Mercurial > repos > rliterman > csp2

annotate CSP2/CSP2_env/env-d9b9114564458d9d-741b3de822f2aaca6c6caa4325c4afce/share/man/man8/kdb5_util.8 @ 68:5028fdace37b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
planemo upload commit 2e9511a184a1ca667c7be0c6321a36dc4e3d116d
author jpayne
date Tue, 18 Mar 2025 16:23:26 -0400
parents
children
rev   line source
jpayne@68 1 .\" Man page generated from reStructuredText.
jpayne@68 2 .
jpayne@68 3 .TH "KDB5_UTIL" "8" " " "1.20.1" "MIT Kerberos"
jpayne@68 4 .SH NAME
jpayne@68 5 kdb5_util \- Kerberos database maintenance utility
jpayne@68 6 .
jpayne@68 7 .nr rst2man-indent-level 0
jpayne@68 8 .
jpayne@68 9 .de1 rstReportMargin
jpayne@68 10 \\$1 \\n[an-margin]
jpayne@68 11 level \\n[rst2man-indent-level]
jpayne@68 12 level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
jpayne@68 13 -
jpayne@68 14 \\n[rst2man-indent0]
jpayne@68 15 \\n[rst2man-indent1]
jpayne@68 16 \\n[rst2man-indent2]
jpayne@68 17 ..
jpayne@68 18 .de1 INDENT
jpayne@68 19 .\" .rstReportMargin pre:
jpayne@68 20 . RS \\$1
jpayne@68 21 . nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
jpayne@68 22 . nr rst2man-indent-level +1
jpayne@68 23 .\" .rstReportMargin post:
jpayne@68 24 ..
jpayne@68 25 .de UNINDENT
jpayne@68 26 . RE
jpayne@68 27 .\" indent \\n[an-margin]
jpayne@68 28 .\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
jpayne@68 29 .nr rst2man-indent-level -1
jpayne@68 30 .\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
jpayne@68 31 .in \\n[rst2man-indent\\n[rst2man-indent-level]]u
jpayne@68 32 ..
jpayne@68 33 .SH SYNOPSIS
jpayne@68 34 .sp
jpayne@68 35 \fBkdb5_util\fP
jpayne@68 36 [\fB\-r\fP \fIrealm\fP]
jpayne@68 37 [\fB\-d\fP \fIdbname\fP]
jpayne@68 38 [\fB\-k\fP \fImkeytype\fP]
jpayne@68 39 [\fB\-kv\fP \fImkeyVNO\fP]
jpayne@68 40 [\fB\-M\fP \fImkeyname\fP]
jpayne@68 41 [\fB\-m\fP]
jpayne@68 42 [\fB\-sf\fP \fIstashfilename\fP]
jpayne@68 43 [\fB\-P\fP \fIpassword\fP]
jpayne@68 44 [\fB\-x\fP \fIdb_args\fP]
jpayne@68 45 \fIcommand\fP [\fIcommand_options\fP]
jpayne@68 46 .SH DESCRIPTION
jpayne@68 47 .sp
jpayne@68 48 kdb5_util allows an administrator to perform maintenance procedures on
jpayne@68 49 the KDC database. Databases can be created, destroyed, and dumped to
jpayne@68 50 or loaded from ASCII files. kdb5_util can create a Kerberos master
jpayne@68 51 key stash file or perform live rollover of the master key.
jpayne@68 52 .sp
jpayne@68 53 When kdb5_util is run, it attempts to acquire the master key and open
jpayne@68 54 the database. However, execution continues regardless of whether or
jpayne@68 55 not kdb5_util successfully opens the database, because the database
jpayne@68 56 may not exist yet or the stash file may be corrupt.
jpayne@68 57 .sp
jpayne@68 58 Note that some KDC database modules may not support all kdb5_util
jpayne@68 59 commands.
