|
jpayne@68
|
1 .\" Man page generated from reStructuredText.
|
|
jpayne@68
|
2 .
|
|
jpayne@68
|
3 .TH "KADMIN" "1" " " "1.20.1" "MIT Kerberos"
|
|
jpayne@68
|
4 .SH NAME
|
|
jpayne@68
|
5 kadmin \- Kerberos V5 database administration program
|
|
jpayne@68
|
6 .
|
|
jpayne@68
|
7 .nr rst2man-indent-level 0
|
|
jpayne@68
|
8 .
|
|
jpayne@68
|
9 .de1 rstReportMargin
|
|
jpayne@68
|
10 \\$1 \\n[an-margin]
|
|
jpayne@68
|
11 level \\n[rst2man-indent-level]
|
|
jpayne@68
|
12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
13 -
|
|
jpayne@68
|
14 \\n[rst2man-indent0]
|
|
jpayne@68
|
15 \\n[rst2man-indent1]
|
|
jpayne@68
|
16 \\n[rst2man-indent2]
|
|
jpayne@68
|
17 ..
|
|
jpayne@68
|
18 .de1 INDENT
|
|
jpayne@68
|
19 .\" .rstReportMargin pre:
|
|
jpayne@68
|
20 . RS \\$1
|
|
jpayne@68
|
21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
|
|
jpayne@68
|
22 . nr rst2man-indent-level +1
|
|
jpayne@68
|
23 .\" .rstReportMargin post:
|
|
jpayne@68
|
24 ..
|
|
jpayne@68
|
25 .de UNINDENT
|
|
jpayne@68
|
26 . RE
|
|
jpayne@68
|
27 .\" indent \\n[an-margin]
|
|
jpayne@68
|
28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
29 .nr rst2man-indent-level -1
|
|
jpayne@68
|
30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
|
|
jpayne@68
|
31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
|
|
jpayne@68
|
32 ..
|
|
jpayne@68
|
33 .SH SYNOPSIS
|
|
jpayne@68
|
34 .sp
|
|
jpayne@68
|
35 \fBkadmin\fP
|
|
jpayne@68
|
36 [\fB\-O\fP|\fB\-N\fP]
|
|
jpayne@68
|
37 [\fB\-r\fP \fIrealm\fP]
|
|
jpayne@68
|
38 [\fB\-p\fP \fIprincipal\fP]
|
|
jpayne@68
|
39 [\fB\-q\fP \fIquery\fP]
|
|
jpayne@68
|
40 [[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
|
|
jpayne@68
|
41 [\fB\-w\fP \fIpassword\fP]
|
|
jpayne@68
|
42 [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
|
|
jpayne@68
|
43 [command args...]
|
|
jpayne@68
|
44 .sp
|
|
jpayne@68
|
45 \fBkadmin.local\fP
|
|
jpayne@68
|
46 [\fB\-r\fP \fIrealm\fP]
|
|
jpayne@68
|
47 [\fB\-p\fP \fIprincipal\fP]
|
|
jpayne@68
|
48 [\fB\-q\fP \fIquery\fP]
|
|
jpayne@68
|
49 [\fB\-d\fP \fIdbname\fP]
|
|
jpayne@68
|
50 [\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
|
|
jpayne@68
|
51 [\fB\-m\fP]
|
|
jpayne@68
|
52 [\fB\-x\fP \fIdb_args\fP]
|
|
jpayne@68
|
53 [command args...]
|
|
jpayne@68
|
54 .SH DESCRIPTION
|
|
jpayne@68
|
55 .sp
|
|
jpayne@68
|
56 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
|
|
jpayne@68
|
57 administration system. They provide nearly identical functionalities;
|
|
jpayne@68
|
58 the difference is that kadmin.local directly accesses the KDC
|
|
jpayne@68
|
59 database, while kadmin performs operations using kadmind(8)\&.
|
|
jpayne@68
|
60 Except as explicitly noted otherwise, this man page will use "kadmin"
|
|
jpayne@68
|
61 to refer to both versions. kadmin provides for the maintenance of
|
|
jpayne@68
|
62 Kerberos principals, password policies, and service key tables
|
|
jpayne@68
|
63 (keytabs).
|
|
jpayne@68
|
64 .sp
|
|
jpayne@68
|
65 The remote kadmin client uses Kerberos to authenticate to kadmind
|
|
jpayne@68
|
66 using the service principal \fBkadmin/admin\fP or \fBkadmin/ADMINHOST\fP
|
|
jpayne@68
|
67 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
|
|
jpayne@68
|
68 server). If the credentials cache contains a ticket for one of these
|
|
jpayne@68
|
69 principals, and the \fB\-c\fP credentials_cache option is specified, that
|
|
jpayne@68
|
70 ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
|
|
jpayne@68
|
71 \fB\-k\fP options are used to specify the client Kerberos principal name
|
|
jpayne@68
|
72 used to authenticate. Once kadmin has determined the principal name,
|
|
jpayne@68
|
73 it requests a service ticket from the KDC, and uses that service
|
|
jpayne@68
|
74 ticket to authenticate to kadmind.
|
|
jpayne@68
|
75 .sp
|
|
jpayne@68
|
76 Since kadmin.local directly accesses the KDC database, it usually must
|
|
jpayne@68
|
77 be run directly on the primary KDC with sufficient permissions to read
|
|
jpayne@68
|
78 the KDC database. If the KDC database uses the LDAP database module,
|
|
jpayne@68
|
79 kadmin.local can be run on any host which can access the LDAP server.
|
|
jpayne@68
|
80 .SH OPTIONS
|
|
jpayne@68
|
81 .INDENT 0.0
|
|
jpayne@68
|
82 .TP
|
|
jpayne@68
|
83 \fB\-r\fP \fIrealm\fP
|
|
jpayne@68
|
84 Use \fIrealm\fP as the default database realm.
|
|
jpayne@68
|
85 .TP
|
|
jpayne@68
|
86 \fB\-p\fP \fIprincipal\fP
|
|
jpayne@68
|
87 Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
|
|
jpayne@68
|
88 \fB/admin\fP to the primary principal name of the default ccache,
|
|
jpayne@68
|
89 the value of the \fBUSER\fP environment variable, or the username as
|
|
jpayne@68
|
90 obtained with getpwuid, in order of preference.
|
|
jpayne@68
|
91 .TP
|
|
jpayne@68
|
92 \fB\-k\fP
|
|
jpayne@68
|
93 Use a keytab to decrypt the KDC response instead of prompting for
|
|
jpayne@68
|
94 a password. In this case, the default principal will be
|
|
jpayne@68
|
95 \fBhost/hostname\fP\&. If there is no keytab specified with the
|
|
jpayne@68
|
96 \fB\-t\fP option, then the default keytab will be used.
|
|
jpayne@68
|
97 .TP
|
|
jpayne@68
|
98 \fB\-t\fP \fIkeytab\fP
|
|
jpayne@68
|
99 Use \fIkeytab\fP to decrypt the KDC response. This can only be used
|
|
jpayne@68
|
100 with the \fB\-k\fP option.
|
|
jpayne@68
|
101 .TP
|
|
jpayne@68
|
102 \fB\-n\fP
|
|
jpayne@68
|
103 Requests anonymous processing. Two types of anonymous principals
|
|
jpayne@68
|
104 are supported. For fully anonymous Kerberos, configure PKINIT on
|
|
jpayne@68
|
105 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
|
|
jpayne@68
|
106 krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
|
|
jpayne@68
|
107 of the form \fB@REALM\fP (an empty principal name followed by the
|
|
jpayne@68
|
108 at\-sign and a realm name). If permitted by the KDC, an anonymous
|
|
jpayne@68
|
109 ticket will be returned. A second form of anonymous tickets is
|
|
jpayne@68
|
110 supported; these realm\-exposed tickets hide the identity of the
|
|
jpayne@68
|
111 client but not the client\(aqs realm. For this mode, use \fBkinit
|
|
jpayne@68
|
112 \-n\fP with a normal principal name. If supported by the KDC, the
|
|
jpayne@68
|
113 principal (but not realm) will be replaced by the anonymous
|
|
jpayne@68
|
114 principal. As of release 1.8, the MIT Kerberos KDC only supports
|
|
jpayne@68
|
115 fully anonymous operation.
|
|
jpayne@68
|
116 .TP
|
|
jpayne@68
|
117 \fB\-c\fP \fIcredentials_cache\fP
|
|
jpayne@68
|
118 Use \fIcredentials_cache\fP as the credentials cache. The cache
|
|
jpayne@68
|
119 should contain a service ticket for the \fBkadmin/admin\fP or
|
|
jpayne@68
|
120 \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
|
|
jpayne@68
|
121 hostname of the admin server) service; it can be acquired with the
|
|
jpayne@68
|
122 kinit(1) program. If this option is not specified, kadmin
|
|
jpayne@68
|
123 requests a new service ticket from the KDC, and stores it in its
|
|
jpayne@68
|
124 own temporary ccache.
|
|
jpayne@68
|
125 .TP
|
|
jpayne@68
|
126 \fB\-w\fP \fIpassword\fP
|
|
jpayne@68
|
127 Use \fIpassword\fP instead of prompting for one. Use this option with
|
|
jpayne@68
|
128 care, as it may expose the password to other users on the system
|
|
jpayne@68
|
129 via the process list.
