.\" Man page generated from reStructuredText.
.
.TH "KADMIN" "1" " " "1.20.1" "MIT Kerberos"
.SH NAME
kadmin \- Kerberos V5 database administration program
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.SH SYNOPSIS
.sp
\fBkadmin\fP
[\fB\-O\fP|\fB\-N\fP]
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
[\fB\-w\fP \fIpassword\fP]
[\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
[command args...]
.sp
\fBkadmin.local\fP
[\fB\-r\fP \fIrealm\fP]
[\fB\-p\fP \fIprincipal\fP]
[\fB\-q\fP \fIquery\fP]
[\fB\-d\fP \fIdbname\fP]
[\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
[\fB\-m\fP]
[\fB\-x\fP \fIdb_args\fP]
[command args...]
.SH DESCRIPTION
.sp
kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using kadmind(8)\&.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).
.sp
The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal \fBkadmin/admin\fP or \fBkadmin/ADMINHOST\fP
(where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
server). If the credentials cache contains a ticket for one of these
principals, and the \fB\-c\fP credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
\fB\-k\fP options are used to specify the client Kerberos principal name
used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.
.sp
Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.
.SH OPTIONS
.INDENT 0.0
.TP
\fB\-r\fP \fIrealm\fP
Use \fIrealm\fP as the default database realm.
.TP
\fB\-p\fP \fIprincipal\fP
Use \fIprincipal\fP to authenticate.
Otherwise, kadmin will append
\fB/admin\fP to the primary principal name of the default ccache,
the value of the \fBUSER\fP environment variable, or the username as
obtained with getpwuid, in order of preference.
.TP
\fB\-k\fP
Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
\fBhost/hostname\fP\&. If there is no keytab specified with the
\fB\-t\fP option, then the default keytab will be used.
.TP
\fB\-t\fP \fIkeytab\fP
Use \fIkeytab\fP to decrypt the KDC response. This can only be used
with the \fB\-k\fP option.
.TP
\fB\-n\fP
Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
of the form \fB@REALM\fP (an empty principal name followed by the
at\-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
supported; these realm\-exposed tickets hide the identity of the
client but not the client\(aqs realm. For this mode, use \fBkinit
\-n\fP with a normal principal name. If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.
.TP
\fB\-c\fP \fIcredentials_cache\fP
Use \fIcredentials_cache\fP as the credentials cache.
The cache
should contain a service ticket for the \fBkadmin/admin\fP or
\fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
hostname of the admin server) service; it can be acquired with the
kinit(1) program. If this option is not specified, kadmin
requests a new service ticket from the KDC, and stores it in its
own temporary ccache.
.TP
\fB\-w\fP \fIpassword\fP
Use \fIpassword\fP instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.
.TP
\fB\-q\fP \fIquery\fP
Perform the specified query and then exit.
.TP
\fB\-d\fP \fIdbname\fP
Specifies the name of the KDC database. This option does not
apply to the LDAP database module.
.TP
\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
Specifies the admin server which kadmin should contact.
.TP
\fB\-m\fP
If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.
.TP
\fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
Sets the keysalt list to be used for any new keys created. See
Keysalt_lists in kdc.conf(5) for a list of possible
values.
.TP
\fB\-O\fP
Force use of old AUTH_GSSAPI authentication flavor.
.TP
\fB\-N\fP
Prevent fallback to AUTH_GSSAPI authentication flavor.
.TP
\fB\-x\fP \fIdb_args\fP
Specifies the database\-specific arguments. See the next section
for supported options.
.UNINDENT
.sp
Starting with release 1.14, if any command\-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:
.INDENT 0.0
.IP \(bu 2
Query arguments are split by the shell, not by kadmin.
.IP \(bu 2
Informational and warning messages are suppressed. Error messages
and query output (e.g. for \fBget_principal\fP) will still be
displayed.
.IP \(bu 2
Confirmation prompts are disabled (as if \fB\-force\fP was given).
Password prompts will still be issued as required.
.IP \(bu 2
The exit status will be non\-zero if the query fails.
.UNINDENT
.sp
The \fB\-q\fP option does not carry these behavior differences; the query
will be processed as if it was entered interactively. The \fB\-q\fP
option cannot be used in combination with a query in the remaining
arguments.
.SH DATABASE OPTIONS
.sp
Database options can be used to override database\-specific defaults.
Supported options for the DB2 module are:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.TP
\fB\-x dbname=\fP\fIfilename\fP
Specifies the base filename of the DB2 database.