jpayne@68 60 .SH COMMAND-LINE OPTIONS
jpayne@68 61 .INDENT 0.0
jpayne@68 62 .TP
jpayne@68 63 \fB\-r\fP \fIrealm\fP
jpayne@68 64 specifies the Kerberos realm of the database.
jpayne@68 65 .TP
jpayne@68 66 \fB\-d\fP \fIdbname\fP
jpayne@68 67 specifies the name under which the principal database is stored;
jpayne@68 68 by default the database is that listed in kdc.conf(5)\&. The
jpayne@68 69 password policy database and lock files are also derived from this
jpayne@68 70 value.
jpayne@68 71 .TP
jpayne@68 72 \fB\-k\fP \fImkeytype\fP
jpayne@68 73 specifies the key type of the master key in the database. The
jpayne@68 74 default is given by the \fBmaster_key_type\fP variable in
jpayne@68 75 kdc.conf(5)\&.
jpayne@68 76 .TP
jpayne@68 77 \fB\-kv\fP \fImkeyVNO\fP
jpayne@68 78 Specifies the version number of the master key in the database;
jpayne@68 79 the default is 1. Note that 0 is not allowed.
jpayne@68 80 .TP
jpayne@68 81 \fB\-M\fP \fImkeyname\fP
jpayne@68 82 principal name for the master key in the database. If not
jpayne@68 83 specified, the name is determined by the \fBmaster_key_name\fP
jpayne@68 84 variable in kdc.conf(5)\&.
jpayne@68 85 .TP
jpayne@68 86 \fB\-m\fP
jpayne@68 87 specifies that the master database password should be read from
jpayne@68 88 the keyboard rather than fetched from a file on disk.
jpayne@68 89 .TP
jpayne@68 90 \fB\-sf\fP \fIstash_file\fP
jpayne@68 91 specifies the stash filename of the master database password. If
jpayne@68 92 not specified, the filename is determined by the
jpayne@68 93 \fBkey_stash_file\fP variable in kdc.conf(5)\&.
jpayne@68 94 .TP
jpayne@68 95 \fB\-P\fP \fIpassword\fP
jpayne@68 96 specifies the master database password. Using this option may
jpayne@68 97 expose the password to other users on the system via the process
jpayne@68 98 list.
jpayne@68 99 .TP
jpayne@68 100 \fB\-x\fP \fIdb_args\fP
jpayne@68 101 specifies database\-specific options. See kadmin(1) for
jpayne@68 102 supported options.
jpayne@68 103 .UNINDENT
jpayne@68 104 .SH COMMANDS
jpayne@68 105 .SS create
jpayne@68 106 .INDENT 0.0
jpayne@68 107 .INDENT 3.5
jpayne@68 108 \fBcreate\fP [\fB\-s\fP]
jpayne@68 109 .UNINDENT
jpayne@68 110 .UNINDENT
jpayne@68 111 .sp
jpayne@68 112 Creates a new database. If the \fB\-s\fP option is specified, the stash
jpayne@68 113 file is also created. This command fails if the database already
jpayne@68 114 exists. If the command is successful, the database is opened just as
jpayne@68 115 if it had already existed when the program was first run.
jpayne@68 116 .SS destroy
jpayne@68 117 .INDENT 0.0
jpayne@68 118 .INDENT 3.5
jpayne@68 119 \fBdestroy\fP [\fB\-f\fP]
jpayne@68 120 .UNINDENT
jpayne@68 121 .UNINDENT
jpayne@68 122 .sp
jpayne@68 123 Destroys the database, first overwriting the disk sectors and then
jpayne@68 124 unlinking the files, after prompting the user for confirmation. With
jpayne@68 125 the \fB\-f\fP argument, does not prompt the user.