|
|
jpayne@68
|
130 .TP
|
|
jpayne@68
|
131 \fB\-q\fP \fIquery\fP
|
|
jpayne@68
|
132 Perform the specified query and then exit.
|
|
jpayne@68
|
133 .TP
|
|
jpayne@68
|
134 \fB\-d\fP \fIdbname\fP
|
|
jpayne@68
|
135 Specifies the name of the KDC database. This option does not
|
|
jpayne@68
|
136 apply to the LDAP database module.
|
|
jpayne@68
|
137 .TP
|
|
jpayne@68
|
138 \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
|
|
jpayne@68
|
139 Specifies the admin server which kadmin should contact.
|
|
jpayne@68
|
140 .TP
|
|
jpayne@68
|
141 \fB\-m\fP
|
|
jpayne@68
|
142 If using kadmin.local, prompt for the database master password
|
|
jpayne@68
|
143 instead of reading it from a stash file.
|
|
jpayne@68
|
144 .TP
|
|
jpayne@68
|
145 \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
|
|
jpayne@68
|
146 Sets the keysalt list to be used for any new keys created. See
|
|
jpayne@68
|
147 Keysalt_lists in kdc.conf(5) for a list of possible
|
|
jpayne@68
|
148 values.
|
|
jpayne@68
|
149 .TP
|
|
jpayne@68
|
150 \fB\-O\fP
|
|
jpayne@68
|
151 Force use of old AUTH_GSSAPI authentication flavor.
|
|
jpayne@68
|
152 .TP
|
|
jpayne@68
|
153 \fB\-N\fP
|
|
jpayne@68
|
154 Prevent fallback to AUTH_GSSAPI authentication flavor.
|
|
jpayne@68
|
155 .TP
|
|
jpayne@68
|
156 \fB\-x\fP \fIdb_args\fP
|
|
jpayne@68
|
157 Specifies the database specific arguments. See the next section
|
|
jpayne@68
|
158 for supported options.
|
|
jpayne@68
|
159 .UNINDENT
|
|
jpayne@68
|
160 .sp
|
|
jpayne@68
|
161 Starting with release 1.14, if any command\-line arguments remain after
|
|
jpayne@68
|
162 the options, they will be treated as a single query to be executed.
|
|
jpayne@68
|
163 This mode of operation is intended for scripts and behaves differently
|
|
jpayne@68
|
164 from the interactive mode in several respects:
|
|
jpayne@68
|
165 .INDENT 0.0
|
|
jpayne@68
|
166 .IP \(bu 2
|
|
jpayne@68
|
167 Query arguments are split by the shell, not by kadmin.
|
|
jpayne@68
|
168 .IP \(bu 2
|
|
jpayne@68
|
169 Informational and warning messages are suppressed. Error messages
|
|
jpayne@68
|
170 and query output (e.g. for \fBget_principal\fP) will still be
|
|
jpayne@68
|
171 displayed.
|
|
jpayne@68
|
172 .IP \(bu 2
|
|
jpayne@68
|
173 Confirmation prompts are disabled (as if \fB\-force\fP was given).
|
|
jpayne@68
|
174 Password prompts will still be issued as required.
|
|
jpayne@68
|
175 .IP \(bu 2
|
|
jpayne@68
|
176 The exit status will be non\-zero if the query fails.
|
|
jpayne@68
|
177 .UNINDENT
|
|
jpayne@68
|
178 .sp
|
|
jpayne@68
|
179 The \fB\-q\fP option does not carry these behavior differences; the query
|
|
jpayne@68
|
180 will be processed as if it was entered interactively. The \fB\-q\fP
|
|
jpayne@68
|
181 option cannot be used in combination with a query in the remaining
|
|
jpayne@68
|
182 arguments.
|
|
jpayne@68
|
183 .SH DATABASE OPTIONS
|
|
jpayne@68
|
184 .sp
|
|
jpayne@68
|
185 Database options can be used to override database\-specific defaults.
|
|
jpayne@68
|
186 Supported options for the DB2 module are:
|
|
jpayne@68
|
187 .INDENT 0.0
|
|
jpayne@68
|
188 .INDENT 3.5
|
|
jpayne@68
|
189 .INDENT 0.0
|
|
jpayne@68
|
190 .TP
|
|
jpayne@68
|
191 \fB\-x dbname=\fP*filename*
|
|
jpayne@68
|
192 Specifies the base filename of the DB2 database.
|
|
jpayne@68
|
193 .TP
|
|
jpayne@68
|
194 \fB\-x lockiter\fP
|
|
jpayne@68
|
195 Make iteration operations hold the lock for the duration of
|
|
jpayne@68
|
196 the entire operation, rather than temporarily releasing the
|
|
jpayne@68
|
197 lock while handling each principal. This is the default
|
|
jpayne@68
|
198 behavior, but this option exists to allow command line
|
|
jpayne@68
|
199 override of a [dbmodules] setting. First introduced in
|
|
jpayne@68
|
200 release 1.13.
|
|
jpayne@68
|
201 .TP
|
|
jpayne@68
|
202 \fB\-x unlockiter\fP
|
|
jpayne@68
|
203 Make iteration operations unlock the database for each
|
|
jpayne@68
|
204 principal, instead of holding the lock for the duration of the
|
|
jpayne@68
|
205 entire operation. First introduced in release 1.13.
|
|
jpayne@68
|
206 .UNINDENT
|
|
jpayne@68
|
207 .UNINDENT
|
|
jpayne@68
|
208 .UNINDENT
|
|
jpayne@68
|
209 .sp
|
|
jpayne@68
|
210 Supported options for the LDAP module are:
|
|
jpayne@68
|
211 .INDENT 0.0
|
|
jpayne@68
|
212 .INDENT 3.5
|
|
jpayne@68
|
213 .INDENT 0.0
|
|
jpayne@68
|
214 .TP
|
|
jpayne@68
|
215 \fB\-x host=\fP\fIldapuri\fP
|
|
jpayne@68
|
216 Specifies the LDAP server to connect to by a LDAP URI.
|
|
jpayne@68
|
217 .TP
|
|
jpayne@68
|
218 \fB\-x binddn=\fP\fIbind_dn\fP
|
|
jpayne@68
|
219 Specifies the DN used to bind to the LDAP server.
|
|
jpayne@68
|
220 .TP
|
|
jpayne@68
|
221 \fB\-x bindpwd=\fP\fIpassword\fP
|
|
jpayne@68
|
222 Specifies the password or SASL secret used to bind to the LDAP
|
|
jpayne@68
|
223 server. Using this option may expose the password to other
|
|
jpayne@68
|
224 users on the system via the process list; to avoid this,
|
|
jpayne@68
|
225 instead stash the password using the \fBstashsrvpw\fP command of
|
|
jpayne@68
|
226 kdb5_ldap_util(8)\&.
|
|
jpayne@68
|
227 .TP
|
|
jpayne@68
|
228 \fB\-x sasl_mech=\fP\fImechanism\fP
|
|
jpayne@68
|
229 Specifies the SASL mechanism used to bind to the LDAP server.
|
|
jpayne@68
|
230 The bind DN is ignored if a SASL mechanism is used. New in
|
|
jpayne@68
|
231 release 1.13.
|
|
jpayne@68
|
232 .TP
|
|
jpayne@68
|
233 \fB\-x sasl_authcid=\fP\fIname\fP
|
|
jpayne@68
|
234 Specifies the authentication name used when binding to the
|
|
jpayne@68
|
235 LDAP server with a SASL mechanism, if the mechanism requires
|
|
jpayne@68
|
236 one. New in release 1.13.
|
|
jpayne@68
|
237 .TP
|
|
jpayne@68
|
238 \fB\-x sasl_authzid=\fP\fIname\fP
|
|
jpayne@68
|
239 Specifies the authorization name used when binding to the LDAP
|
|
jpayne@68
|
240 server with a SASL mechanism. New in release 1.13.
|
|
jpayne@68
|
241 .TP
|
|
jpayne@68
|
242 \fB\-x sasl_realm=\fP\fIrealm\fP
|
|
jpayne@68
|
243 Specifies the realm used when binding to the LDAP server with
|
|
jpayne@68
|
244 a SASL mechanism, if the mechanism uses one. New in release
|
|
jpayne@68
|
245 1.13.
|
|
jpayne@68
|
246 .TP
|
|
jpayne@68
|
247 \fB\-x debug=\fP\fIlevel\fP
|
|
jpayne@68
|
248 sets the OpenLDAP client library debug level. \fIlevel\fP is an
|
|
jpayne@68
|
249 integer to be interpreted by the library. Debugging messages
|
|
jpayne@68
|
250 are printed to standard error. New in release 1.12.
|
|
jpayne@68
|
251 .UNINDENT
|
|
jpayne@68
|
252 .UNINDENT
|
|
jpayne@68
|
253 .UNINDENT
|
|
jpayne@68
|
254 .SH COMMANDS
|
|
jpayne@68
|
255 .sp
|
|
jpayne@68
|
256 When using the remote client, available commands may be restricted
|
|
jpayne@68
|
257 according to the privileges specified in the kadm5.acl(5) file
|
|
jpayne@68
|
258 on the admin server.
