1 .TH "KADMIN" "1" "January 06, 2012" "0.0.1" "MIT Kerberos"
3 kadmin \- Kerberos V5 database administration program
5 .nr rst2man-indent-level 0
9 level \\n[rst2man-indent-level]
10 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
17 .\" .rstReportMargin pre:
19 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
20 . nr rst2man-indent-level +1
21 .\" .rstReportMargin post:
25 .\" indent \\n[an-margin]
26 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
27 .nr rst2man-indent-level -1
28 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
29 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
31 .\" Man page generated from reStructuredText.
38 [ \fB\-O\fP | \fB\-N\fP ]
39 [\fB\-r\fP \fIrealm\fP]
40 [\fB\-p\fP \fIprincipal\fP]
41 [\fB\-q\fP \fIquery\fP]
42 [[\fB\-c\fP \fIcache_name\fP] | [\fB\-k\fP [\fB\-t\fP \fIkeytab\fP ]] | \fB\-n\fP]
43 [\fB\-w\fP \fIpassword\fP]
44 [\fB\-s\fP \fIadmin_server\fP [:\fIport\fP]]
48 [\fB\-r\fP \fIrealm\fP]
49 [\fB\-p\fP \fIprincipal\fP]
50 [\fB\-q\fP \fIquery\fP]
51 [\fB\-d\fP \fIdbname\fP]
52 [\fB\-e\fP "enc:salt ..."]
54 [\fB\-x\fP \fIdb_args\fP]
58 \fIkadmin\fP and \fIkadmin.local\fP are command\-line interfaces to the Kerberos V5 KADM5 administration system.
59 Both \fIkadmin\fP and \fIkadmin.local\fP provide identical functionalities;
60 the difference is that \fIkadmin.local\fP runs on the master KDC if the database is db2 and does not use Kerberos to authenticate to the database.
61 Except as explicitly noted otherwise, this man page will use \fIkadmin\fP to refer to both versions.
62 \fIkadmin\fP provides for the maintenance of Kerberos principals, KADM5 policies, and service key tables (keytabs).
64 The remote version uses Kerberos authentication and an encrypted RPC to operate securely from anywhere on the network.
65 It authenticates to the KADM5 server using the service principal \fIkadmin/admin\fP.
66 If the credentials cache contains a ticket for the \fIkadmin/admin\fP principal, and the \fI\-c\fP credentials_cache option is specified,
67 that ticket is used to authenticate to KADM5.
68 Otherwise, the \fI\-p\fP and \fI\-k\fP options are used to specify the client Kerberos principal name used to authenticate.
69 Once \fIkadmin\fP has determined the principal name, it requests a \fIkadmin/admin\fP Kerberos service ticket from the KDC,
70 and uses that service ticket to authenticate to KADM5.
72 If the database is db2, the local client \fIkadmin.local\fP is intended to run directly on the master KDC without Kerberos authentication.
73 The local version provides all of the functionality of the now obsolete kdb5_edit(8), except for database dump and load,
74 which is now provided by the \fIkdb5_util(8)\fP utility.
76 If the database is LDAP, \fIkadmin.local\fP need not be run on the KDC.
78 \fIkadmin.local\fP can be configured to log updates for incremental database propagation.
79 Incremental propagation allows slave KDC servers to receive principal and policy updates incrementally instead of receiving full dumps of the database.
80 This facility can be enabled in the \fIkdc.conf\fP file with the \fIiprop_enable\fP option.
81 See the \fIkdc.conf\fP documentation for other options for tuning incremental propagation parameters.
87 .B \fB\-r\fP \fIrealm\fP
89 Use \fIrealm\fP as the default database realm.
91 .B \fB\-p\fP \fIprincipal\fP
93 Use \fIprincipal\fP to authenticate. Otherwise, \fIkadmin\fP will append "/admin" to the primary principal name of the default ccache, the
94 value of the \fIUSER\fP environment variable, or the username as obtained with \fIgetpwuid\fP, in order of preference.
98 Use a \fIkeytab\fP to decrypt the KDC response instead of prompting for a password on the TTY. In this case, the default principal
99 will be \fIhost/hostname\fP. If no \fIkeytab\fP is specified with the \fB\-t\fP option, then the default \fIkeytab\fP will be used.
101 .B \fB\-t\fP \fIkeytab\fP
103 Use \fIkeytab\fP to decrypt the KDC response. This can only be used with the \fB\-k\fP option.
107 Requests anonymous processing. Two types of anonymous principals are supported.
108 For fully anonymous Kerberos, configure pkinit on the KDC and configure \fIpkinit_anchors\fP in the client\(aqs \fIkrb5.conf\fP.
109 Then use the \fI\-n\fP option with a principal of the form \fI@REALM\fP (an empty principal name followed by the at\-sign and a realm name).
110 If permitted by the KDC, an anonymous ticket will be returned.
111 A second form of anonymous tickets is supported; these realm\-exposed tickets hide the identity of the client but not the client\(aqs realm.
112 For this mode, use \fIkinit \-n\fP with a normal principal name.
113 If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal.
114 As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.
116 .B \fB\-c\fP \fIcredentials_cache\fP
118 Use \fIcredentials_cache\fP as the credentials cache. The \fIcredentials_cache\fP should contain a service ticket for the \fIkadmin/admin\fP service;
119 it can be acquired with the \fIkinit(1)\fP program. If this option is not specified, \fIkadmin\fP requests a new service ticket from
120 the KDC, and stores it in its own temporary ccache.
122 .B \fB\-w\fP \fIpassword\fP
124 Use \fIpassword\fP instead of prompting for one on the TTY.
127 Placing the password for a Kerberos principal with administration access into a shell script can be dangerous if
128 unauthorized users gain read access to the script.
131 .B \fB\-q\fP \fIquery\fP
133 Pass \fIquery\fP directly to \fIkadmin\fP, which will perform the query and then exit. This can be useful for writing scripts.
135 .B \fB\-d\fP \fIdbname\fP
137 Specifies the name of the Kerberos database. This option does not apply to the LDAP database.
139 .B \fB\-s\fP \fIadmin_server\fP [:port]
141 Specifies the admin server which \fIkadmin\fP should contact.
144 \fB\-m\fP Do not authenticate using a \fIkeytab\fP. This option will cause \fIkadmin\fP to prompt for the master database password.
147 .B \fB\-e\fP enc:salt_list
149 Sets the list of encryption types and salt types to be used for any new keys created.
152 \fB\-O\fP Force use of old AUTH_GSSAPI authentication flavor.
154 \fB\-N\fP Prevent fallback to AUTH_GSSAPI authentication flavor.
157 .B \fB\-x\fP \fIdb_args\fP
159 Specifies the database\-specific arguments.
161 Options supported for LDAP database are:
164 .B \fB\-x\fP host=<hostname>
166 specifies the LDAP server to connect to by an LDAP URI.
168 .B \fB\-x\fP binddn=<bind_dn>
170 specifies the DN of the object used by the administration server to bind to the LDAP server. This object should have the
171 read and write rights on the realm container, principal container and the subtree that is referenced by the realm.
173 .B \fB\-x\fP bindpwd=<bind_password>
175 specifies the password for the above\-mentioned binddn. It is recommended not to use this option.
176 Instead, the password can be stashed using the \fIstashsrvpw\fP command of \fIkdb5_ldap_util(8)\fP.
183 Many of the \fIkadmin\fP commands take a duration or time as an argument. The date can appear in a wide variety of formats, such as:
199 January 23, 1987 10:05pm
204 Dates which do not have the "ago" specifier default to being absolute dates, unless they appear in a field where a duration is expected.
205 In that case the time specifier will be interpreted as relative.
206 Specifying "ago" in a duration may result in unexpected behavior.
208 The following is a list of all of the allowable keywords.
216 january, jan, february, feb, march, mar, april, apr, may, june, jun, july, jul, august, aug, september, sep, sept, october, oct, november, nov, december, dec
222 sunday, sun, monday, mon, tuesday, tues, tue, wednesday, wednes, wed, thursday, thurs, thur, thu, friday, fri, saturday, sat
228 year, month, fortnight, week, day, hour, minute, min, second, sec
234 tomorrow, yesterday, today, now, last, this, next, first, second, third, fourth, fifth, sixth, seventh, eighth, ninth, tenth, eleventh, twelfth, ago
240 kadmin recognizes abbreviations for most of the world\(aqs time zones. A complete listing appears in kadmin Time Zones.
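The duration keywords listed above are what options such as \fIadd_policy \-maxlife "2 days"\fP or \fIadd_principal \-maxlife\fP take. The following is an added example, not kadmin's own date parser: it converts the plain "<number> <unit>" form (optionally repeated) into seconds using the unit keywords the page lists, and rejects "ago", since the page notes that "ago" inside a duration may behave unexpectedly. Excluding \fIyear\fP and \fImonth\fP, whose length depends on the calendar date, is this example's own choice; the function names \fIparse_duration\fP and \fIis_valid_duration\fP are hypothetical.

```python
"""Convert kadmin-style duration strings ("2 days", "1 week 3 hours") to seconds.

Added example, not part of MIT Kerberos. Only the fixed-length unit keywords
from the man page are handled; "year" and "month" are refused because their
length depends on the calendar date (an exclusion chosen here, not a rule
stated by the page), and "ago" is refused because the page warns that it may
behave unexpectedly inside a duration.
"""

UNIT_SECONDS = {
    "second": 1, "sec": 1,
    "minute": 60, "min": 60,
    "hour": 3600,
    "day": 86400,
    "week": 7 * 86400,
    "fortnight": 14 * 86400,
}
CALENDAR_UNITS = {"year", "month"}   # variable length; not converted here


def parse_duration(text: str) -> int:
    """Return the number of seconds in a duration such as "2 days" or "1 fortnight, 3 hours"."""
    tokens = text.lower().replace(",", " ").split()
    if not tokens:
        raise ValueError("empty duration")
    if "ago" in tokens:
        raise ValueError('"ago" is not meaningful in a duration; give a positive span such as "2 days"')
    if len(tokens) % 2:
        raise ValueError(f"expected <number> <unit> pairs, got {text!r}")
    total = 0
    for number, unit in zip(tokens[::2], tokens[1::2]):
        if not number.isdigit():
            raise ValueError(f"not a number: {number!r}")
        # accept plurals: "days" -> "day", "mins" -> "min", "years" -> "year"
        if unit.endswith("s") and (unit[:-1] in UNIT_SECONDS or unit[:-1] in CALENDAR_UNITS):
            unit = unit[:-1]
        if unit in CALENDAR_UNITS:
            raise ValueError(f"{unit!r} is calendar-dependent; express the span in days or weeks")
        if unit not in UNIT_SECONDS:
            raise ValueError(f"unknown unit: {unit!r}")
        total += int(number) * UNIT_SECONDS[unit]
    return total


def is_valid_duration(text: str) -> bool:
    """Convenience wrapper: True if parse_duration() accepts the string."""
    try:
        parse_duration(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for sample in ("2 days", "180 days", "1 fortnight, 3 hours 5 min", "2 days ago"):
        if is_valid_duration(sample):
            print(f"{sample!r:32} -> {parse_duration(sample)} seconds")
        else:
            print(f"{sample!r:32} -> rejected")
```

The seconds value is the same number that \fIget_policy \-terse\fP prints for the corresponding field, so the function is also useful for checking that a policy was created with the lifetime you intended.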
244 12\-hour Time Delimiters
256 .B \fBadd_principal\fP [options] \fInewprinc\fP
258 creates the principal \fInewprinc\fP, prompting twice for a password. If no policy is specified with the \fI\-policy\fP option,
259 and the policy named "default" exists, then that policy is assigned to the principal;
260 note that the assignment of the policy "default" only occurs automatically when a principal is first created,
261 so the policy "default" must already exist for the assignment to occur.
262 This assignment of "default" can be suppressed with the \fI\-clearpolicy\fP option.
267 This command requires the \fIadd\fP privilege.
283 .B \fB\-x\fP \fIdb_princ_args\fP
287 Denotes the database\-specific options.
289 The options for LDAP database are:
294 Specifies the LDAP object that will contain the Kerberos principal being created.
296 .B \fB\-x\fP linkdn=<dn>
298 Specifies the LDAP object to which the newly created Kerberos principal object will point.
300 .B \fB\-x\fP containerdn=<container_dn>
302 Specifies the container object under which the Kerberos principal is to be created.
304 .B \fB\-x\fP tktpolicy=<policy>
306 Associates a ticket policy to the Kerberos principal.
314 The \fIcontainerdn\fP and \fIlinkdn\fP options cannot be specified together with the \fIdn\fP option.
317 If neither the \fIdn\fP nor the \fIcontainerdn\fP option is specified while adding the principal, the principal is created under the principal container configured in the realm or the realm container.
320 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or principal container configured in the realm.
324 .B \fB\-expire\fP \fIexpdate\fP
326 expiration date of the principal
328 .B \fB\-pwexpire\fP \fIpwexpdate\fP
330 password expiration date
332 .B \fB\-maxlife\fP \fImaxlife\fP
334 maximum ticket life for the principal
336 .B \fB\-maxrenewlife\fP \fImaxrenewlife\fP
338 maximum renewable life of tickets for the principal
340 .B \fB\-kvno\fP \fIkvno\fP
342 explicitly set the key version number.
344 .B \fB\-policy\fP \fIpolicy\fP
346 policy used by this principal.
347 If no policy is supplied, then if the policy "default" exists and the \fI\-clearpolicy\fP is not also specified,
348 then the policy "default" is used;
349 otherwise, the principal will have no policy, and a warning message will be printed.
351 .B \fB\-clearpolicy\fP
353 \fI\-clearpolicy\fP prevents the policy "default" from being assigned when \fI\-policy\fP is not specified.
354 This option has no effect if the policy "default" does not exist.
356 .B {\- | +} \fBallow_postdated\fP
358 \fI\-allow_postdated\fP prohibits this principal from obtaining postdated tickets.
359 (Sets the \fIKRB5_KDB_DISALLOW_POSTDATED\fP flag.) \fI+allow_postdated\fP clears this flag.
361 .B {\- | +} \fBallow_forwardable\fP
363 \fI\-allow_forwardable\fP prohibits this principal from obtaining forwardable tickets.
364 (Sets the \fIKRB5_KDB_DISALLOW_FORWARDABLE\fP flag.)
365 \fI+allow_forwardable\fP clears this flag.
367 .B {\- | +} \fBallow_renewable\fP
369 \fI\-allow_renewable\fP prohibits this principal from obtaining renewable tickets.
370 (Sets the \fIKRB5_KDB_DISALLOW_RENEWABLE\fP flag.)
371 \fI+allow_renewable\fP clears this flag.
373 .B {\- | +} \fBallow_proxiable\fP
375 \fI\-allow_proxiable\fP prohibits this principal from obtaining proxiable tickets.
376 (Sets the \fIKRB5_KDB_DISALLOW_PROXIABLE\fP flag.)
377 \fI+allow_proxiable\fP clears this flag.
379 .B {\- | +} \fBallow_dup_skey\fP
381 \fI\-allow_dup_skey\fP disables user\-to\-user authentication for this principal by prohibiting this principal from obtaining a
382 session key for another user.
383 (Sets the \fIKRB5_KDB_DISALLOW_DUP_SKEY\fP flag.)
384 \fI+allow_dup_skey\fP clears this flag.
386 .B {\- | +} \fBrequires_preauth\fP
388 \fI+requires_preauth\fP requires this principal to preauthenticate before being allowed to kinit.
389 (Sets the \fIKRB5_KDB_REQUIRES_PRE_AUTH\fP flag.)
390 \fI\-requires_preauth\fP clears this flag.
392 .B {\- | +} \fBrequires_hwauth\fP
394 \fI+requires_hwauth\fP requires this principal to preauthenticate using a hardware device before being allowed to kinit.
395 (Sets the \fIKRB5_KDB_REQUIRES_HW_AUTH\fP flag.)
396 \fI\-requires_hwauth\fP clears this flag.
398 .B {\- | +} \fBok_as_delegate\fP
400 \fI+ok_as_delegate\fP sets the OK\-AS\-DELEGATE flag on tickets issued for use with this principal as the service,
401 which clients may use as a hint that credentials can and should be delegated when authenticating to the service.
402 (Sets the \fIKRB5_KDB_OK_AS_DELEGATE\fP flag.)
403 \fI\-ok_as_delegate\fP clears this flag.
405 .B {\- | +} \fBallow_svr\fP
407 \fI\-allow_svr\fP prohibits the issuance of service tickets for this principal.
408 (Sets the \fIKRB5_KDB_DISALLOW_SVR\fP flag.)
409 \fI+allow_svr\fP clears this flag.
411 .B {\- | +} \fBallow_tgs_req\fP
413 \fI\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS) request for a service ticket for this principal is not permitted.
414 This option is useless for most things.
415 \fI+allow_tgs_req\fP clears this flag.
416 The default is +allow_tgs_req.
417 In effect, \fI\-allow_tgs_req\fP sets the \fIKRB5_KDB_DISALLOW_TGT_BASED\fP flag on the principal in the database.
419 .B {\- | +} \fBallow_tix\fP
421 \fI\-allow_tix\fP forbids the issuance of any tickets for this principal.
422 \fI+allow_tix\fP clears this flag.
423 The default is \fI+allow_tix\fP. In effect, \fI\-allow_tix\fP sets the \fIKRB5_KDB_DISALLOW_ALL_TIX\fP flag on the principal in the database.
425 .B {\- | +} \fBneedchange\fP
427 \fI+needchange\fP sets a flag in the attributes field to force a password change;
428 \fI\-needchange\fP clears it.
429 The default is \fI\-needchange\fP.
430 In effect, \fI+needchange\fP sets the \fIKRB5_KDB_REQUIRES_PWCHANGE\fP flag on the principal in the database.
432 .B {\- | +} \fBpassword_changing_service\fP
434 \fI+password_changing_service\fP sets a flag in the attributes field marking this as a password change service principal
435 (useless for most things).
436 \fI\-password_changing_service\fP clears the flag. This flag intentionally has a long name.
437 The default is \fI\-password_changing_service\fP.
438 In effect, \fI+password_changing_service\fP sets the \fIKRB5_KDB_PWCHANGE_SERVICE\fP flag on the principal in the database.
442 sets the key of the principal to a random value
444 .B \fB\-pw\fP \fIpassword\fP
446 sets the key of the principal to the specified string and does not prompt for a password. Note: using this option in a
447 shell script can be dangerous if unauthorized users gain read access to the script.
449 .B \fB\-e\fP "enc:salt ..."
451 uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if
452 there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2.
459 kadmin: addprinc jennifer
460 WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
461 defaulting to no policy.
462 Enter password for principal jennifer@ATHENA.MIT.EDU: <= Type the password.
463 Re\-enter password for principal jennifer@ATHENA.MIT.EDU: <= Type it again.
464 Principal "jennifer@ATHENA.MIT.EDU" created.
473 KADM5_AUTH_ADD (requires "add" privilege)
474 KADM5_BAD_MASK (shouldn\(aqt happen)
475 KADM5_DUP (principal exists already)
476 KADM5_UNK_POLICY (policy does not exist)
477 KADM5_PASS_Q_* (password quality violations)
488 .B \fBmodify_principal\fP [options] \fIprincipal\fP
490 Modifies the specified principal, changing the fields as specified. The options are as above for \fIadd_principal\fP, except that
491 password changing and flags related to password changing are forbidden by this command.
492 In addition, the option \fI\-clearpolicy\fP will clear the current policy of a principal.
497 This command requires the \fImodify\fP privilege.
513 .B \fB\-x\fP \fIdb_princ_args\fP
515 Denotes the database\-specific options.
517 The options for LDAP database are:
520 .B \fB\-x\fP tktpolicy=<policy>
522 Associates a ticket policy to the Kerberos principal.
524 .B \fB\-x\fP linkdn=<dn>
526 Associates a Kerberos principal with an LDAP object. This option is honored only if the Kerberos principal is not
527 already associated with an LDAP object.
532 Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between
533 them according to its password policy) so that it can successfully authenticate.
540 KADM5_AUTH_MODIFY (requires "modify" privilege)
541 KADM5_UNK_PRINC (principal does not exist)
542 KADM5_UNK_POLICY (policy does not exist)
543 KADM5_BAD_MASK (shouldn\(aqt happen)
554 .B \fBdelete_principal\fP [ \fI\-force\fP ] \fIprincipal\fP
556 Deletes the specified \fIprincipal\fP from the database. This command prompts for deletion, unless the \fI\-force\fP option is given.
561 This command requires the \fIdelete\fP privilege.
578 KADM5_AUTH_DELETE (requires "delete" privilege)
579 KADM5_UNK_PRINC (principal does not exist)
590 .B \fBchange_password\fP [options] \fIprincipal\fP
592 Changes the password of \fIprincipal\fP. Prompts for a new password if neither \fI\-randkey\fP nor \fI\-pw\fP is specified.
597 Requires the \fIchangepw\fP privilege, or that the principal running the program be the same as the one being changed.
610 The following options are available:
615 Sets the key of the principal to a random value
617 .B \fB\-pw\fP \fIpassword\fP
619 Set the password to the specified string. Not recommended.
621 .B \fB\-e\fP "enc:salt ..."
623 Uses the specified list of enctype\-salttype pairs for setting the key of the principal. The quotes are necessary if
624 there are multiple enctype\-salttype pairs. This will not function against \fIkadmin\fP daemons earlier than krb5\-1.2.
625 See \fISupported_Encryption_Types_and_Salts\fP for possible values.
629 Keeps the previous kvno\(aqs keys around. This flag is usually not necessary except perhaps for TGS keys. Don\(aqt use this
630 flag unless you know what you\(aqre doing. This option is not supported for the LDAP database.
638 Enter password for principal systest@BLEEP.COM:
639 Re\-enter password for principal systest@BLEEP.COM:
640 Password for systest@BLEEP.COM changed.
649 KADM5_AUTH_MODIFY (requires the modify privilege)
650 KADM5_UNK_PRINC (principal does not exist)
651 KADM5_PASS_Q_* (password policy violation errors)
652 KADM5_PADD_REUSE (password is in principal\(aqs password
654 KADM5_PASS_TOOSOON (current password minimum life not
666 .B \fBpurgekeys\fP [\fI\-keepkvno oldest_kvno_to_keep\fP ] \fIprincipal\fP
668 Purges previously retained old keys (e.g., from \fIchange_password \-keepold\fP) from \fIprincipal\fP.
669 If \fB\-keepkvno\fP is specified, then only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP.
678 .B \fBget_principal\fP [\fI\-terse\fP] \fIprincipal\fP
680 Gets the attributes of principal.
681 With the \fB\-terse\fP option, outputs fields as quoted tab\-separated strings.
686 Requires the \fIinquire\fP privilege, or that the principal running the program be the same as the one being listed.
703 kadmin: getprinc tlyu/admin
704 Principal: tlyu/admin@BLEEP.COM
705 Expiration date: [never]
706 Last password change: Mon Aug 12 14:16:47 EDT 1996
707 Password expiration date: [none]
708 Maximum ticket life: 0 days 10:00:00
709 Maximum renewable life: 7 days 00:00:00
710 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
711 Last successful authentication: [never]
712 Last failed authentication: [never]
713 Failed password attempts: 0
715 Key: vno 1, DES cbc mode with CRC\-32, no salt
716 Key: vno 1, DES cbc mode with CRC\-32, Version 4
721 kadmin: getprinc \-terse systest
722 systest@BLEEP.COM 3 86400 604800 1
723 785926535 753241234 785900000
724 tlyu/admin@BLEEP.COM 786100034 0 0
733 KADM5_AUTH_GET (requires the get (inquire) privilege)
734 KADM5_UNK_PRINC (principal does not exist)
745 .B \fBlist_principals\fP [expression]
747 Retrieves all or some principal names.
748 Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs.
749 All principal names matching the expression are printed.
750 If no expression is provided, all principal names are printed.
751 If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression.
756 Requires the \fIlist\fP privilege.
765 listprincs get_principals get_princs
773 kadmin: listprincs test*
774 test3@SECURE\-TEST.OV.COM
775 test2@SECURE\-TEST.OV.COM
776 test1@SECURE\-TEST.OV.COM
777 testuser@SECURE\-TEST.OV.COM
789 .B \fBget_strings\fP \fIprincipal\fP
791 Displays string attributes on \fIprincipal\fP.
792 String attributes are used to supply per\-principal configuration to some KDC plugin modules.
809 .B \fBset_string\fP \fIprincipal\fP \fIkey\fP \fIvalue\fP
811 Sets a string attribute on \fIprincipal\fP.
828 .B \fBdel_string\fP \fIprincipal\fP \fIkey\fP
830 Deletes a string attribute from \fIprincipal\fP.
847 .B \fBadd_policy\fP [options] \fIpolicy\fP
849 Adds the named \fIpolicy\fP to the policy database.
854 Requires the \fIadd\fP privilege.
867 The following options are available:
870 .B \fB\-maxlife\fP \fItime\fP
872 sets the maximum lifetime of a password
874 .B \fB\-minlife\fP \fItime\fP
876 sets the minimum lifetime of a password
878 .B \fB\-minlength\fP \fIlength\fP
880 sets the minimum length of a password
882 .B \fB\-minclasses\fP \fInumber\fP
884 sets the minimum number of character classes allowed in a password
886 .B \fB\-history\fP \fInumber\fP
888 sets the number of past keys kept for a principal. This option is not supported for the LDAP database.
890 .B \fB\-maxfailure\fP \fImaxnumber\fP
892 sets the maximum number of authentication failures before the principal is locked.
893 Authentication failures are only tracked for principals which require preauthentication.
895 .B \fB\-failurecountinterval\fP \fIfailuretime\fP
897 sets the allowable time between authentication failures.
898 If an authentication failure happens after \fIfailuretime\fP has elapsed since the previous failure,
899 the number of authentication failures is reset to 1.
901 .B \fB\-lockoutduration\fP \fIlockouttime\fP
903 sets the duration for which the principal is locked from authenticating if too many authentication failures occur without
904 the specified failure count interval elapsing. A duration of 0 means forever.
911 kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
920 KADM5_AUTH_ADD (requires the add privilege)
921 KADM5_DUP (policy already exists)
932 .B \fBmodify_policy\fP [options] \fIpolicy\fP
934 modifies the named \fIpolicy\fP. Options are as above for \fIadd_policy\fP.
939 Requires the \fImodify\fP privilege.
956 KADM5_AUTH_MODIFY (requires the modify privilege)
957 KADM5_UNK_POLICY (policy does not exist)
968 .B \fBdelete_policy\fP [ \fI\-force\fP ] \fIpolicy\fP
970 deletes the named \fIpolicy\fP. Prompts for confirmation before deletion.
971 The command will fail if the policy is in use by any principals.
976 Requires the \fIdelete\fP privilege.
993 kadmin: del_policy guests
994 Are you sure you want to delete the policy "guests"?
1004 KADM5_AUTH_DELETE (requires the delete privilege)
1005 KADM5_UNK_POLICY (policy does not exist)
1006 KADM5_POLICY_REF (reference count on policy is not zero)
1017 .B \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
1019 displays the values of the named \fIpolicy\fP.
1020 With the \fB\-terse\fP flag, outputs the fields as quoted strings separated by tabs.
1025 Requires the \fIinquire\fP privilege.
1042 kadmin: get_policy admin
1044 Maximum password life: 180 days 00:00:00
1045 Minimum password life: 00:00:00
1046 Minimum password length: 6
1047 Minimum number of password character classes: 2
1048 Number of old keys kept: 5
1051 kadmin: get_policy \-terse admin
1052 admin 15552000 0 6 2 5 17
1057 The \fIReference count\fP is the number of principals using that policy.
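The \fB\-terse\fP form is meant for scripts, and the two listings above give enough to read it: lining them up, the columns are the policy name, maximum password life, minimum password life, minimum length, minimum number of character classes, number of old keys kept, and the reference count. The following is an added example, not part of kadmin, that parses such a line into a record, renders the lifetimes the way the non-terse listing does, and checks a candidate password against the parsed \fIminlength\fP and \fIminclasses\fP. The field order is inferred from the page's listings; the five character classes used (lower, upper, digit, punctuation, other) and the function names are assumptions.

```python
"""Parse `get_policy -terse` output and check a password against it.

Added example, not MIT Kerberos code. The column order is inferred from the
man page's two `get_policy admin` listings (15552000 seconds is the
"180 days" maximum password life, 17 is the reference count). Counting five
character classes (lower, upper, digit, punctuation, other) is an assumption.
"""
from dataclasses import dataclass
import string

# Constructed sample: the man page's own `get_policy -terse admin` line. The
# page says the fields are quoted strings separated by tabs, so the parser
# accepts both the quoted form and the whitespace-separated form shown.
SAMPLE_TERSE = "admin\t15552000\t0\t6\t2\t5\t17"


@dataclass
class Policy:
    name: str
    maxlife: int      # maximum password life in seconds
    minlife: int      # minimum password life in seconds
    minlength: int    # minimum password length
    minclasses: int   # minimum number of character classes
    history: int      # number of old keys kept
    refcount: int     # principals currently using the policy


def parse_terse_policy(line: str) -> Policy:
    """Turn one `get_policy -terse` line into a Policy record."""
    raw = line.rstrip("\n")
    fields = raw.split("\t") if "\t" in raw else raw.split()
    fields = [f.strip('"') for f in fields]   # tolerate the quoted form
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    name, *numbers = fields
    return Policy(name, *map(int, numbers))


def format_life(seconds: int) -> str:
    """Render a lifetime the way the get_policy listing does: "180 days 00:00:00", or "00:00:00" when under a day."""
    days, rest = divmod(seconds, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    clock = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days} days {clock}" if days else clock


def char_classes(password: str) -> int:
    """Number of distinct character classes present (assumed five-class model)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def check_password(policy: Policy, password: str) -> list:
    """Return the reasons the password would violate the policy's length and class rules (empty list = acceptable)."""
    problems = []
    if len(password) < policy.minlength:
        problems.append(f"shorter than minimum length {policy.minlength}")
    n = char_classes(password)
    if n < policy.minclasses:
        problems.append(f"only {n} character class(es); policy requires {policy.minclasses}")
    return problems


if __name__ == "__main__":
    pol = parse_terse_policy(SAMPLE_TERSE)
    print(f"Policy: {pol.name}")
    print(f"Maximum password life: {format_life(pol.maxlife)}")
    print(f"Minimum password life: {format_life(pol.minlife)}")
    print(f"Reference count: {pol.refcount}")
    for candidate in ("abc", "abcdef", "Abcdef"):
        print(f"{candidate!r}: {check_password(pol, candidate) or 'ok'}")
```

Only the length and class rules can be evaluated offline; the history and minimum-life rules need the principal's stored key history and last-change time, which is why the server reports those as KADM5_PASS_Q_* and KADM5_PASS_TOOSOON errors at change time rather than anything a client can pre-check.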
1063 KADM5_AUTH_GET (requires the get privilege)
1064 KADM5_UNK_POLICY (policy does not exist)
1075 .B \fBlist_policies\fP [expression]
1077 Retrieves all or some policy names. Expression is a shell\-style glob expression that can contain the wild\-card characters ?, *, and []\(aqs.
1078 All policy names matching the expression are printed.
1079 If no expression is provided, all existing policy names are printed.
1084 Requires the \fIlist\fP privilege.
1093 listpols, get_policies, getpols.
1121 .B \fBktadd\fP [[\fIprincipal\fP | \fB\-glob\fP \fIprinc\-exp\fP]
1123 Adds a \fIprincipal\fP or all principals matching \fIprinc\-exp\fP to a keytab file.
1124 It randomizes each principal\(aqs key in the process, to prevent a compromised admin account from reading out all of the keys from the database.
1125 The rules for principal expression are the same as for the \fIkadmin\fP \fI\%list_principals\fP command.
1130 Requires the \fIinquire\fP and \fIchangepw\fP privileges.
1132 If you use the \fI\-glob\fP option, it also requires the \fIlist\fP administrative privilege.
1140 .B \fB\-k[eytab]\fP \fIkeytab\fP
1142 Use \fIkeytab\fP as the keytab file. Otherwise, \fIktadd\fP will use the default keytab file (\fI/etc/krb5.keytab\fP).
1144 .B \fB\-e\fP \fI"enc:salt..."\fP
1146 Use the specified list of enctype\-salttype pairs for setting the key of the principal.
1147 The enctype\-salttype pairs may be delimited with commas or whitespace.
1148 The quotes are necessary for whitespace\-delimited list.
1149 If this option is not specified, then \fIsupported_enctypes\fP from \fIkrb5.conf\fP will be used.
1150 See \fISupported_Encryption_Types_and_Salts\fP for all possible values.
1154 Run in quiet mode. This causes \fIktadd\fP to display less verbose information.
1156 .B \fB\-norandkey\fP
1158 Do not randomize the keys. The keys and their version numbers stay unchanged.
1159 That allows users to continue to use the passwords they know to login normally,
1160 while simultaneously allowing scripts to login to the same account using a \fIkeytab\fP.
1161 There is no significant security risk added since \fIkadmin.local\fP must be run by root on the KDC anyway.
1162 This option is only available in \fIkadmin.local\fP and cannot be specified in combination with \fI\-e\fP option.
1166 An entry for each of the principal\(aqs unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.
1173 kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
1174 Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
1175 kvno 3, encryption type DES\-CBC\-CRC added to keytab
1176 WRFILE:/tmp/foo\-new\-keytab
1188 .B \fBktremove\fP \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
1190 Removes entries for the specified \fIprincipal\fP from a keytab. Requires no permissions, since this does not require database access.
1192 If the string "all" is specified, all entries for that principal are removed;
1193 if the string "old" is specified, all entries for that principal except those with the highest kvno are removed.
1194 Otherwise, the value specified is parsed as an integer, and all entries whose \fIkvno\fP match that integer are removed.
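The entry selection described for \fIktremove\fP, together with the \fIktadd\fP rule above that one entry is written per unique encryption type (keys that differ only in salt type are skipped), is shown in the following added example. It is not kadmin's code: it operates on a constructed in-memory list of entries rather than a real keytab file, and the entry layout (principal, kvno, enctype), the sample contents and the function names are assumptions.

```python
"""Which keytab entries ktadd writes and ktremove removes, following the
rules in the man page.

Added example, not MIT Kerberos code. A keytab is modelled as a list of
(principal, kvno, enctype) tuples; real keytab files carry more fields and
the sample contents below are constructed, not taken from the page.
"""
from collections import namedtuple

Entry = namedtuple("Entry", "principal kvno enctype")

# Constructed sample keytab contents.
SAMPLE_KEYTAB = [
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 2, "aes256-cts"),
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 3, "aes256-cts"),
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 3, "aes128-cts"),
    Entry("kadmin/admin@ATHENA.MIT.EDU", 3, "aes256-cts"),
]


def ktadd_entries(principal: str, kvno: int, db_keys) -> list:
    """Entries ktadd would write for a principal whose database keys are (enctype, salttype) pairs.

    One entry per unique encryption type; a second key with the same
    enctype but a different salt type is ignored, as the page states.
    """
    seen = set()
    out = []
    for enctype, _salttype in db_keys:
        if enctype in seen:
            continue
        seen.add(enctype)
        out.append(Entry(principal, kvno, enctype))
    return out


def select_for_removal(entries, principal: str, which: str = "all") -> list:
    """Entries ktremove would delete for `principal` given its third argument.

    "all": every entry for the principal.
    "old": every entry except those with the highest kvno.
    otherwise: the argument is parsed as an integer and entries with that kvno go.
    """
    mine = [e for e in entries if e.principal == principal]
    if which == "all":
        return mine
    if which == "old":
        if not mine:
            return []
        highest = max(e.kvno for e in mine)
        return [e for e in mine if e.kvno != highest]
    try:
        kvno = int(which)
    except ValueError:
        raise ValueError(f"kvno must be an integer, 'all' or 'old': {which!r}") from None
    return [e for e in mine if e.kvno == kvno]


def ktremove(entries, principal: str, which: str = "all"):
    """Return (remaining_entries, removed_entries) after a ktremove."""
    removed = select_for_removal(entries, principal, which)
    remaining = [e for e in entries if e not in removed]
    return remaining, removed


if __name__ == "__main__":
    host = "host/foo.mit.edu@ATHENA.MIT.EDU"
    # ktadd after a key rotation: the db holds two DES keys differing only in salt, plus one AES key
    for e in ktadd_entries(host, 4, [("des-cbc-crc", "normal"), ("des-cbc-crc", "v4"), ("aes256-cts", "normal")]):
        print(f"ktadd would write: {e.principal} kvno {e.kvno} {e.enctype}")
    for which in ("old", "3", "all"):
        remaining, removed = ktremove(SAMPLE_KEYTAB, host, which)
        print(f"ktremove {host} {which}: removes {len(removed)}, leaves {len(remaining)}")
```

The "old" rule is the one to reach for after a key rotation: it drops only superseded kvnos, so a service whose keytab still holds the previous key for in-flight tickets can be cleaned up once those tickets have expired without touching the current key.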
1199 .B \fB\-k[eytab]\fP \fIkeytab\fP
1201 Use keytab as the keytab file. Otherwise, \fIktremove\fP will use the default keytab file (\fI/etc/krb5.keytab\fP).
1205 Run in quiet mode. This causes \fIktremove\fP to display less verbose information.
1212 kadmin: ktremove \-k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all
1213 Entry for principal kadmin/admin with kvno 3 removed
1214 from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
1224 The first three files are specific to the db2 database.
1233 default name for Kerberos principal database
1239 KADM5 administrative database. (This would be "principal.kadm5", if you use the default database name.) Contains policy information.
1245 Lock file for the KADM5 administrative database. This file works backwards from most other lock files: \fIkadmin\fP will exit with an error if this file does not exist.
1251 File containing list of principals and their \fIkadmin\fP administrative privileges. See kadmind(8) for a description.
1257 \fIkeytab\fP file for \fIkadmin/admin\fP principal.
1263 file containing dictionary of strings explicitly disallowed as passwords.
1269 The \fIkadmin\fP program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program.
1272 kerberos(1), kpasswd(1), kadmind(8)
1277 .\" Generated by docutils manpage writer.