jpayne@68 126 .SS stash
jpayne@68 127 .INDENT 0.0
jpayne@68 128 .INDENT 3.5
jpayne@68 129 \fBstash\fP [\fB\-f\fP \fIkeyfile\fP]
jpayne@68 130 .UNINDENT
jpayne@68 131 .UNINDENT
jpayne@68 132 .sp
jpayne@68 133 Stores the master principal\(aqs keys in a stash file. The \fB\-f\fP
jpayne@68 134 argument can be used to override the \fIkeyfile\fP specified in
jpayne@68 135 kdc.conf(5)\&.
jpayne@68 136 .SS dump
jpayne@68 137 .INDENT 0.0
jpayne@68 138 .INDENT 3.5
jpayne@68 139 \fBdump\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP]
jpayne@68 140 [\fB\-verbose\fP] [\fB\-mkey_convert\fP] [\fB\-new_mkey_file\fP
jpayne@68 141 \fImkey_file\fP] [\fB\-rev\fP] [\fB\-recurse\fP] [\fIfilename\fP
jpayne@68 142 [\fIprincipals\fP\&...]]
jpayne@68 143 .UNINDENT
jpayne@68 144 .UNINDENT
jpayne@68 145 .sp
jpayne@68 146 Dumps the current Kerberos and KADM5 database into an ASCII file. By
jpayne@68 147 default, the database is dumped in current format, "kdb5_util
jpayne@68 148 load_dump version 7". If filename is not specified, or is the string
jpayne@68 149 "\-", the dump is sent to standard output. Options:
jpayne@68 150 .INDENT 0.0
jpayne@68 151 .TP
jpayne@68 152 \fB\-b7\fP
jpayne@68 153 causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
jpayne@68 154 load_dump version 4"). This was the dump format produced on
jpayne@68 155 releases prior to 1.2.2.
jpayne@68 156 .TP
jpayne@68 157 \fB\-r13\fP
jpayne@68 158 causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
jpayne@68 159 load_dump version 5"). This was the dump format produced on
jpayne@68 160 releases prior to 1.8.
jpayne@68 161 .TP
jpayne@68 162 \fB\-r18\fP
jpayne@68 163 causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
jpayne@68 164 load_dump version 6"). This was the dump format produced on
jpayne@68 165 releases prior to 1.11.
jpayne@68 166 .TP
jpayne@68 167 \fB\-verbose\fP
jpayne@68 168 causes the name of each principal and policy to be printed as it
jpayne@68 169 is dumped.
jpayne@68 170 .TP
jpayne@68 171 \fB\-mkey_convert\fP
jpayne@68 172 prompts for a new master key. This new master key will be used to
jpayne@68 173 re\-encrypt principal key data in the dumpfile. The principal keys
jpayne@68 174 themselves will not be changed.
jpayne@68 175 .TP
jpayne@68 176 \fB\-new_mkey_file\fP \fImkey_file\fP
jpayne@68 177 the filename of a stash file. The master key in this stash file
jpayne@68 178 will be used to re\-encrypt the key data in the dumpfile. The key
jpayne@68 179 data in the database will not be changed.
jpayne@68 180 .TP
jpayne@68 181 \fB\-rev\fP
jpayne@68 182 dumps in reverse order. This may recover principals that do not
jpayne@68 183 dump normally, in cases where database corruption has occurred.
jpayne@68 184 .TP
jpayne@68 185 \fB\-recurse\fP
jpayne@68 186 causes the dump to walk the database recursively (btree only).
jpayne@68 187 This may recover principals that do not dump normally, in cases
jpayne@68 188 where database corruption has occurred. In cases of such
jpayne@68 189 corruption, this option will probably retrieve more principals
jpayne@68 190 than the \fB\-rev\fP option will.
jpayne@68 191 .sp
jpayne@68 192 Changed in version 1.15: Release 1.15 restored the functionality of the \fB\-recurse\fP
jpayne@68 193 option.
jpayne@68 194
jpayne@68 195 .sp
jpayne@68 196 Changed in version 1.5: The \fB\-recurse\fP option ceased working until release 1.15,
jpayne@68 197 doing a normal dump instead of a recursive traversal.