|
|
jpayne@68
|
259 .SS add_principal
|
|
jpayne@68
|
260 .INDENT 0.0
|
|
jpayne@68
|
261 .INDENT 3.5
|
|
jpayne@68
|
262 \fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
|
|
jpayne@68
|
263 .UNINDENT
|
|
jpayne@68
|
264 .UNINDENT
|
|
jpayne@68
|
265 .sp
|
|
jpayne@68
|
266 Creates the principal \fInewprinc\fP, prompting twice for a password. If
|
|
jpayne@68
|
267 no password policy is specified with the \fB\-policy\fP option, and the
|
|
jpayne@68
|
268 policy named \fBdefault\fP is assigned to the principal if it exists.
|
|
jpayne@68
|
269 However, creating a policy named \fBdefault\fP will not automatically
|
|
jpayne@68
|
270 assign this policy to previously existing principals. This policy
|
|
jpayne@68
|
271 assignment can be suppressed with the \fB\-clearpolicy\fP option.
|
|
jpayne@68
|
272 .sp
|
|
jpayne@68
|
273 This command requires the \fBadd\fP privilege.
|
|
jpayne@68
|
274 .sp
|
|
jpayne@68
|
275 Aliases: \fBaddprinc\fP, \fBank\fP
|
|
jpayne@68
|
276 .sp
|
|
jpayne@68
|
277 Options:
|
|
jpayne@68
|
278 .INDENT 0.0
|
|
jpayne@68
|
279 .TP
|
|
jpayne@68
|
280 \fB\-expire\fP \fIexpdate\fP
|
|
jpayne@68
|
281 (getdate string) The expiration date of the principal.
|
|
jpayne@68
|
282 .TP
|
|
jpayne@68
|
283 \fB\-pwexpire\fP \fIpwexpdate\fP
|
|
jpayne@68
|
284 (getdate string) The password expiration date.
|
|
jpayne@68
|
285 .TP
|
|
jpayne@68
|
286 \fB\-maxlife\fP \fImaxlife\fP
|
|
jpayne@68
|
287 (duration or getdate string) The maximum ticket life
|
|
jpayne@68
|
288 for the principal.
|
|
jpayne@68
|
289 .TP
|
|
jpayne@68
|
290 \fB\-maxrenewlife\fP \fImaxrenewlife\fP
|
|
jpayne@68
|
291 (duration or getdate string) The maximum renewable
|
|
jpayne@68
|
292 life of tickets for the principal.
|
|
jpayne@68
|
293 .TP
|
|
jpayne@68
|
294 \fB\-kvno\fP \fIkvno\fP
|
|
jpayne@68
|
295 The initial key version number.
|
|
jpayne@68
|
296 .TP
|
|
jpayne@68
|
297 \fB\-policy\fP \fIpolicy\fP
|
|
jpayne@68
|
298 The password policy used by this principal. If not specified, the
|
|
jpayne@68
|
299 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
|
|
jpayne@68
|
300 is specified).
|
|
jpayne@68
|
301 .TP
|
|
jpayne@68
|
302 \fB\-clearpolicy\fP
|
|
jpayne@68
|
303 Prevents any policy from being assigned when \fB\-policy\fP is not
|
|
jpayne@68
|
304 specified.
|
|
jpayne@68
|
305 .TP
|
|
jpayne@68
|
306 {\-|+}\fBallow_postdated\fP
|
|
jpayne@68
|
307 \fB\-allow_postdated\fP prohibits this principal from obtaining
|
|
jpayne@68
|
308 postdated tickets. \fB+allow_postdated\fP clears this flag.
|
|
jpayne@68
|
309 .TP
|
|
jpayne@68
|
310 {\-|+}\fBallow_forwardable\fP
|
|
jpayne@68
|
311 \fB\-allow_forwardable\fP prohibits this principal from obtaining
|
|
jpayne@68
|
312 forwardable tickets. \fB+allow_forwardable\fP clears this flag.
|
|
jpayne@68
|
313 .TP
|
|
jpayne@68
|
314 {\-|+}\fBallow_renewable\fP
|
|
jpayne@68
|
315 \fB\-allow_renewable\fP prohibits this principal from obtaining
|
|
jpayne@68
|
316 renewable tickets. \fB+allow_renewable\fP clears this flag.
|
|
jpayne@68
|
317 .TP
|
|
jpayne@68
|
318 {\-|+}\fBallow_proxiable\fP
|
|
jpayne@68
|
319 \fB\-allow_proxiable\fP prohibits this principal from obtaining
|
|
jpayne@68
|
320 proxiable tickets. \fB+allow_proxiable\fP clears this flag.
|
|
jpayne@68
|
321 .TP
|
|
jpayne@68
|
322 {\-|+}\fBallow_dup_skey\fP
|
|
jpayne@68
|
323 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
|
|
jpayne@68
|
324 principal by prohibiting others from obtaining a service ticket
|
|
jpayne@68
|
325 encrypted in this principal\(aqs TGT session key.
|
|
jpayne@68
|
326 \fB+allow_dup_skey\fP clears this flag.
|
|
jpayne@68
|
327 .TP
|
|
jpayne@68
|
328 {\-|+}\fBrequires_preauth\fP
|
|
jpayne@68
|
329 \fB+requires_preauth\fP requires this principal to preauthenticate
|
|
jpayne@68
|
330 before being allowed to kinit. \fB\-requires_preauth\fP clears this
|
|
jpayne@68
|
331 flag. When \fB+requires_preauth\fP is set on a service principal,
|
|
jpayne@68
|
332 the KDC will only issue service tickets for that service principal
|
|
jpayne@68
|
333 if the client\(aqs initial authentication was performed using
|
|
jpayne@68
|
334 preauthentication.
|
|
jpayne@68
|
335 .TP
|
|
jpayne@68
|
336 {\-|+}\fBrequires_hwauth\fP
|
|
jpayne@68
|
337 \fB+requires_hwauth\fP requires this principal to preauthenticate
|
|
jpayne@68
|
338 using a hardware device before being allowed to kinit.
|
|
jpayne@68
|
339 \fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
|
|
jpayne@68
|
340 set on a service principal, the KDC will only issue service tickets
|
|
jpayne@68
|
341 for that service principal if the client\(aqs initial authentication was
|
|
jpayne@68
|
342 performed using a hardware device to preauthenticate.
|
|
jpayne@68
|
343 .TP
|
|
jpayne@68
|
344 {\-|+}\fBok_as_delegate\fP
|
|
jpayne@68
|
345 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
|
|
jpayne@68
|
346 issued with this principal as the service. Clients may use this
|
|
jpayne@68
|
347 flag as a hint that credentials should be delegated when
|
|
jpayne@68
|
348 authenticating to the service. \fB\-ok_as_delegate\fP clears this
|
|
jpayne@68
|
349 flag.
|
|
jpayne@68
|
350 .TP
|
|
jpayne@68
|
351 {\-|+}\fBallow_svr\fP
|
|
jpayne@68
|
352 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
|
|
jpayne@68
|
353 principal. In release 1.17 and later, user\-to\-user service
|
|
jpayne@68
|
354 tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is
|
|
jpayne@68
|
355 also set. \fB+allow_svr\fP clears this flag.
|
|
jpayne@68
|
356 .TP
|
|
jpayne@68
|
357 {\-|+}\fBallow_tgs_req\fP
|
|
jpayne@68
|
358 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
|
|
jpayne@68
|
359 request for a service ticket for this principal is not permitted.
|
|
jpayne@68
|
360 \fB+allow_tgs_req\fP clears this flag.
|
|
jpayne@68
|
361 .TP
|
|
jpayne@68
|
362 {\-|+}\fBallow_tix\fP
|
|
jpayne@68
|
363 \fB\-allow_tix\fP forbids the issuance of any tickets for this
|
|
jpayne@68
|
364 principal. \fB+allow_tix\fP clears this flag.
|
|
jpayne@68
|
365 .TP
|
|
jpayne@68
|
366 {\-|+}\fBneedchange\fP
|
|
jpayne@68
|
367 \fB+needchange\fP forces a password change on the next initial
|
|
jpayne@68
|
368 authentication to this principal. \fB\-needchange\fP clears this
|
|
jpayne@68
|
369 flag.
|
|
jpayne@68
|
370 .TP
|
|
jpayne@68
|
371 {\-|+}\fBpassword_changing_service\fP
|
|
jpayne@68
|
372 \fB+password_changing_service\fP marks this principal as a password
|
|
jpayne@68
|
373 change service principal.
|
|
jpayne@68
|
374 .TP
|
|
jpayne@68
|
375 {\-|+}\fBok_to_auth_as_delegate\fP
|
|
jpayne@68
|
376 \fB+ok_to_auth_as_delegate\fP allows this principal to acquire
|
|
jpayne@68
|
377 forwardable tickets to itself from arbitrary users, for use with
|
|
jpayne@68
|
378 constrained delegation.
