5_AUTH_ADD (requires the add privilege)
    KADM5_DUP (policy already exists)
modify_policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**modify_policy** [options] *policy*
    Modifies the named *policy*. Options are as above for *add_policy*.

.. note:: Requires the *modify* privilege.
Errors::

    KADM5_AUTH_MODIFY (requires the modify privilege)
    KADM5_UNK_POLICY (policy does not exist)
.. _modify_policy_end:

delete_policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**delete_policy** [ *-force* ] *policy*
    Deletes the named *policy*. Prompts for confirmation before deletion.
    The command will fail if the policy is in use by any principals.

.. note:: Requires the *delete* privilege.
Example::

    kadmin: del_policy guests
    Are you sure you want to delete the policy "guests"?
Errors::

    KADM5_AUTH_DELETE (requires the delete privilege)
    KADM5_UNK_POLICY (policy does not exist)
    KADM5_POLICY_REF (reference count on policy is not zero)
.. _delete_policy_end:

get_policy
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**get_policy** [ **-terse** ] *policy*
    Displays the values of the named *policy*.
    With the **-terse** flag, outputs the fields as quoted strings separated by tabs.

.. note:: Requires the *inquire* privilege.
Examples::

    kadmin: get_policy admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5

    kadmin: get_policy -terse admin
    admin 15552000 0 6 2 5 17

The *Reference count* is the number of principals using that policy.
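To make the terse line readable, the following added Python example (not part of kadmin) parses both listings into one structure and converts between the seconds of the terse form and the "N days HH:MM:SS" of the verbose form. The field order (name, maximum life, minimum life, minimum length, minimum classes, old keys kept, reference count) is inferred from the two listings above; the verbose sample is the one shown, with a "Policy:" line and a "Reference count:" line supplied from the terse values, and the field and function names are this example's own:

```python
from typing import NamedTuple


class Policy(NamedTuple):
    name: str
    max_life: int      # Maximum password life, seconds
    min_life: int      # Minimum password life, seconds
    min_length: int
    min_classes: int
    history_num: int   # Number of old keys kept
    refcount: int      # Reference count (principals using the policy)


# Verbose label -> Policy field.
VERBOSE_LABELS = {
    "Policy": "name",
    "Maximum password life": "max_life",
    "Minimum password life": "min_life",
    "Minimum password length": "min_length",
    "Minimum number of password character classes": "min_classes",
    "Number of old keys kept": "history_num",
    "Reference count": "refcount",
}


def format_duration(seconds: int) -> str:
    """Render seconds the way the verbose listing does: the day count is
    printed only when it is non-zero ("180 days 00:00:00" vs "00:00:00")."""
    days, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    hms = f"{h:02d}:{m:02d}:{s:02d}"
    return f"{days} days {hms}" if days else hms


def parse_duration(text: str) -> int:
    """Inverse of format_duration: '180 days 00:00:00' or '00:00:00' -> seconds."""
    days = 0
    parts = text.split()
    if len(parts) == 3 and parts[1] in ("day", "days"):
        days = int(parts[0])
        text = parts[2]
    h, m, s = (int(x) for x in text.split(":"))
    return days * 86400 + h * 3600 + m * 60 + s


def parse_terse_policy(line: str) -> Policy:
    """Parse one get_policy -terse line. Fields are tab-separated and may be
    quoted; splitting on any whitespace also accepts the space-separated form."""
    fields = [f.strip('"') for f in line.split()]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Policy(fields[0], *(int(f) for f in fields[1:]))


def parse_verbose_policy(text: str) -> Policy:
    """Parse the multi-line get_policy listing into the same structure."""
    values = {}
    for raw in text.strip().splitlines():
        label, _, value = raw.partition(":")   # first colon only; times contain colons
        field = VERBOSE_LABELS.get(label.strip())
        if field is None:
            continue   # tolerate lines this example does not model
        value = value.strip()
        if field == "name":
            values[field] = value
        elif field in ("max_life", "min_life"):
            values[field] = parse_duration(value)
        else:
            values[field] = int(value)
    return Policy(**values)


# Constructed samples: the listing on this page plus the two lines needed to
# carry the name and reference count, and the same policy in terse form.
SAMPLE_VERBOSE = """\
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
"""
SAMPLE_TERSE = "admin\t15552000\t0\t6\t2\t5\t17"

if __name__ == "__main__":
    terse = parse_terse_policy(SAMPLE_TERSE)
    print(terse)
    print(format_duration(terse.max_life))           # 180 days 00:00:00
    print(parse_verbose_policy(SAMPLE_VERBOSE) == terse)
```

When auditing policies with *kadmin -q* in a script, the terse form is the one to parse; the verbose labels are for people, and the duration formatter above shows why a maximum life read from the terse output must be divided by 86400 before it is compared against a rule expressed in days.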
Errors::

    KADM5_AUTH_GET (requires the get privilege)
    KADM5_UNK_POLICY (policy does not exist)
list_policies
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**list_policies** [expression]
    Retrieves all or some policy names. *expression* is a shell-style glob expression that can contain the wild-card characters ?, \*, and []'s.
    All policy names matching the expression are printed.
    If no expression is provided, all existing policy names are printed.

.. note:: Requires the *list* privilege.

listpols, get_policies, getpols.
.. _list_policies_end:

ktadd
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**ktadd** [[*principal* | **-glob** *princ-exp*]
    Adds a *principal* or all principals matching *princ-exp* to a keytab file.
    It randomizes each principal's key in the process, to prevent a compromised admin account from reading out all of the keys from the database.
    The rules for principal expression are the same as for the *kadmin* :ref:`list_principals` command.

.. note:: Requires the *inquire* and *changepw* privileges.
   If you use the *-glob* option, it also requires the *list* administrative privilege.
**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, *ktadd* will use the default keytab file (*/etc/krb5.keytab*).

**-e** *"enc:salt..."*
    Use the specified list of enctype-salttype pairs for setting the key of the principal.
    The enctype-salttype pairs may be delimited with commas or whitespace.
    The quotes are necessary for a whitespace-delimited list.
    If this option is not specified, then *supported_enctypes* from :ref:`krb5.conf` will be used.
    This will not function against kadmin daemons earlier than krb5-1.2.
    See :ref:`Supported_Encryption_Types_and_Salts` for all possible values.

**-q**
    Run in quiet mode. This causes *ktadd* to display less verbose information.

**-norandkey**
    Do not randomize the keys. The keys and their version numbers stay unchanged.
    That allows users to continue to use the passwords they know to log in normally,
    while simultaneously allowing scripts to log in to the same account using a *keytab*.
    There is no significant security risk added since *kadmin.local* must be run by root on the KDC anyway.
    This option is only available in *kadmin.local* and cannot be specified in combination with the *-e* option.

.. note:: An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.
Example::

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
    kvno 3, encryption type DES-CBC-CRC added to keytab
    WRFILE:/tmp/foo-new-keytab
ktremove
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
**ktremove** *principal* [*kvno* | *all* | *old*]
    Removes entries for the specified *principal* from a keytab. Requires no permissions, since this does not require database access.

    If the string "all" is specified, all entries for that principal are removed;
    if the string "old" is specified, all entries for that principal except those with the highest kvno are removed.
    Otherwise, the value specified is parsed as an integer, and all entries whose *kvno* match that integer are removed.
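The selection rule for the *kvno* argument ("all", "old", or an integer), as an added Python example that operates on an in-memory list rather than a real keytab file; it is not kadmin's code. The keytab contents, the realm and the enctype names are constructed, and the function names are this example's own:

```python
from typing import List, NamedTuple, Tuple, Union


class KeytabEntry(NamedTuple):
    principal: str
    kvno: int
    enctype: str


# Constructed keytab contents (not a real keytab): kadmin/admin holds keys at
# kvno 2 and 3, the latter with two enctypes, beside an unrelated host key.
SAMPLE_KEYTAB = [
    KeytabEntry("kadmin/admin@EXAMPLE.COM", 2, "aes256-cts"),
    KeytabEntry("kadmin/admin@EXAMPLE.COM", 3, "aes256-cts"),
    KeytabEntry("kadmin/admin@EXAMPLE.COM", 3, "aes128-cts"),
    KeytabEntry("host/kdc.example.com@EXAMPLE.COM", 3, "aes256-cts"),
]


def parse_spec(spec: str) -> Union[str, int]:
    """Interpret the kvno argument the way the text describes: the strings
    "all" and "old" are keywords, anything else must parse as an integer
    (so a typo raises ValueError instead of silently matching nothing)."""
    if spec in ("all", "old"):
        return spec
    return int(spec)


def select_entries(entries: List[KeytabEntry], principal: str, spec: str) -> List[KeytabEntry]:
    """Pick the entries the kvno argument designates for one principal."""
    what = parse_spec(spec)
    mine = [e for e in entries if e.principal == principal]
    if what == "all":
        return mine
    if what == "old":
        if not mine:
            return []
        newest = max(e.kvno for e in mine)
        # Every kvno below the highest goes; all enctypes at the highest kvno stay.
        return [e for e in mine if e.kvno != newest]
    return [e for e in mine if e.kvno == what]


def ktremove(entries: List[KeytabEntry], principal: str, spec: str) -> Tuple[List[KeytabEntry], List[KeytabEntry]]:
    """Return (remaining entries, removed entries), both in file order.
    Entries for other principals are never touched."""
    doomed = select_entries(entries, principal, spec)
    kept = [e for e in entries if e not in doomed]
    return kept, doomed


if __name__ == "__main__":
    kept, removed = ktremove(SAMPLE_KEYTAB, "kadmin/admin@EXAMPLE.COM", "old")
    for e in removed:
        print(f"removed {e.principal} kvno {e.kvno} ({e.enctype})")
    print(f"{len(kept)} entries remain")
```

"old" is the variant to reach for after a key rotation: it drops every superseded kvno while keeping all enctypes at the current one, so services that still hold tickets encrypted under the newest key keep working and the stale keys stop being available on the host.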
**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, *ktremove* will use the default keytab file (*/etc/krb5.keytab*).

**-q**
    Run in quiet mode. This causes *ktremove* to display less verbose information.
Example::

    kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed
    from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
.. note:: The first three files are specific to the db2 database.

====================== =================================================
principal.db           Default name for the Kerberos principal database.
<dbname>.kadm5         KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information.
<dbname>.kadm5.lock    Lock file for the KADM5 administrative database. This file works backwards from most other lock files. I.e., *kadmin* will exit with an error if this file does not exist.
kadm5.acl              File containing list of principals and their *kadmin* administrative privileges. See kadmind(8) for a description.
kadm5.keytab           *keytab* file for the *kadmin/admin* principal.
kadm5.dict             File containing a dictionary of strings explicitly disallowed as passwords.
====================== =================================================
The *kadmin* program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.
kerberos(1), kpasswd(1), kadmind(8)