jpayne@68 198
jpayne@68 199 .UNINDENT
jpayne@68 200 .SS load
jpayne@68 201 .INDENT 0.0
jpayne@68 202 .INDENT 3.5
jpayne@68 203 \fBload\fP [\fB\-b7\fP|\fB\-r13\fP|\fB\-r18\fP] [\fB\-hash\fP]
jpayne@68 204 [\fB\-verbose\fP] [\fB\-update\fP] \fIfilename\fP
jpayne@68 205 .UNINDENT
jpayne@68 206 .UNINDENT
jpayne@68 207 .sp
jpayne@68 208 Loads a database dump from the named file into the named database. If
jpayne@68 209 no option is given to determine the format of the dump file, the
jpayne@68 210 format is detected automatically and handled as appropriate. Unless
jpayne@68 211 the \fB\-update\fP option is given, \fBload\fP creates a new database
jpayne@68 212 containing only the data in the dump file, overwriting the contents of
jpayne@68 213 any previously existing database. Note that when using the LDAP KDC
jpayne@68 214 database module, the \fB\-update\fP flag is required.
jpayne@68 215 .sp
jpayne@68 216 Options:
jpayne@68 217 .INDENT 0.0
jpayne@68 218 .TP
jpayne@68 219 \fB\-b7\fP
jpayne@68 220 requires the database to be in the Kerberos 5 Beta 7 format
jpayne@68 221 ("kdb5_util load_dump version 4"). This was the dump format
jpayne@68 222 produced on releases prior to 1.2.2.
jpayne@68 223 .TP
jpayne@68 224 \fB\-r13\fP
jpayne@68 225 requires the database to be in Kerberos 5 1.3 format ("kdb5_util
jpayne@68 226 load_dump version 5"). This was the dump format produced on
jpayne@68 227 releases prior to 1.8.
jpayne@68 228 .TP
jpayne@68 229 \fB\-r18\fP
jpayne@68 230 requires the database to be in Kerberos 5 1.8 format ("kdb5_util
jpayne@68 231 load_dump version 6"). This was the dump format produced on
jpayne@68 232 releases prior to 1.11.
jpayne@68 233 .TP
jpayne@68 234 \fB\-hash\fP
jpayne@68 235 stores the database in hash format, if using the DB2 database
jpayne@68 236 type. If this option is not specified, the database will be
jpayne@68 237 stored in btree format. This option is not recommended, as
jpayne@68 238 databases stored in hash format are known to corrupt data and lose
jpayne@68 239 principals.
jpayne@68 240 .TP
jpayne@68 241 \fB\-verbose\fP
jpayne@68 242 causes the name of each principal and policy to be printed as it
jpayne@68 243 is dumped.
jpayne@68 244 .TP
jpayne@68 245 \fB\-update\fP
jpayne@68 246 records from the dump file are added to or updated in the existing
jpayne@68 247 database. Otherwise, a new database is created containing only
jpayne@68 248 what is in the dump file and the old one destroyed upon successful
jpayne@68 249 completion.
jpayne@68 250 .UNINDENT
jpayne@68 251 .SS ark
jpayne@68 252 .INDENT 0.0
jpayne@68 253 .INDENT 3.5
jpayne@68 254 \fBark\fP [\fB\-e\fP \fIenc\fP:\fIsalt\fP,...] \fIprincipal\fP
jpayne@68 255 .UNINDENT
jpayne@68 256 .UNINDENT
jpayne@68 257 .sp
jpayne@68 258 Adds new random keys to \fIprincipal\fP at the next available key version
jpayne@68 259 number. Keys for the current highest key version number will be
jpayne@68 260 preserved. The \fB\-e\fP option specifies the list of encryption and
jpayne@68 261 salt types to be used for the new keys.