|
|
jpayne@68
|
379 .TP
|
|
jpayne@68
|
380 {\-|+}\fBno_auth_data_required\fP
|
|
jpayne@68
|
381 \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
|
|
jpayne@68
|
382 being added to service tickets for the principal.
|
|
jpayne@68
|
383 .TP
|
|
jpayne@68
|
384 {\-|+}\fBlockdown_keys\fP
|
|
jpayne@68
|
385 \fB+lockdown_keys\fP prevents keys for this principal from leaving
|
|
jpayne@68
|
386 the KDC via kadmind. The chpass and extract operations are denied
|
|
jpayne@68
|
387 for a principal with this attribute. The chrand operation is
|
|
jpayne@68
|
388 allowed, but will not return the new keys. The delete and rename
|
|
jpayne@68
|
389 operations are also denied if this attribute is set, in order to
|
|
jpayne@68
|
390 prevent a malicious administrator from replacing principals like
|
|
jpayne@68
|
391 krbtgt/* or kadmin/* with new principals without the attribute.
|
|
jpayne@68
|
392 This attribute can be set via the network protocol, but can only
|
|
jpayne@68
|
393 be removed using kadmin.local.
|
|
jpayne@68
|
394 .TP
|
|
jpayne@68
|
395 \fB\-randkey\fP
|
|
jpayne@68
|
396 Sets the key of the principal to a random value.
|
|
jpayne@68
|
397 .TP
|
|
jpayne@68
|
398 \fB\-nokey\fP
|
|
jpayne@68
|
399 Causes the principal to be created with no key. New in release
|
|
jpayne@68
|
400 1.12.
|
|
jpayne@68
|
401 .TP
|
|
jpayne@68
|
402 \fB\-pw\fP \fIpassword\fP
|
|
jpayne@68
|
403 Sets the password of the principal to the specified string and
|
|
jpayne@68
|
404 does not prompt for a password. Note: using this option in a
|
|
jpayne@68
|
405 shell script may expose the password to other users on the system
|
|
jpayne@68
|
406 via the process list.
|
|
jpayne@68
|
407 .TP
|
|
jpayne@68
|
408 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
|
|
jpayne@68
|
409 Uses the specified keysalt list for setting the keys of the
|
|
jpayne@68
|
410 principal. See Keysalt_lists in kdc.conf(5) for a
|
|
jpayne@68
|
411 list of possible values.
|
|
jpayne@68
|
412 .TP
|
|
jpayne@68
|
413 \fB\-x\fP \fIdb_princ_args\fP
|
|
jpayne@68
|
414 Indicates database\-specific options. The options for the LDAP
|
|
jpayne@68
|
415 database module are:
|
|
jpayne@68
|
416 .INDENT 7.0
|
|
jpayne@68
|
417 .TP
|
|
jpayne@68
|
418 \fB\-x dn=\fP\fIdn\fP
|
|
jpayne@68
|
419 Specifies the LDAP object that will contain the Kerberos
|
|
jpayne@68
|
420 principal being created.
|
|
jpayne@68
|
421 .TP
|
|
jpayne@68
|
422 \fB\-x linkdn=\fP\fIdn\fP
|
|
jpayne@68
|
423 Specifies the LDAP object to which the newly created Kerberos
|
|
jpayne@68
|
424 principal object will point.
|
|
jpayne@68
|
425 .TP
|
|
jpayne@68
|
426 \fB\-x containerdn=\fP\fIcontainer_dn\fP
|
|
jpayne@68
|
427 Specifies the container object under which the Kerberos
|
|
jpayne@68
|
428 principal is to be created.
|
|
jpayne@68
|
429 .TP
|
|
jpayne@68
|
430 \fB\-x tktpolicy=\fP\fIpolicy\fP
|
|
jpayne@68
|
431 Associates a ticket policy to the Kerberos principal.
|
|
jpayne@68
|
432 .UNINDENT
|
|
jpayne@68
|
433 .sp
|
|
jpayne@68
|
434 \fBNOTE:\fP
|
|
jpayne@68
|
435 .INDENT 7.0
|
|
jpayne@68
|
436 .INDENT 3.5
|
|
jpayne@68
|
437 .INDENT 0.0
|
|
jpayne@68
|
438 .IP \(bu 2
|
|
jpayne@68
|
439 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
|
|
jpayne@68
|
440 specified with the \fBdn\fP option.
|
|
jpayne@68
|
441 .IP \(bu 2
|
|
jpayne@68
|
442 If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
|
|
jpayne@68
|
443 adding the principal, the principals are created under the
|
|
jpayne@68
|
444 principal container configured in the realm or the realm
|
|
jpayne@68
|
445 container.
|
|
jpayne@68
|
446 .IP \(bu 2
|
|
jpayne@68
|
447 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
|
|
jpayne@68
|
448 principal container configured in the realm.
|
|
jpayne@68
|
449 .UNINDENT
|
|
jpayne@68
|
450 .UNINDENT
|
|
jpayne@68
|
451 .UNINDENT
|
|
jpayne@68
|
452 .UNINDENT
|
|
jpayne@68
|
453 .sp
|
|
jpayne@68
|
454 Example:
|
|
jpayne@68
|
455 .INDENT 0.0
|
|
jpayne@68
|
456 .INDENT 3.5
|
|
jpayne@68
|
457 .sp
|
|
jpayne@68
|
458 .nf
|
|
jpayne@68
|
459 .ft C
|
|
jpayne@68
|
460 kadmin: addprinc jennifer
|
|
jpayne@68
|
461 No policy specified for "jennifer@ATHENA.MIT.EDU";
|
|
jpayne@68
|
462 defaulting to no policy.
|
|
jpayne@68
|
463 Enter password for principal jennifer@ATHENA.MIT.EDU:
|
|
jpayne@68
|
464 Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
|
|
jpayne@68
|
465 Principal "jennifer@ATHENA.MIT.EDU" created.
|
|
jpayne@68
|
466 kadmin:
|
|
jpayne@68
|
467 .ft P
|
|
jpayne@68
|
468 .fi
|
|
jpayne@68
|
469 .UNINDENT
|
|
jpayne@68
|
470 .UNINDENT
|
|
jpayne@68
|
471 .SS modify_principal
|
|
jpayne@68
|
472 .INDENT 0.0
|
|
jpayne@68
|
473 .INDENT 3.5
|
|
jpayne@68
|
474 \fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
|
|
jpayne@68
|
475 .UNINDENT
|
|
jpayne@68
|
476 .UNINDENT
|
|
jpayne@68
|
477 .sp
|
|
jpayne@68
|
478 Modifies the specified principal, changing the fields as specified.
|
|
jpayne@68
|
479 The options to \fBadd_principal\fP also apply to this command, except
|
|
jpayne@68
|
480 for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
|
|
jpayne@68
|
481 option \fB\-clearpolicy\fP will clear the current policy of a principal.
|
|
jpayne@68
|
482 .sp
|
|
jpayne@68
|
483 This command requires the \fImodify\fP privilege.
|
|
jpayne@68
|
484 .sp
|
|
jpayne@68
|
485 Alias: \fBmodprinc\fP
|
|
jpayne@68
|
486 .sp
|
|
jpayne@68
|
487 Options (in addition to the \fBaddprinc\fP options):
|
|
jpayne@68
|
488 .INDENT 0.0
|
|
jpayne@68
|
489 .TP
|
|
jpayne@68
|
490 \fB\-unlock\fP
|
|
jpayne@68
|
491 Unlocks a locked principal (one which has received too many failed
|
|
jpayne@68
|
492 authentication attempts without enough time between them according
|
|
jpayne@68
|
493 to its password policy) so that it can successfully authenticate.
|
|
jpayne@68
|
494 .UNINDENT
|
|
jpayne@68
|
495 .SS rename_principal
|
|
jpayne@68
|
496 .INDENT 0.0
|
|
jpayne@68
|
497 .INDENT 3.5
|
|
jpayne@68
|
498 \fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
|
|
jpayne@68
|
499 .UNINDENT
|
|
jpayne@68
|
500 .UNINDENT
|
|
jpayne@68
|
501 .sp
|
|
jpayne@68
|
502 Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This
|
|
jpayne@68
|
503 command prompts for confirmation, unless the \fB\-force\fP option is
|
|
jpayne@68
|
504 given.
|
|
jpayne@68
|
505 .sp
|
|
jpayne@68
|
506 This command requires the \fBadd\fP and \fBdelete\fP privileges.
|
|
jpayne@68
|
507 .sp
|
|
jpayne@68
|
508 Alias: \fBrenprinc\fP
|
|
jpayne@68
|
509 .SS delete_principal
|
|
jpayne@68
|
510 .INDENT 0.0
|
|
jpayne@68
|
511 .INDENT 3.5
|
|
jpayne@68
|
512 \fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
|
|
jpayne@68
|
513 .UNINDENT
|
|
jpayne@68
|
514 .UNINDENT
|
|
jpayne@68
|
515 .sp
|
|
jpayne@68
|
516 Deletes the specified \fIprincipal\fP from the database. This command
|
|
jpayne@68
|
517 prompts for deletion, unless the \fB\-force\fP option is given.
