.. _date_format:
Many of the kadmin commands take a duration or time as an
-argument. The date can appear in a wide variety of formats, such as::
+argument. The date can appear in a wide variety of formats, such as:
+ ::
1 month ago
2 hours ago
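Review bot: the replacement form ` ::` is indented by one space (`+ ::`), which docutils parses as a one-line block quote holding the expanded literal-block marker, so the literal block that follows (`1 month ago` ...) is nested inside a block quote instead of sitting at paragraph level as the old `argument... such as::` produced. If that nesting is the intent (for example to get indented output from a man-page builder), the commit message should say so; if the goal is only to separate the marker from the sentence, use `::` flush with the preceding paragraph. In either case a blank line is required both before and after the standalone `::` line; without it docutils treats ` ::` as an unexpectedly indented continuation of the `such as:` paragraph and reports an error rather than starting a literal block, so please confirm the blank lines are present at every converted site, since this pattern repeats through the whole patch.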
multiple enctype-salttype pairs. This will not function against
kadmin daemons earlier than krb5-1.2.
-Example::
+Example:
+ ::
kadmin: addprinc jennifer
WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:
-Errors::
+Errors:
+ ::
KADM5_AUTH_ADD (requires "add" privilege)
KADM5_BAD_MASK (shouldn't happen)
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
-Errors::
+Errors:
+ ::
KADM5_AUTH_MODIFY (requires "modify" privilege)
KADM5_UNK_PRINC (principal does not exist)
Alias: **renprinc**
-Errors::
+Errors:
+ ::
KADM5_AUTH_ADD (requires "add" privilege)
KADM5_AUTH_DELETE (requires "delete" privilege)
Alias: **delprinc**
-Errors::
+Errors:
+ ::
KADM5_AUTH_DELETE (requires "delete" privilege)
KADM5_UNK_PRINC (principal does not exist)
you know what you're doing. This option is not supported for the
LDAP database.
-Example::
+Example:
+ ::
kadmin: cpw systest
Enter password for principal systest@BLEEP.COM:
Password for systest@BLEEP.COM changed.
kadmin:
-Errors::
+Errors:
+ ::
KADM5_AUTH_MODIFY (requires the modify privilege)
KADM5_UNK_PRINC (principal does not exist)
Alias: **getprinc**
-Examples::
+Examples:
+ ::
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
tlyu/admin@BLEEP.COM 786100034 0 0
kadmin:
-Errors::
+Errors:
+ ::
KADM5_AUTH_GET (requires the get (inquire) privilege)
KADM5_UNK_PRINC (principal does not exist)
Alias: **listprincs**, **get_principals**, **get_princs**
-Example::
+Example:
+ ::
kadmin: listprincs test*
test3@SECURE-TEST.OV.COM
without the specified failure count interval elapsing. A
duration of 0 means forever.
-Example::
+Example:
+ ::
kadmin: add_policy -maxlife "2 days" -minlength 5 guests
kadmin:
-Errors::
+Errors:
+ ::
KADM5_AUTH_ADD (requires the add privilege)
KADM5_DUP (policy already exists)
Alias: **modpol**
-Errors::
+Errors:
+ ::
KADM5_AUTH_MODIFY (requires the modify privilege)
KADM5_UNK_POLICY (policy does not exist)
Alias: **delpol**
-Example::
+Example:
+ ::
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
(yes/no): yes
kadmin:
-Errors::
+Errors:
+ ::
KADM5_AUTH_DELETE (requires the delete privilege)
KADM5_UNK_POLICY (policy does not exist)
Alias: getpol
-Examples::
+Examples:
+ ::
kadmin: get_policy admin
Policy: admin
The "Reference count" is the number of principals using that policy.
-Errors::
+Errors:
+ ::
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)
Aliases: **listpols**, **get_policies**, **getpols**.
-Examples::
+Examples:
+ ::
kadmin: listpols
test-pol
Alias: **getprivs**
-Example::
+Example:
+ ::
kadmin: get_privs
Principal joe/admin@ATHENA.MIT.EDU
ignoring multiple keys with the same encryption type but different
salt types.
-Example::
+Example:
+ ::
kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
Run in quiet mode. This causes ktremove to display less verbose
information.
-Example::
+Example:
+ ::
kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin all
Entry for principal kadmin/admin with kvno 3 removed
is disallowed. If the character is lower-case, then the operation
is permitted.
- ::
+ ::
a [Dis]allows the addition of principals or policies in the database.
d [Dis]allows the deletion of principals or policies in the database.
.. _kdb5_ldap_util_create_edir_end:
-Example::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create -subtrees o=org -sscope SUB -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
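Review bot: this hunk changes the label from `Example` to `EXAMPLE` as well as moving the `::`. That matches the `EXAMPLE` headings already used elsewhere in this file (the view and destroy examples further down keep `EXAMPLE`), so normalizing is reasonable, but it is a separate edit from the literal-block change and should be mentioned in the commit message; the kadmin sections in the same patch keep `Example:` in mixed case, so the two files end up with different conventions on purpose.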
.. _kdb5_ldap_util_modify_edir_end:
-Example::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify +requires_preauth -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
**-r** *realm*
Specifies the Kerberos realm of the database.
-EXAMPLE::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
**-r** *realm*
Specifies the Kerberos realm of the database.
-EXAMPLE::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Lists the name of realms.
-EXAMPLE::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list
Password for "cn=admin,o=org":
Specifies Distinguished Name (DN) of the service object whose
password is to be stored in file.
-EXAMPLE::
+EXAMPLE:
+ ::
kdb5_ldap_util stashsrvpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=service-kdc,o=org":
*policy_name*
Specifies the name of the ticket policy.
-EXAMPLE::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu create_policy -r ATHENA.MIT.EDU -maxtktlife "1 day" -maxrenewlife "1 week" -allow_postdated +needchange -allow_forwardable tktpolicy
Password for "cn=admin,o=org":
**-r** *realm*
Specifies the Kerberos realm of the database.
-Example::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu modify_policy -r ATHENA.MIT.EDU -maxtktlife "60 minutes" -maxrenewlife "10 hours" +allow_postdated -requires_preauth tktpolicy
Password for "cn=admin,o=org":
*policy_name*
Specifies the name of the ticket policy.
-EXAMPLE::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu view_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
*policy_name*
Specifies the name of the ticket policy.
-Example::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu destroy_policy -r ATHENA.MIT.EDU tktpolicy
Password for "cn=admin,o=org":
**-r** *realm*
Specifies the Kerberos realm of the database.
-Example::
+EXAMPLE:
+ ::
kdb5_ldap_util -D cn=admin,o=org -H ldaps://ldap-server1.mit.edu list_policy -r ATHENA.MIT.EDU
Password for "cn=admin,o=org":
Specifies Distinguished Name (DN) of the service object whose
password is to be set.
-Example::
+EXAMPLE:
+ ::
kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
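Review bot: the example command in this hunk repeats the subcommand: `kdb5_ldap_util setsrvpw -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org` names `setsrvpw` both before and after `-D`. The duplication is pre-existing, but since the hunk already touches this example, drop the first `setsrvpw` so the line reads `kdb5_ldap_util -D cn=admin,o=org setsrvpw -fileonly -f /home/andrew/conf_keyfile cn=service-kdc,o=org`, which follows the global-options-then-subcommand order used by the other examples in this file.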
Specifies Distinguished Name (DN) of the Kerberos service to be
created.
-Example::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org create_service -kdc -randpw -f /home/andrew/conf_keyfile cn=service-kdc,o=org
Password for "cn=admin,o=org":
Specifies Distinguished Name (DN) of the Kerberos service to be
modified.
-Example::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org modify_service -realm ATHENA.MIT.EDU cn=service-kdc,o=org
Password for "cn=admin,o=org":
Specifies Distinguished Name (DN) of the Kerberos service to be
viewed.
-Example::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org view_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
Specifies Distinguished Name (DN) of the Kerberos service to be
destroyed.
-EXAMPLE::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org destroy_service cn=service-kdc,o=org
Password for "cn=admin,o=org":
slapd.conf file will be used, where as in the case of eDirectory,
the default value for the base DN is Root.
-EXAMPLE::
+EXAMPLE:
+ ::
shell% kdb5_ldap_util -D cn=admin,o=org list_service
Password for "cn=admin,o=org":
file, the slave Kerberos server will have an up-to-date KDC database.
Normally, kpropd is invoked out of inetd(8). This is done by adding
-a line to the ``/etc/inetd.conf`` file which looks like this::
+a line to the ``/etc/inetd.conf`` file which looks like this:
+ ::
kprop stream tcp nowait root /usr/local/sbin/kpropd kpropd
**-v**
Display individual attributes per update. An example of the
- output generated for one entry::
+ output generated for one entry:
+ ::
Update Entry
Update serial # : 4
The realms are listed on the command line. Per-realm options that can
be specified on the command line pertain for each realm that follows
it and are superseded by subsequent definitions of the same option.
-For example::
+For example:
+ ::
krb5kdc -p 2001 -r REALM1 -p 2002 -r REALM2 -r REALM3
EXAMPLE
-------
-::
+ ::
ktutil: add_entry -password -p alice@BLEEP.COM -k 1 -e aes128-cts-hmac-sha1-96
Password for alice@BLEEP.COM:
The **-S** option allows for a different keytab than the default.
sserver is normally invoked out of inetd(8), using a line in
-``/etc/inetd.conf`` that looks like this::
+``/etc/inetd.conf`` that looks like this:
+ ::
sample stream tcp nowait root /usr/local/sbin/sserver sserver
Since ``sample`` is normally not a port defined in ``/etc/services``,
you will usually have to add a line to ``/etc/services`` which looks
-like this::
+like this:
+ ::
sample 13135/tcp
for the sample tcp port, and that the same port number is in both
files.
-When you run sclient you should see something like this::
+When you run sclient you should see something like this:
+ ::
sendauth succeeded, reply is:
reply len 32, contents:
COMMON ERROR MESSAGES
---------------------
-1) kinit returns the error::
+1) kinit returns the error:
+ ::
kinit: Client not found in Kerberos database while getting initial credentials
This means that you didn't create an entry for your username in the
Kerberos database.
-2) sclient returns the error::
+2) sclient returns the error:
+ ::
unknown service sample/tcp; check /etc/services
This means that you don't have an entry in /etc/services for the
sample tcp port.
-3) sclient returns the error::
+3) sclient returns the error:
+ ::
connect: Connection refused
This probably means you didn't edit /etc/inetd.conf correctly, or
you didn't restart inetd after editing inetd.conf.
-4) sclient returns the error::
+4) sclient returns the error:
+ ::
sclient: Server not found in Kerberos database while using sendauth
:ref:`kadmin(1)`, and a keytab file needs to be generated to make
the key for that service principal available for sclient.
-5) sclient returns the error::
+5) sclient returns the error:
+ ::
sendauth rejected, error reply is:
" No such file or directory"
to, a generic [kdcdefaults] specification. The search order
is:
-1. realm-specific subsection of [realms], ::
+1. realm-specific subsection of [realms],
+ ::
[realms]
EXAMPLE.COM = {
pkinit_anchors = FILE\:/usr/local/example.com.crt
}
-2. generic value in the [kdcdefaults] section. ::
+2. generic value in the [kdcdefaults] section.
+ ::
[kdcdefaults]
pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
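Review bot: in these two enumerated items the standalone ` ::` must be indented to the item's text column (three spaces after `1. ` / `2. `) to remain part of the list item; at a one-space indent docutils closes the list before the marker, and the `[realms]` and `[kdcdefaults]` blocks render as detached block quotes rather than as the literal example belonging to each search-order step. Please check the rendered output for both items, and keep the trailing `,` and `.` consistent between them (item 1 ends with a comma, item 2 with a period).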
Sample kdc.conf File
--------------------
-Here's an example of a kdc.conf file::
+Here's an example of a kdc.conf file:
+ ::
[kdcdefaults]
kdc_ports = 88
The krb5.conf file is set up in the style of a Windows INI file.
Sections are headed by the section name, in square brackets. Each
-section may contain zero or more relations, of the form::
+section may contain zero or more relations, of the form:
+ ::
foo = bar
-or::
+or
+ ::
fubar = {
foo = bar
configuration file nor any other configuration file will be checked
for any other values for this tag.
-For example, if you have the following lines::
+For example, if you have the following lines:
+ ::
foo = bar*
foo = baz
then the second value of ``foo`` (``baz``) would never be read.
The krb5.conf file can include other files using either of the
-following directives at the beginning of a line::
+following directives at the beginning of a line:
+ ::
include FILENAME
includedir DIRNAME
The krb5.conf file can specify that configuration should be obtained
from a loadable module, rather than the file itself, using the
following directive at the beginning of a line before any section
-headers::
+headers:
+ ::
module MODULEPATH:RESIDUAL
default realm, this rule is not applicable and the conversion
will fail.
- For example::
+ For example:
+ ::
[realms]
ATHENA.MIT.EDU = {
If no translation entry applies, the host's realm is considered to be
the hostname's domain portion converted to upper case. For example,
-the following [domain_realm] section::
+the following [domain_realm] section:
+ ::
[domain_realm]
crash.mit.edu = TEST.ATHENA.MIT.EDU
the console and to the system log under the facility LOG_DAEMON with
default severity of LOG_INFO; and the logging messages from the
administrative server will be appended to the file
-``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.::
+``/var/adm/kadmin.log`` and sent to the device ``/dev/tty04``.
+ ::
[logging]
kdc = CONSOLE
use the ``ES.NET`` realm as an intermediate realm. ``ANL`` has a sub
realm of ``TEST.ANL.GOV`` which will authenticate with ``NERSC.GOV``
but not ``PNL.GOV``. The [capaths] section for ``ANL.GOV`` systems
-would look like this::
+would look like this:
+ ::
[capaths]
ANL.GOV = {
}
The [capaths] section of the configuration file used on ``NERSC.GOV``
-systems would look like this::
+systems would look like this:
+ ::
[capaths]
NERSC.GOV = {
or an option that is used by some Kerberos V5 application[s]. The
value of the tag defines the default behaviors for that application.
-For example::
+For example:
+ ::
[appdefaults]
telnet = {
does not add to, a generic [libdefaults] specification. The
search order is:
-1. realm-specific subsection of [libdefaults] ::
+1. realm-specific subsection of [libdefaults] :
+ ::
[libdefaults]
EXAMPLE.COM = {
pkinit_anchors = FILE\:/usr/local/example.com.crt
}
-2. realm-specific value in the [realms] section, ::
+2. realm-specific value in the [realms] section,
+ ::
[realms]
OTHERREALM.ORG = {
pkinit_anchors = FILE\:/usr/local/otherrealm.org.crt
}
-3. generic value in the [libdefaults] section. ::
+3. generic value in the [libdefaults] section.
+ ::
[libdefaults]
pkinit_anchors = DIR\:/usr/local/generic_trusted_cas/
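Review bot: item 1 of this list now ends with a stray space before the colon (`realm-specific subsection of [libdefaults] :`), which renders as `[libdefaults] :`. Either remove the space or, better, end it with a comma as item 2 does and as item 1 of the equivalent kdc.conf list does, so the three search-order steps read as one sentence. The same list-indentation caveat applies here as for the kdc.conf list: the ` ::` marker needs the list item's indentation, or the `[libdefaults]` and `[realms]` literal blocks are split off from their steps.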
* digitalSignature
* keyEncipherment
- Examples::
+ Examples:
+ ::
pkinit_cert_match = ||<SUBJECT>.*DoE.*<SAN>.*@EXAMPLE.COM
pkinit_cert_match = &&<EKU>msScLogin,clientAuth<ISSUER>.*DoE.*
Sample krb5.conf file
---------------------
-Here is an example of a generic krb5.conf file::
+Here is an example of a generic krb5.conf file:
+ ::
[libdefaults]
default_realm = ATHENA.MIT.EDU
``alice@KRBTEST.COM`` if the server principal is within that realm,
the principal ``alice/root@EXAMPLE.COM`` if the server host is within
a servers subdomain, and the principal ``alice/mail@EXAMPLE.COM`` when
-accessing the IMAP service on ``mail.example.com``::
+accessing the IMAP service on ``mail.example.com``:
+ ::
alice@KRBTEST.COM realm=KRBTEST.COM
alice/root@EXAMPLE.COM host=*.servers.example.com
--------
Suppose the user ``alice`` had a .k5login file in her home directory
-containing the following line::
+containing the following line:
+ ::
bob@FOOBAR.ORG
Let us further suppose that ``alice`` is a system administrator.
Alice and the other system administrators would have their principals
-in root's .k5login file on each host::
+in root's .k5login file on each host:
+ ::
alice@BLEEP.COM
**-l** *lifetime*
requests a ticket with the lifetime lifetime. The
value for lifetime must be followed immediately by one
- of the following delimiters::
+ of the following delimiters:
+ ::
s seconds
m minutes
**-f**
Shows the flags present in the credentials, using the following
- abbreviations::
+ abbreviations:
+ ::
F Forwardable
f forwarded
PORTS
-----
-kpasswd looks first for::
+kpasswd looks first for
+ ::
kpasswd_server = host:port
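Review bot: this hunk drops the colon entirely (`kpasswd looks first for`), whereas the rest of the patch keeps a single `:` when the sentence introduces the literal block (`Example:`, `looks like this:`). Keep it as `kpasswd looks first for:` so the sentence still reads as introducing the `kpasswd_server = host:port` line.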
contains the name of a principal that is authorized to access the
account.
-For example::
+For example:
+ ::
jqpublic@USC.EDU
jqpublic/secure@USC.EDU
defined the source cache name is set to ``krb5cc_<source uid>``.
The target cache name is automatically set to ``krb5cc_<target
uid>.(gen_sym())``, where gen_sym generates a new number such that
- the resulting cache does not already exist. For example::
+ the resulting cache does not already exist. For example:
+ ::
krb5cc_1984.2
**-e** *command* [*args* ...]
ksu proceeds exactly the same as if it was invoked without the
**-e** option, except instead of executing the target shell, ksu
- executes the specified command Example of usage::
+ executes the specified command. Example of usage:
+ ::
ksu bob -e ls -lag
list of commands that the principal is authorized to execute. A
principal name followed by a ``*`` means that the user is
authorized to execute any command. Thus, in the following
- example::
+ example:
+ ::
jqpublic@USC.EDU ls mail /local/kerberos/klist
jqpublic/secure@USC.EDU *
thus all options intended for ksu must precede **-a**.
The **-a** option can be used to simulate the **-e** option if
- used as follows::
+ used as follows:
+ ::
-a -c [command [arguments]].
called to obtain the names of "legal shells". Note that the
target user's shell is obtained from the passwd file.
-Sample configuration::
+Sample configuration:
+ ::
KSU_OPTS = -DGET_TGT_VIA_PASSWD -DPRINC_LOOK_AHEAD -DCMD_PATH='"/bin /usr/ucb /local/bin"