jpayne@68 262 .SS add_mkey
jpayne@68 263 .INDENT 0.0
jpayne@68 264 .INDENT 3.5
jpayne@68 265 \fBadd_mkey\fP [\fB\-e\fP \fIetype\fP] [\fB\-s\fP]
jpayne@68 266 .UNINDENT
jpayne@68 267 .UNINDENT
jpayne@68 268 .sp
jpayne@68 269 Adds a new master key to the master key principal, but does not mark
jpayne@68 270 it as active. Existing master keys will remain. The \fB\-e\fP option
jpayne@68 271 specifies the encryption type of the new master key; see
jpayne@68 272 Encryption_types in kdc.conf(5) for a list of possible
jpayne@68 273 values. The \fB\-s\fP option stashes the new master key in the stash
jpayne@68 274 file, which will be created if it doesn\(aqt already exist.
jpayne@68 275 .sp
jpayne@68 276 After a new master key is added, it should be propagated to replica
jpayne@68 277 servers via a manual or periodic invocation of kprop(8)\&. Then,
jpayne@68 278 the stash files on the replica servers should be updated with the
jpayne@68 279 kdb5_util \fBstash\fP command. Once those steps are complete, the key
jpayne@68 280 is ready to be marked active with the kdb5_util \fBuse_mkey\fP command.
jpayne@68 281 .SS use_mkey
jpayne@68 282 .INDENT 0.0
jpayne@68 283 .INDENT 3.5
jpayne@68 284 \fBuse_mkey\fP \fImkeyVNO\fP [\fItime\fP]
jpayne@68 285 .UNINDENT
jpayne@68 286 .UNINDENT
jpayne@68 287 .sp
jpayne@68 288 Sets the activation time of the master key specified by \fImkeyVNO\fP\&.
jpayne@68 289 Once a master key becomes active, it will be used to encrypt newly
jpayne@68 290 created principal keys. If no \fItime\fP argument is given, the current
jpayne@68 291 time is used, causing the specified master key version to become
jpayne@68 292 active immediately. The format for \fItime\fP is getdate string.
jpayne@68 293 .sp
jpayne@68 294 After a new master key becomes active, the kdb5_util
jpayne@68 295 \fBupdate_princ_encryption\fP command can be used to update all
jpayne@68 296 principal keys to be encrypted in the new master key.
jpayne@68 297 .SS list_mkeys
jpayne@68 298 .INDENT 0.0
jpayne@68 299 .INDENT 3.5
jpayne@68 300 \fBlist_mkeys\fP
jpayne@68 301 .UNINDENT
jpayne@68 302 .UNINDENT
jpayne@68 303 .sp
jpayne@68 304 List all master keys, from most recent to earliest, in the master key
jpayne@68 305 principal. The output will show the kvno, enctype, and salt type for
jpayne@68 306 each mkey, similar to the output of kadmin(1) \fBgetprinc\fP\&. A
jpayne@68 307 \fB*\fP following an mkey denotes the currently active master key.
jpayne@68 308 .SS purge_mkeys
jpayne@68 309 .INDENT 0.0
jpayne@68 310 .INDENT 3.5
jpayne@68 311 \fBpurge_mkeys\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
jpayne@68 312 .UNINDENT
jpayne@68 313 .UNINDENT
jpayne@68 314 .sp
jpayne@68 315 Delete master keys from the master key principal that are not used to
jpayne@68 316 protect any principals. This command can be used to remove old master
jpayne@68 317 keys all principal keys are protected by a newer master key.
jpayne@68 318 .INDENT 0.0
jpayne@68 319 .TP
jpayne@68 320 \fB\-f\fP
jpayne@68 321 does not prompt for confirmation.
jpayne@68 322 .TP
jpayne@68 323 \fB\-n\fP
jpayne@68 324 performs a dry run, showing master keys that would be purged, but
jpayne@68 325 not actually purging any keys.
jpayne@68 326 .TP
jpayne@68 327 \fB\-v\fP
jpayne@68 328 gives more verbose output.