|
|
jpayne@68
|
518 .sp
|
|
jpayne@68
|
519 This command requires the \fBdelete\fP privilege.
|
|
jpayne@68
|
520 .sp
|
|
jpayne@68
|
521 Alias: \fBdelprinc\fP
|
|
jpayne@68
|
522 .SS change_password
|
|
jpayne@68
|
523 .INDENT 0.0
|
|
jpayne@68
|
524 .INDENT 3.5
|
|
jpayne@68
|
525 \fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
|
|
jpayne@68
|
526 .UNINDENT
|
|
jpayne@68
|
527 .UNINDENT
|
|
jpayne@68
|
528 .sp
|
|
jpayne@68
|
529 Changes the password of \fIprincipal\fP\&. Prompts for a new password if
|
|
jpayne@68
|
530 neither \fB\-randkey\fP or \fB\-pw\fP is specified.
|
|
jpayne@68
|
531 .sp
|
|
jpayne@68
|
532 This command requires the \fBchangepw\fP privilege, or that the
|
|
jpayne@68
|
533 principal running the program is the same as the principal being
|
|
jpayne@68
|
534 changed.
|
|
jpayne@68
|
535 .sp
|
|
jpayne@68
|
536 Alias: \fBcpw\fP
|
|
jpayne@68
|
537 .sp
|
|
jpayne@68
|
538 The following options are available:
|
|
jpayne@68
|
539 .INDENT 0.0
|
|
jpayne@68
|
540 .TP
|
|
jpayne@68
|
541 \fB\-randkey\fP
|
|
jpayne@68
|
542 Sets the key of the principal to a random value.
|
|
jpayne@68
|
543 .TP
|
|
jpayne@68
|
544 \fB\-pw\fP \fIpassword\fP
|
|
jpayne@68
|
545 Set the password to the specified string. Using this option in a
|
|
jpayne@68
|
546 script may expose the password to other users on the system via
|
|
jpayne@68
|
547 the process list.
|
|
jpayne@68
|
548 .TP
|
|
jpayne@68
|
549 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
|
|
jpayne@68
|
550 Uses the specified keysalt list for setting the keys of the
|
|
jpayne@68
|
551 principal. See Keysalt_lists in kdc.conf(5) for a
|
|
jpayne@68
|
552 list of possible values.
|
|
jpayne@68
|
553 .TP
|
|
jpayne@68
|
554 \fB\-keepold\fP
|
|
jpayne@68
|
555 Keeps the existing keys in the database. This flag is usually not
|
|
jpayne@68
|
556 necessary except perhaps for \fBkrbtgt\fP principals.
|
|
jpayne@68
|
557 .UNINDENT
|
|
jpayne@68
|
558 .sp
|
|
jpayne@68
|
559 Example:
|
|
jpayne@68
|
560 .INDENT 0.0
|
|
jpayne@68
|
561 .INDENT 3.5
|
|
jpayne@68
|
562 .sp
|
|
jpayne@68
|
563 .nf
|
|
jpayne@68
|
564 .ft C
|
|
jpayne@68
|
565 kadmin: cpw systest
|
|
jpayne@68
|
566 Enter password for principal systest@BLEEP.COM:
|
|
jpayne@68
|
567 Re\-enter password for principal systest@BLEEP.COM:
|
|
jpayne@68
|
568 Password for systest@BLEEP.COM changed.
|
|
jpayne@68
|
569 kadmin:
|
|
jpayne@68
|
570 .ft P
|
|
jpayne@68
|
571 .fi
|
|
jpayne@68
|
572 .UNINDENT
|
|
jpayne@68
|
573 .UNINDENT
|
|
jpayne@68
|
574 .SS purgekeys
|
|
jpayne@68
|
575 .INDENT 0.0
|
|
jpayne@68
|
576 .INDENT 3.5
|
|
jpayne@68
|
577 \fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
|
|
jpayne@68
|
578 .UNINDENT
|
|
jpayne@68
|
579 .UNINDENT
|
|
jpayne@68
|
580 .sp
|
|
jpayne@68
|
581 Purges previously retained old keys (e.g., from \fBchange_password
|
|
jpayne@68
|
582 \-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
|
|
jpayne@68
|
583 only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If
|
|
jpayne@68
|
584 \fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
|
|
jpayne@68
|
585 is new in release 1.12.
|
|
jpayne@68
|
586 .sp
|
|
jpayne@68
|
587 This command requires the \fBmodify\fP privilege.
|
|
jpayne@68
|
588 .SS get_principal
|
|
jpayne@68
|
589 .INDENT 0.0
|
|
jpayne@68
|
590 .INDENT 3.5
|
|
jpayne@68
|
591 \fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
|
|
jpayne@68
|
592 .UNINDENT
|
|
jpayne@68
|
593 .UNINDENT
|
|
jpayne@68
|
594 .sp
|
|
jpayne@68
|
595 Gets the attributes of principal. With the \fB\-terse\fP option, outputs
|
|
jpayne@68
|
596 fields as quoted tab\-separated strings.
|
|
jpayne@68
|
597 .sp
|
|
jpayne@68
|
598 This command requires the \fBinquire\fP privilege, or that the principal
|
|
jpayne@68
|
599 running the the program to be the same as the one being listed.
|
|
jpayne@68
|
600 .sp
|
|
jpayne@68
|
601 Alias: \fBgetprinc\fP
|
|
jpayne@68
|
602 .sp
|
|
jpayne@68
|
603 Examples:
|
|
jpayne@68
|
604 .INDENT 0.0
|
|
jpayne@68
|
605 .INDENT 3.5
|
|
jpayne@68
|
606 .sp
|
|
jpayne@68
|
607 .nf
|
|
jpayne@68
|
608 .ft C
|
|
jpayne@68
|
609 kadmin: getprinc tlyu/admin
|
|
jpayne@68
|
610 Principal: tlyu/admin@BLEEP.COM
|
|
jpayne@68
|
611 Expiration date: [never]
|
|
jpayne@68
|
612 Last password change: Mon Aug 12 14:16:47 EDT 1996
|
|
jpayne@68
|
613 Password expiration date: [never]
|
|
jpayne@68
|
614 Maximum ticket life: 0 days 10:00:00
|
|
jpayne@68
|
615 Maximum renewable life: 7 days 00:00:00
|
|
jpayne@68
|
616 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
|
|
jpayne@68
|
617 Last successful authentication: [never]
|
|
jpayne@68
|
618 Last failed authentication: [never]
|
|
jpayne@68
|
619 Failed password attempts: 0
|
|
jpayne@68
|
620 Number of keys: 1
|
|
jpayne@68
|
621 Key: vno 1, aes256\-cts\-hmac\-sha384\-192
|
|
jpayne@68
|
622 MKey: vno 1
|
|
jpayne@68
|
623 Attributes:
|
|
jpayne@68
|
624 Policy: [none]
|
|
jpayne@68
|
625
|
|
jpayne@68
|
626 kadmin: getprinc \-terse systest
|
|
jpayne@68
|
627 systest@BLEEP.COM 3 86400 604800 1
|
|
jpayne@68
|
628 785926535 753241234 785900000
|
|
jpayne@68
|
629 tlyu/admin@BLEEP.COM 786100034 0 0
|
|
jpayne@68
|
630 kadmin:
|
|
jpayne@68
|
631 .ft P
|
|
jpayne@68
|
632 .fi
|
|
jpayne@68
|
633 .UNINDENT
|
|
jpayne@68
|
634 .UNINDENT
|
|
jpayne@68
|
635 .SS list_principals
|
|
jpayne@68
|
636 .INDENT 0.0
|
|
jpayne@68
|
637 .INDENT 3.5
|
|
jpayne@68
|
638 \fBlist_principals\fP [\fIexpression\fP]
|
|
jpayne@68
|
639 .UNINDENT
|
|
jpayne@68
|
640 .UNINDENT
|
|
jpayne@68
|
641 .sp
|
|
jpayne@68
|
642 Retrieves all or some principal names. \fIexpression\fP is a shell\-style
|
|
jpayne@68
|
643 glob expression that can contain the wild\-card characters \fB?\fP,
|
|
jpayne@68
|
644 \fB*\fP, and \fB[]\fP\&. All principal names matching the expression are
|
|
jpayne@68
|
645 printed. If no expression is provided, all principal names are
|
|
jpayne@68
|
646 printed. If the expression does not contain an \fB@\fP character, an
|
|
jpayne@68
|
647 \fB@\fP character followed by the local realm is appended to the
|
|
jpayne@68
|
648 expression.
|
|
jpayne@68
|
649 .sp
|
|
jpayne@68
|
650 This command requires the \fBlist\fP privilege.
|
|
jpayne@68
|
651 .sp
|
|
jpayne@68
|
652 Alias: \fBlistprincs\fP, \fBget_principals\fP, \fBgetprincs\fP
|
|
jpayne@68
|
653 .sp
|
|
jpayne@68
|
654 Example:
|
|
jpayne@68
|
655 .INDENT 0.0
|
|
jpayne@68
|
656 .INDENT 3.5
|
|
jpayne@68
|
657 .sp
|
|
jpayne@68
|
658 .nf
|
|
jpayne@68
|
659 .ft C
|
|
jpayne@68
|
660 kadmin: listprincs test*
|
|
jpayne@68
|
661 test3@SECURE\-TEST.OV.COM
|
|
jpayne@68
|
662 test2@SECURE\-TEST.OV.COM
|
|
jpayne@68
|
663 test1@SECURE\-TEST.OV.COM
|
|
jpayne@68
|
664 testuser@SECURE\-TEST.OV.COM
|
|
jpayne@68
|
665 kadmin:
|
|
jpayne@68
|
666 .ft P
|
|
jpayne@68
|
667 .fi
|
|
jpayne@68
|
668 .UNINDENT
|
|
jpayne@68
|
669 .UNINDENT
|
|
jpayne@68
|
670 .SS get_strings
|
|
jpayne@68
|
671 .INDENT 0.0
|
|
jpayne@68
|
672 .INDENT 3.5
|
|
jpayne@68
|
673 \fBget_strings\fP \fIprincipal\fP
|
|
jpayne@68
|
674 .UNINDENT
|
|
jpayne@68
|
675 .UNINDENT
|
|
jpayne@68
|
676 .sp
|
|
jpayne@68
|
677 Displays string attributes on \fIprincipal\fP\&.
|
|
jpayne@68
|
678 .sp
|
|
jpayne@68
|
679 This command requires the \fBinquire\fP privilege.
|
|
jpayne@68
|
680 .sp
|
|
jpayne@68
|
681 Alias: \fBgetstrs\fP
|
|
jpayne@68
|
682 .SS set_string
|
|
jpayne@68
|
683 .INDENT 0.0
|
|
jpayne@68
|
684 .INDENT 3.5
|
|
jpayne@68
|
685 \fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
|
|
jpayne@68
|
686 .UNINDENT
|
|
jpayne@68
|
687 .UNINDENT
|
|
jpayne@68
|
688 .sp
|
|
jpayne@68
|
689 Sets a string attribute on \fIprincipal\fP\&. String attributes are used to
|
|
jpayne@68
|
690 supply per\-principal configuration to the KDC and some KDC plugin
|
|
jpayne@68
|
691 modules. The following string attribute names are recognized by the
|
|
jpayne@68
|
692 KDC:
|
|
jpayne@68
|
693 .INDENT 0.0
|
|
jpayne@68
|
694 .TP
|
|
jpayne@68
|
695 \fBrequire_auth\fP
|
|
jpayne@68
|
696 Specifies an authentication indicator which is required to
|
|
jpayne@68
|
697 authenticate to the principal as a service. Multiple indicators
|
|
jpayne@68
|
698 can be specified, separated by spaces; in this case any of the
|
|
jpayne@68
|
699 specified indicators will be accepted. (New in release 1.14.)
|
|
jpayne@68
|
700 .TP
|
|
jpayne@68
|
701 \fBsession_enctypes\fP
|
|
jpayne@68
|
702 Specifies the encryption types supported for session keys when the
|
|
jpayne@68
|
703 principal is authenticated to as a server. See
|
|
jpayne@68
|
704 Encryption_types in kdc.conf(5) for a list of the
|
|
jpayne@68
|
705 accepted values.
|
|
jpayne@68
|
706 .TP
|
|
jpayne@68
|
707 \fBotp\fP
|
|
jpayne@68
|
708 Enables One Time Passwords (OTP) preauthentication for a client
|
|
jpayne@68
|
709 \fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
|
|
jpayne@68
|
710 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
|
|
jpayne@68
|
711 .TP
|
|
jpayne@68
|
712 \fBpkinit_cert_match\fP
|
|
jpayne@68
|
713 Specifies a matching expression that defines the certificate
|
|
jpayne@68
|
714 attributes required for the client certificate used by the
|
|
jpayne@68
|
715 principal during PKINIT authentication. The matching expression
|
|
jpayne@68
|
716 is in the same format as those used by the \fBpkinit_cert_match\fP
|
|
jpayne@68
|
717 option in krb5.conf(5)\&. (New in release 1.16.)
|
|
jpayne@68
|
718 .UNINDENT
|
|
jpayne@68
|
719 .sp
|
|
jpayne@68
|
720 This command requires the \fBmodify\fP privilege.
|
|
jpayne@68
|
721 .sp
|
|
jpayne@68
|
722 Alias: \fBsetstr\fP
|
|
jpayne@68
|
723 .sp
|
|
jpayne@68
|
724 Example:
|
|
jpayne@68
|
725 .INDENT 0.0
|
|
jpayne@68
|
726 .INDENT 3.5
|
|
jpayne@68
|
727 .sp
|
|
jpayne@68
|
728 .nf
|
|
jpayne@68
|
729 .ft C
|
|
jpayne@68
|
730 set_string host/foo.mit.edu session_enctypes aes128\-cts
|
|
jpayne@68
|
731 set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
|
|
jpayne@68
|
732 .ft P
|
|
jpayne@68
|
733 .fi
|
|
jpayne@68
|
734 .UNINDENT
|
|
jpayne@68
|
735 .UNINDENT
|
|
jpayne@68
|
736 .SS del_string
|
|
jpayne@68
|
737 .INDENT 0.0
|
|
jpayne@68
|
738 .INDENT 3.5
|
|
jpayne@68
|
739 \fBdel_string\fP \fIprincipal\fP \fIkey\fP
|
|
jpayne@68
|
740 .UNINDENT
|
|
jpayne@68
|
741 .UNINDENT
|
|
jpayne@68
|
742 .sp
|
|
jpayne@68
|
743 Deletes a string attribute from \fIprincipal\fP\&.
|
|
jpayne@68
|
744 .sp
|
|
jpayne@68
|
745 This command requires the \fBdelete\fP privilege.
|
|
jpayne@68
|
746 .sp
|
|
jpayne@68
|
747 Alias: \fBdelstr\fP
|
|
jpayne@68
|
748 .SS add_policy
|
|
jpayne@68
|
749 .INDENT 0.0
|
|
jpayne@68
|
750 .INDENT 3.5
|
|
jpayne@68
|
751 \fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
|
|
jpayne@68
|
752 .UNINDENT
|
|
jpayne@68
|
753 .UNINDENT
|
|
jpayne@68
|
754 .sp
|
|
jpayne@68
|
755 Adds a password policy named \fIpolicy\fP to the database.
|
|
jpayne@68
|
756 .sp
|
|
jpayne@68
|
757 This command requires the \fBadd\fP privilege.
|
|
jpayne@68
|
758 .sp
|
|
jpayne@68
|
759 Alias: \fBaddpol\fP
|
|
jpayne@68
|
760 .sp
|
|
jpayne@68
|
761 The following options are available:
|
|
jpayne@68
|
762 .INDENT 0.0
|
|
jpayne@68
|
763 .TP
|
|
jpayne@68
|
764 \fB\-maxlife\fP \fItime\fP
|
|
jpayne@68
|
765 (duration or getdate string) Sets the maximum
|
|
jpayne@68
|
766 lifetime of a password.
|
|
jpayne@68
|
767 .TP
|
|
jpayne@68
|
768 \fB\-minlife\fP \fItime\fP
|
|
jpayne@68
|
769 (duration or getdate string) Sets the minimum
|
|
jpayne@68
|
770 lifetime of a password.
|
|
jpayne@68
|
771 .TP
|
|
jpayne@68
|
772 \fB\-minlength\fP \fIlength\fP
|
|
jpayne@68
|
773 Sets the minimum length of a password.
|
|
jpayne@68
|
774 .TP
|
|
jpayne@68
|
775 \fB\-minclasses\fP \fInumber\fP
|
|
jpayne@68
|
776 Sets the minimum number of character classes required in a
|
|
jpayne@68
|
777 password. The five character classes are lower case, upper case,
|
|
jpayne@68
|
778 numbers, punctuation, and whitespace/unprintable characters.
|
|
jpayne@68
|
779 .TP
|
|
jpayne@68
|
780 \fB\-history\fP \fInumber\fP
|
|
jpayne@68
|
781 Sets the number of past keys kept for a principal. This option is
|
|
jpayne@68
|
782 not supported with the LDAP KDC database module.
|
|
jpayne@68
|
783 .UNINDENT
|
|
jpayne@68
|
784 .INDENT 0.0
|
|
jpayne@68
|
785 .TP
|
|
jpayne@68
|
786 \fB\-maxfailure\fP \fImaxnumber\fP
|
|
jpayne@68
|
787 Sets the number of authentication failures before the principal is
|
|
jpayne@68
|
788 locked. Authentication failures are only tracked for principals
|
|
jpayne@68
|
789 which require preauthentication. The counter of failed attempts
|
|
jpayne@68
|
790 resets to 0 after a successful attempt to authenticate. A
|
|
jpayne@68
|
791 \fImaxnumber\fP value of 0 (the default) disables lockout.