jpayne@68 329 .UNINDENT
jpayne@68 330 .SS update_princ_encryption
jpayne@68 331 .INDENT 0.0
jpayne@68 332 .INDENT 3.5
jpayne@68 333 \fBupdate_princ_encryption\fP [\fB\-f\fP] [\fB\-n\fP] [\fB\-v\fP]
jpayne@68 334 [\fIprinc\-pattern\fP]
jpayne@68 335 .UNINDENT
jpayne@68 336 .UNINDENT
jpayne@68 337 .sp
jpayne@68 338 Update all principal records (or only those matching the
jpayne@68 339 \fIprinc\-pattern\fP glob pattern) to re\-encrypt the key data using the
jpayne@68 340 active database master key, if they are encrypted using a different
jpayne@68 341 version, and give a count at the end of the number of principals
jpayne@68 342 updated. If the \fB\-f\fP option is not given, ask for confirmation
jpayne@68 343 before starting to make changes. The \fB\-v\fP option causes each
jpayne@68 344 principal processed to be listed, with an indication as to whether it
jpayne@68 345 needed updating or not. The \fB\-n\fP option performs a dry run, only
jpayne@68 346 showing the actions which would have been taken.
jpayne@68 347 .SS tabdump
jpayne@68 348 .INDENT 0.0
jpayne@68 349 .INDENT 3.5
jpayne@68 350 \fBtabdump\fP [\fB\-H\fP] [\fB\-c\fP] [\fB\-e\fP] [\fB\-n\fP] [\fB\-o\fP \fIoutfile\fP]
jpayne@68 351 \fIdumptype\fP
jpayne@68 352 .UNINDENT
jpayne@68 353 .UNINDENT
jpayne@68 354 .sp
jpayne@68 355 Dump selected fields of the database in a tabular format suitable for
jpayne@68 356 reporting (e.g., using traditional Unix text processing tools) or
jpayne@68 357 importing into relational databases. The data format is tab\-separated
jpayne@68 358 (default), or optionally comma\-separated (CSV), with a fixed number of
jpayne@68 359 columns. The output begins with a header line containing field names,
jpayne@68 360 unless suppression is requested using the \fB\-H\fP option.
jpayne@68 361 .sp
jpayne@68 362 The \fIdumptype\fP parameter specifies the name of an output table (see
jpayne@68 363 below).
jpayne@68 364 .sp
jpayne@68 365 Options:
jpayne@68 366 .INDENT 0.0
jpayne@68 367 .TP
jpayne@68 368 \fB\-H\fP
jpayne@68 369 suppress writing the field names in a header line
jpayne@68 370 .TP
jpayne@68 371 \fB\-c\fP
jpayne@68 372 use comma separated values (CSV) format, with minimal quoting,
jpayne@68 373 instead of the default tab\-separated (unquoted, unescaped) format
jpayne@68 374 .TP
jpayne@68 375 \fB\-e\fP
jpayne@68 376 write empty hexadecimal string fields as empty fields instead of
jpayne@68 377 as "\-1".
jpayne@68 378 .TP
jpayne@68 379 \fB\-n\fP
jpayne@68 380 produce numeric output for fields that normally have symbolic
jpayne@68 381 output, such as enctypes and flag names. Also requests output of
jpayne@68 382 time stamps as decimal POSIX time_t values.
jpayne@68 383 .TP
jpayne@68 384 \fB\-o\fP \fIoutfile\fP
jpayne@68 385 write the dump to the specified output file instead of to standard
jpayne@68 386 output
jpayne@68 387 .UNINDENT
jpayne@68 388 .sp
jpayne@68 389 Dump types:
jpayne@68 390 .INDENT 0.0
jpayne@68 391 .TP
jpayne@68 392 \fBkeydata\fP
jpayne@68 393 principal encryption key information, including actual key data
jpayne@68 394 (which is still encrypted in the master key)
jpayne@68 395 .INDENT 7.0
jpayne@68 396 .TP
jpayne@68 397 \fBname\fP
jpayne@68 398 principal name
jpayne@68 399 .TP
jpayne@68 400 \fBkeyindex\fP
jpayne@68 401 index of this key in the principal\(aqs key list
jpayne@68 402 .TP
jpayne@68 403 \fBkvno\fP
jpayne@68 404 key version number
jpayne@68 405 .TP
jpayne@68 406 \fBenctype\fP
jpayne@68 407 encryption type
jpayne@68 408 .TP
jpayne@68 409 \fBkey\fP
jpayne@68 410 key data as a hexadecimal string
jpayne@68 411 .TP
jpayne@68 412 \fBsalttype\fP
jpayne@68 413 salt type
jpayne@68 414 .TP
jpayne@68 415 \fBsalt\fP
jpayne@68 416 salt data as a hexadecimal string
jpayne@68 417 .UNINDENT
jpayne@68 418 .TP
jpayne@68 419 \fBkeyinfo\fP
jpayne@68 420 principal encryption key information (as in \fBkeydata\fP above),
jpayne@68 421 excluding actual key data
jpayne@68 422 .TP
jpayne@68 423 \fBprinc_flags\fP
jpayne@68 424 principal boolean attributes. Flag names print as hexadecimal
jpayne@68 425 numbers if the \fB\-n\fP option is specified, and all flag positions
jpayne@68 426 are printed regardless of whether or not they are set. If \fB\-n\fP
jpayne@68 427 is not specified, print all known flag names for each principal,
jpayne@68 428 but only print hexadecimal flag names if the corresponding flag is
jpayne@68 429 set.
jpayne@68 430 .INDENT 7.0
jpayne@68 431 .TP
jpayne@68 432 \fBname\fP
jpayne@68 433 principal name
jpayne@68 434 .TP
jpayne@68 435 \fBflag\fP
jpayne@68 436 flag name
jpayne@68 437 .TP
jpayne@68 438 \fBvalue\fP
jpayne@68 439 boolean value (0 for clear, or 1 for set)
jpayne@68 440 .UNINDENT
jpayne@68 441 .TP
jpayne@68 442 \fBprinc_lockout\fP
jpayne@68 443 state information used for tracking repeated password failures
jpayne@68 444 .INDENT 7.0
jpayne@68 445 .TP
jpayne@68 446 \fBname\fP
jpayne@68 447 principal name
jpayne@68 448 .TP
jpayne@68 449 \fBlast_success\fP
jpayne@68 450 time stamp of most recent successful authentication
jpayne@68 451 .TP
jpayne@68 452 \fBlast_failed\fP
jpayne@68 453 time stamp of most recent failed authentication
jpayne@68 454 .TP
jpayne@68 455 \fBfail_count\fP
jpayne@68 456 count of failed attempts
jpayne@68 457 .UNINDENT
jpayne@68 458 .TP
jpayne@68 459 \fBprinc_meta\fP
jpayne@68 460 principal metadata
jpayne@68 461 .INDENT 7.0
jpayne@68 462 .TP
jpayne@68 463 \fBname\fP
jpayne@68 464 principal name
jpayne@68 465 .TP
jpayne@68 466 \fBmodby\fP
jpayne@68 467 name of last principal to modify this principal
jpayne@68 468 .TP
jpayne@68 469 \fBmodtime\fP
jpayne@68 470 timestamp of last modification
jpayne@68 471 .TP
jpayne@68 472 \fBlastpwd\fP