|
|
jpayne@68
|
792 .UNINDENT
|
|
jpayne@68
|
793 .INDENT 0.0
|
|
jpayne@68
|
794 .TP
|
|
jpayne@68
|
795 \fB\-failurecountinterval\fP \fIfailuretime\fP
|
|
jpayne@68
|
796 (duration or getdate string) Sets the allowable time
|
|
jpayne@68
|
797 between authentication failures. If an authentication failure
|
|
jpayne@68
|
798 happens after \fIfailuretime\fP has elapsed since the previous
|
|
jpayne@68
|
799 failure, the number of authentication failures is reset to 1. A
|
|
jpayne@68
|
800 \fIfailuretime\fP value of 0 (the default) means forever.
|
|
jpayne@68
|
801 .UNINDENT
|
|
jpayne@68
|
802 .INDENT 0.0
|
|
jpayne@68
|
803 .TP
|
|
jpayne@68
|
804 \fB\-lockoutduration\fP \fIlockouttime\fP
|
|
jpayne@68
|
805 (duration or getdate string) Sets the duration for
|
|
jpayne@68
|
806 which the principal is locked from authenticating if too many
|
|
jpayne@68
|
807 authentication failures occur without the specified failure count
|
|
jpayne@68
|
808 interval elapsing. A duration of 0 (the default) means the
|
|
jpayne@68
|
809 principal remains locked out until it is administratively unlocked
|
|
jpayne@68
|
810 with \fBmodprinc \-unlock\fP\&.
|
|
jpayne@68
|
811 .TP
|
|
jpayne@68
|
812 \fB\-allowedkeysalts\fP
|
|
jpayne@68
|
813 Specifies the key/salt tuples supported for long\-term keys when
|
|
jpayne@68
|
814 setting or changing a principal\(aqs password/keys. See
|
|
jpayne@68
|
815 Keysalt_lists in kdc.conf(5) for a list of the
|
|
jpayne@68
|
816 accepted values, but note that key/salt tuples must be separated
|
|
jpayne@68
|
817 with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
|
|
jpayne@68
|
818 a value of \(aq\-\(aq.
|
|
jpayne@68
|
819 .UNINDENT
|
|
jpayne@68
|
820 .sp
|
|
jpayne@68
|
821 Example:
|
|
jpayne@68
|
822 .INDENT 0.0
|
|
jpayne@68
|
823 .INDENT 3.5
|
|
jpayne@68
|
824 .sp
|
|
jpayne@68
|
825 .nf
|
|
jpayne@68
|
826 .ft C
|
|
jpayne@68
|
827 kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
|
|
jpayne@68
|
828 kadmin:
|
|
jpayne@68
|
829 .ft P
|
|
jpayne@68
|
830 .fi
|
|
jpayne@68
|
831 .UNINDENT
|
|
jpayne@68
|
832 .UNINDENT
|
|
jpayne@68
|
833 .SS modify_policy
|
|
jpayne@68
|
834 .INDENT 0.0
|
|
jpayne@68
|
835 .INDENT 3.5
|
|
jpayne@68
|
836 \fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
|
|
jpayne@68
|
837 .UNINDENT
|
|
jpayne@68
|
838 .UNINDENT
|
|
jpayne@68
|
839 .sp
|
|
jpayne@68
|
840 Modifies the password policy named \fIpolicy\fP\&. Options are as described
|
|
jpayne@68
|
841 for \fBadd_policy\fP\&.
|
|
jpayne@68
|
842 .sp
|
|
jpayne@68
|
843 This command requires the \fBmodify\fP privilege.
|
|
jpayne@68
|
844 .sp
|
|
jpayne@68
|
845 Alias: \fBmodpol\fP
|
|
jpayne@68
|
846 .SS delete_policy
|
|
jpayne@68
|
847 .INDENT 0.0
|
|
jpayne@68
|
848 .INDENT 3.5
|
|
jpayne@68
|
849 \fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
|
|
jpayne@68
|
850 .UNINDENT
|
|
jpayne@68
|
851 .UNINDENT
|
|
jpayne@68
|
852 .sp
|
|
jpayne@68
|
853 Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation
|
|
jpayne@68
|
854 before deletion. The command will fail if the policy is in use by any
|
|
jpayne@68
|
855 principals.
|
|
jpayne@68
|
856 .sp
|
|
jpayne@68
|
857 This command requires the \fBdelete\fP privilege.
|
|
jpayne@68
|
858 .sp
|
|
jpayne@68
|
859 Alias: \fBdelpol\fP
|
|
jpayne@68
|
860 .sp
|
|
jpayne@68
|
861 Example:
|
|
jpayne@68
|
862 .INDENT 0.0
|
|
jpayne@68
|
863 .INDENT 3.5
|
|
jpayne@68
|
864 .sp
|
|
jpayne@68
|
865 .nf
|
|
jpayne@68
|
866 .ft C
|
|
jpayne@68
|
867 kadmin: del_policy guests
|
|
jpayne@68
|
868 Are you sure you want to delete the policy "guests"?
|
|
jpayne@68
|
869 (yes/no): yes
|
|
jpayne@68
|
870 kadmin:
|
|
jpayne@68
|
871 .ft P
|
|
jpayne@68
|
872 .fi
|
|
jpayne@68
|
873 .UNINDENT
|
|
jpayne@68
|
874 .UNINDENT
|
|
jpayne@68
|
875 .SS get_policy
|
|
jpayne@68
|
876 .INDENT 0.0
|
|
jpayne@68
|
877 .INDENT 3.5
|
|
jpayne@68
|
878 \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
|
|
jpayne@68
|
879 .UNINDENT
|
|
jpayne@68
|
880 .UNINDENT
|
|
jpayne@68
|
881 .sp
|
|
jpayne@68
|
882 Displays the values of the password policy named \fIpolicy\fP\&. With the
|
|
jpayne@68
|
883 \fB\-terse\fP flag, outputs the fields as quoted strings separated by
|
|
jpayne@68
|
884 tabs.
|
|
jpayne@68
|
885 .sp
|
|
jpayne@68
|
886 This command requires the \fBinquire\fP privilege.
|
|
jpayne@68
|
887 .sp
|
|
jpayne@68
|
888 Alias: \fBgetpol\fP
|
|
jpayne@68
|
889 .sp
|
|
jpayne@68
|
890 Examples:
|
|
jpayne@68
|
891 .INDENT 0.0
|
|
jpayne@68
|
892 .INDENT 3.5
|
|
jpayne@68
|
893 .sp
|
|
jpayne@68
|
894 .nf
|
|
jpayne@68
|
895 .ft C
|
|
jpayne@68
|
896 kadmin: get_policy admin
|
|
jpayne@68
|
897 Policy: admin
|
|
jpayne@68
|
898 Maximum password life: 180 days 00:00:00
|
|
jpayne@68
|
899 Minimum password life: 00:00:00
|
|
jpayne@68
|
900 Minimum password length: 6
|
|
jpayne@68
|
901 Minimum number of password character classes: 2
|
|
jpayne@68
|
902 Number of old keys kept: 5
|
|
jpayne@68
|
903 Reference count: 17
|
|
jpayne@68
|
904
|
|
jpayne@68
|
905 kadmin: get_policy \-terse admin
|
|
jpayne@68
|
906 admin 15552000 0 6 2 5 17
|
|
jpayne@68
|
907 kadmin:
|
|
jpayne@68
|
908 .ft P
|
|
jpayne@68
|
909 .fi
|
|
jpayne@68
|
910 .UNINDENT
|
|
jpayne@68
|
911 .UNINDENT
|
|
jpayne@68
|
912 .sp
|
|
jpayne@68
|
913 The "Reference count" is the number of principals using that policy.
|
|
jpayne@68
|
914 With the LDAP KDC database module, the reference count field is not
|
|
jpayne@68
|
915 meaningful.
|
|
jpayne@68
|
916 .SS list_policies
|
|
jpayne@68
|
917 .INDENT 0.0
|
|
jpayne@68
|
918 .INDENT 3.5
|
|
jpayne@68
|
919 \fBlist_policies\fP [\fIexpression\fP]
|
|
jpayne@68
|
920 .UNINDENT
|
|
jpayne@68
|
921 .UNINDENT
|
|
jpayne@68
|
922 .sp
|
|
jpayne@68
|
923 Retrieves all or some policy names. \fIexpression\fP is a shell\-style
|
|
jpayne@68
|
924 glob expression that can contain the wild\-card characters \fB?\fP,
|
|
jpayne@68
|
925 \fB*\fP, and \fB[]\fP\&. All policy names matching the expression are
|
|
jpayne@68
|
926 printed. If no expression is provided, all existing policy names are
|
|
jpayne@68
|
927 printed.