jpayne@68 473 timestamp of last password change
jpayne@68 474 .TP
jpayne@68 475 \fBpolicy\fP
jpayne@68 476 policy object name
jpayne@68 477 .TP
jpayne@68 478 \fBmkvno\fP
jpayne@68 479 key version number of the master key that encrypts this
jpayne@68 480 principal\(aqs key data
jpayne@68 481 .TP
jpayne@68 482 \fBhist_kvno\fP
jpayne@68 483 key version number of the history key that encrypts the key
jpayne@68 484 history data for this principal
jpayne@68 485 .UNINDENT
jpayne@68 486 .TP
jpayne@68 487 \fBprinc_stringattrs\fP
jpayne@68 488 string attributes (key/value pairs)
jpayne@68 489 .INDENT 7.0
jpayne@68 490 .TP
jpayne@68 491 \fBname\fP
jpayne@68 492 principal name
jpayne@68 493 .TP
jpayne@68 494 \fBkey\fP
jpayne@68 495 attribute name
jpayne@68 496 .TP
jpayne@68 497 \fBvalue\fP
jpayne@68 498 attribute value
jpayne@68 499 .UNINDENT
jpayne@68 500 .TP
jpayne@68 501 \fBprinc_tktpolicy\fP
jpayne@68 502 per\-principal ticket policy data, including maximum ticket
jpayne@68 503 lifetimes
jpayne@68 504 .INDENT 7.0
jpayne@68 505 .TP
jpayne@68 506 \fBname\fP
jpayne@68 507 principal name
jpayne@68 508 .TP
jpayne@68 509 \fBexpiration\fP
jpayne@68 510 principal expiration date
jpayne@68 511 .TP
jpayne@68 512 \fBpw_expiration\fP
jpayne@68 513 password expiration date
jpayne@68 514 .TP
jpayne@68 515 \fBmax_life\fP
jpayne@68 516 maximum ticket lifetime
jpayne@68 517 .TP
jpayne@68 518 \fBmax_renew_life\fP
jpayne@68 519 maximum renewable ticket lifetime
jpayne@68 520 .UNINDENT
jpayne@68 521 .UNINDENT
jpayne@68 522 .sp
jpayne@68 523 Examples:
jpayne@68 524 .INDENT 0.0
jpayne@68 525 .INDENT 3.5
jpayne@68 526 .sp
jpayne@68 527 .nf
jpayne@68 528 .ft C
jpayne@68 529 $ kdb5_util tabdump \-o keyinfo.txt keyinfo
jpayne@68 530 $ cat keyinfo.txt
jpayne@68 531 name keyindex kvno enctype salttype salt
jpayne@68 532 K/M@EXAMPLE.COM 0 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
jpayne@68 533 foo@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
jpayne@68 534 bar@EXAMPLE.COM 0 1 aes128\-cts\-hmac\-sha1\-96 normal \-1
jpayne@68 535 $ sqlite3
jpayne@68 536 sqlite> .mode tabs
jpayne@68 537 sqlite> .import keyinfo.txt keyinfo
jpayne@68 538 sqlite> select * from keyinfo where enctype like \(aqaes256\-%\(aq;
jpayne@68 539 K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
jpayne@68 540 sqlite> .quit
jpayne@68 541 $ awk \-F\(aq\et\(aq \(aq$4 ~ /aes256\-/ { print }\(aq keyinfo.txt
jpayne@68 542 K/M@EXAMPLE.COM 1 1 aes256\-cts\-hmac\-sha384\-192 normal \-1
jpayne@68 543 .ft P
jpayne@68 544 .fi
jpayne@68 545 .UNINDENT
jpayne@68 546 .UNINDENT
jpayne@68 547 .SH ENVIRONMENT
jpayne@68 548 .sp
jpayne@68 549 See kerberos(7) for a description of Kerberos environment
jpayne@68 550 variables.
jpayne@68 551 .SH SEE ALSO
jpayne@68 552 .sp
jpayne@68 553 kadmin(1), kerberos(7)
jpayne@68 554 .SH AUTHOR
jpayne@68 555 MIT
jpayne@68 556 .SH COPYRIGHT
jpayne@68 557 1985-2022, MIT
jpayne@68 558 .\" Generated by docutils manpage writer.
jpayne@68 559 .