|
|
jpayne@68
|
928 .sp
|
|
jpayne@68
|
929 This command requires the \fBlist\fP privilege.
|
|
jpayne@68
|
930 .sp
|
|
jpayne@68
|
931 Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
|
|
jpayne@68
|
932 .sp
|
|
jpayne@68
|
933 Examples:
|
|
jpayne@68
|
934 .INDENT 0.0
|
|
jpayne@68
|
935 .INDENT 3.5
|
|
jpayne@68
|
936 .sp
|
|
jpayne@68
|
937 .nf
|
|
jpayne@68
|
938 .ft C
|
|
jpayne@68
|
939 kadmin: listpols
|
|
jpayne@68
|
940 test\-pol
|
|
jpayne@68
|
941 dict\-only
|
|
jpayne@68
|
942 once\-a\-min
|
|
jpayne@68
|
943 test\-pol\-nopw
|
|
jpayne@68
|
944
|
|
jpayne@68
|
945 kadmin: listpols t*
|
|
jpayne@68
|
946 test\-pol
|
|
jpayne@68
|
947 test\-pol\-nopw
|
|
jpayne@68
|
948 kadmin:
|
|
jpayne@68
|
949 .ft P
|
|
jpayne@68
|
950 .fi
|
|
jpayne@68
|
951 .UNINDENT
|
|
jpayne@68
|
952 .UNINDENT
|
|
jpayne@68
|
953 .SS ktadd
|
|
jpayne@68
|
954 .INDENT 0.0
|
|
jpayne@68
|
955 .INDENT 3.5
|
|
jpayne@68
|
956 .nf
|
|
jpayne@68
|
957 \fBktadd\fP [options] \fIprincipal\fP
|
|
jpayne@68
|
958 \fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
|
|
jpayne@68
|
959 .fi
|
|
jpayne@68
|
960 .sp
|
|
jpayne@68
|
961 .UNINDENT
|
|
jpayne@68
|
962 .UNINDENT
|
|
jpayne@68
|
963 .sp
|
|
jpayne@68
|
964 Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
|
|
jpayne@68
|
965 keytab file. Each principal\(aqs keys are randomized in the process.
|
|
jpayne@68
|
966 The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
|
|
jpayne@68
|
967 command.
|
|
jpayne@68
|
968 .sp
|
|
jpayne@68
|
969 This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
|
|
jpayne@68
|
970 With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
|
|
jpayne@68
|
971 .sp
|
|
jpayne@68
|
972 The options are:
|
|
jpayne@68
|
973 .INDENT 0.0
|
|
jpayne@68
|
974 .TP
|
|
jpayne@68
|
975 \fB\-k[eytab]\fP \fIkeytab\fP
|
|
jpayne@68
|
976 Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
|
|
jpayne@68
|
977 used.
|
|
jpayne@68
|
978 .TP
|
|
jpayne@68
|
979 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
|
|
jpayne@68
|
980 Uses the specified keysalt list for setting the new keys of the
|
|
jpayne@68
|
981 principal. See Keysalt_lists in kdc.conf(5) for a
|
|
jpayne@68
|
982 list of possible values.
|
|
jpayne@68
|
983 .TP
|
|
jpayne@68
|
984 \fB\-q\fP
|
|
jpayne@68
|
985 Display less verbose information.
|
|
jpayne@68
|
986 .TP
|
|
jpayne@68
|
987 \fB\-norandkey\fP
|
|
jpayne@68
|
988 Do not randomize the keys. The keys and their version numbers stay
|
|
jpayne@68
|
989 unchanged. This option cannot be specified in combination with the
|
|
jpayne@68
|
990 \fB\-e\fP option.
|
|
jpayne@68
|
991 .UNINDENT
|
|
jpayne@68
|
992 .sp
|
|
jpayne@68
|
993 An entry for each of the principal\(aqs unique encryption types is added,
|
|
jpayne@68
|
994 ignoring multiple keys with the same encryption type but different
|
|
jpayne@68
|
995 salt types.
|
|
jpayne@68
|
996 .sp
|
|
jpayne@68
|
997 Alias: \fBxst\fP
|
|
jpayne@68
|
998 .sp
|
|
jpayne@68
|
999 Example:
|
|
jpayne@68
|
1000 .INDENT 0.0
|
|
jpayne@68
|
1001 .INDENT 3.5
|
|
jpayne@68
|
1002 .sp
|
|
jpayne@68
|
1003 .nf
|
|
jpayne@68
|
1004 .ft C
|
|
jpayne@68
|
1005 kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
|
|
jpayne@68
|
1006 Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
|
|
jpayne@68
|
1007 encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
|
|
jpayne@68
|
1008 FILE:/tmp/foo\-new\-keytab
|
|
jpayne@68
|
1009 kadmin:
|
|
jpayne@68
|
1010 .ft P
|
|
jpayne@68
|
1011 .fi
|
|
jpayne@68
|
1012 .UNINDENT
|
|
jpayne@68
|
1013 .UNINDENT
|
|
jpayne@68
|
1014 .SS ktremove
|
|
jpayne@68
|
1015 .INDENT 0.0
|
|
jpayne@68
|
1016 .INDENT 3.5
|
|
jpayne@68
|
1017 \fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
|
|
jpayne@68
|
1018 .UNINDENT
|
|
jpayne@68
|
1019 .UNINDENT
|
|
jpayne@68
|
1020 .sp
|
|
jpayne@68
|
1021 Removes entries for the specified \fIprincipal\fP from a keytab. Requires
|
|
jpayne@68
|
1022 no permissions, since this does not require database access.
|
|
jpayne@68
|
1023 .sp
|
|
jpayne@68
|
1024 If the string "all" is specified, all entries for that principal are
|
|
jpayne@68
|
1025 removed; if the string "old" is specified, all entries for that
|
|
jpayne@68
|
1026 principal except those with the highest kvno are removed. Otherwise,
|
|
jpayne@68
|
1027 the value specified is parsed as an integer, and all entries whose
|
|
jpayne@68
|
1028 kvno match that integer are removed.
|
|
jpayne@68
|
1029 .sp
|
|
jpayne@68
|
1030 The options are:
|
|
jpayne@68
|
1031 .INDENT 0.0
|
|
jpayne@68
|
1032 .TP
|
|
jpayne@68
|
1033 \fB\-k[eytab]\fP \fIkeytab\fP
|
|
jpayne@68
|
1034 Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
|
|
jpayne@68
|
1035 used.
|
|
jpayne@68
|
1036 .TP
|
|
jpayne@68
|
1037 \fB\-q\fP
|
|
jpayne@68
|
1038 Display less verbose information.
|
|
jpayne@68
|
1039 .UNINDENT
|
|
jpayne@68
|
1040 .sp
|
|
jpayne@68
|
1041 Alias: \fBktrem\fP
|
|
jpayne@68
|
1042 .sp
|
|
jpayne@68
|
1043 Example:
|
|
jpayne@68
|
1044 .INDENT 0.0
|
|
jpayne@68
|
1045 .INDENT 3.5
|
|
jpayne@68
|
1046 .sp
|
|
jpayne@68
|
1047 .nf
|
|
jpayne@68
|
1048 .ft C
|
|
jpayne@68
|
1049 kadmin: ktremove kadmin/admin all
|
|
jpayne@68
|
1050 Entry for principal kadmin/admin with kvno 3 removed from keytab
|
|
jpayne@68
|
1051 FILE:/etc/krb5.keytab
|
|
jpayne@68
|
1052 kadmin:
|
|
jpayne@68
|
1053 .ft P
|
|
jpayne@68
|
1054 .fi
|
|
jpayne@68
|
1055 .UNINDENT
|
|
jpayne@68
|
1056 .UNINDENT
|
|
jpayne@68
|
1057 .SS lock
|
|
jpayne@68
|
1058 .sp
|
|
jpayne@68
|
1059 Lock database exclusively. Use with extreme caution! This command
|
|
jpayne@68
|
1060 only works with the DB2 KDC database module.
|
|
jpayne@68
|
1061 .SS unlock
|
|
jpayne@68
|
1062 .sp
|
|
jpayne@68
|
1063 Release the exclusive database lock.
|
|
jpayne@68
|
1064 .SS list_requests
|
|
jpayne@68
|
1065 .sp
|
|
jpayne@68
|
1066 Lists available for kadmin requests.
|
|
jpayne@68
|
1067 .sp
|
|
jpayne@68
|
1068 Aliases: \fBlr\fP, \fB?\fP
|
|
jpayne@68
|
1069 .SS quit
|
|
jpayne@68
|
1070 .sp
|
|
jpayne@68
|
1071 Exit program. If the database was locked, the lock is released.
|
|
jpayne@68
|
1072 .sp
|
|
jpayne@68
|
1073 Aliases: \fBexit\fP, \fBq\fP
|
|
jpayne@68
|
1074 .SH HISTORY
|
|
jpayne@68
|
1075 .sp
|
|
jpayne@68
|
1076 The kadmin program was originally written by Tom Yu at MIT, as an
|
|
jpayne@68
|
1077 interface to the OpenVision Kerberos administration program.
|
|
jpayne@68
|
1078 .SH ENVIRONMENT
|
|
jpayne@68
|
1079 .sp
|
|
jpayne@68
|
1080 See kerberos(7) for a description of Kerberos environment
|
|
jpayne@68
|
1081 variables.
|
|
jpayne@68
|
1082 .SH SEE ALSO
|
|
jpayne@68
|
1083 .sp
|
|
jpayne@68
|
1084 kpasswd(1), kadmind(8), kerberos(7)
|
|
jpayne@68
|
1085 .SH AUTHOR
|
|
jpayne@68
|
1086 MIT
|
|
jpayne@68
|
1087 .SH COPYRIGHT
|
|
jpayne@68
|
1088 1985-2022, MIT
|
|
jpayne@68
|
1089 .\" Generated by docutils manpage writer.
|
|
jpayne@68
|
1090 .
|