.TP
\fB\-x lockiter\fP
Make iteration operations hold the lock for the duration of
the entire operation, rather than temporarily releasing the
lock while handling each principal. This is the default
behavior, but this option exists to allow command line
override of a [dbmodules] setting. First introduced in
release 1.13.
.TP
\fB\-x unlockiter\fP
Make iteration operations unlock the database for each
principal, instead of holding the lock for the duration of the
entire operation. First introduced in release 1.13.
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Supported options for the LDAP module are:
.INDENT 0.0
.INDENT 3.5
.INDENT 0.0
.TP
\fB\-x host=\fP\fIldapuri\fP
Specifies the LDAP server to connect to by an LDAP URI.
.TP
\fB\-x binddn=\fP\fIbind_dn\fP
Specifies the DN used to bind to the LDAP server.
.TP
\fB\-x bindpwd=\fP\fIpassword\fP
Specifies the password or SASL secret used to bind to the LDAP
server. Using this option may expose the password to other
users on the system via the process list; to avoid this,
instead stash the password using the \fBstashsrvpw\fP command of
kdb5_ldap_util(8)\&.
.TP
\fB\-x sasl_mech=\fP\fImechanism\fP
Specifies the SASL mechanism used to bind to the LDAP server.
The bind DN is ignored if a SASL mechanism is used. New in
release 1.13.
.TP
\fB\-x sasl_authcid=\fP\fIname\fP
Specifies the authentication name used when binding to the
LDAP server with a SASL mechanism, if the mechanism requires
one. New in release 1.13.
.TP
\fB\-x sasl_authzid=\fP\fIname\fP
Specifies the authorization name used when binding to the LDAP
server with a SASL mechanism. New in release 1.13.
.TP
\fB\-x sasl_realm=\fP\fIrealm\fP
Specifies the realm used when binding to the LDAP server with
a SASL mechanism, if the mechanism uses one. New in release
1.13.
.TP
\fB\-x debug=\fP\fIlevel\fP
Sets the OpenLDAP client library debug level. \fIlevel\fP is an
integer to be interpreted by the library. Debugging messages
are printed to standard error. New in release 1.12.
.UNINDENT
.UNINDENT
.UNINDENT
.SH COMMANDS
.sp
When using the remote client, available commands may be restricted
according to the privileges specified in the kadm5.acl(5) file
on the admin server.
.SS add_principal
.INDENT 0.0
.INDENT 3.5
\fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
.UNINDENT
.UNINDENT
.sp
Creates the principal \fInewprinc\fP, prompting twice for a password. If
no password policy is specified with the \fB\-policy\fP option, the
policy named \fBdefault\fP is assigned to the principal if it exists.
However, creating a policy named \fBdefault\fP will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the \fB\-clearpolicy\fP option.
.sp
This command requires the \fBadd\fP privilege.
.sp
Aliases: \fBaddprinc\fP, \fBank\fP
.sp
Options:
.INDENT 0.0
.TP
\fB\-expire\fP \fIexpdate\fP
(getdate string) The expiration date of the principal.
.TP
\fB\-pwexpire\fP \fIpwexpdate\fP
(getdate string) The password expiration date.
.TP
\fB\-maxlife\fP \fImaxlife\fP
(duration or getdate string) The maximum ticket life
for the principal.
.TP
\fB\-maxrenewlife\fP \fImaxrenewlife\fP
(duration or getdate string) The maximum renewable
life of tickets for the principal.
.TP
\fB\-kvno\fP \fIkvno\fP
The initial key version number.
.TP
\fB\-policy\fP \fIpolicy\fP
The password policy used by this principal. If not specified, the
policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
is specified).
.TP
\fB\-clearpolicy\fP
Prevents any policy from being assigned when \fB\-policy\fP is not
specified.
.TP
{\-|+}\fBallow_postdated\fP
\fB\-allow_postdated\fP prohibits this principal from obtaining
postdated tickets. \fB+allow_postdated\fP clears this flag.
.TP
{\-|+}\fBallow_forwardable\fP
\fB\-allow_forwardable\fP prohibits this principal from obtaining
forwardable tickets. \fB+allow_forwardable\fP clears this flag.
.TP
{\-|+}\fBallow_renewable\fP
\fB\-allow_renewable\fP prohibits this principal from obtaining
renewable tickets. \fB+allow_renewable\fP clears this flag.
.TP
{\-|+}\fBallow_proxiable\fP
\fB\-allow_proxiable\fP prohibits this principal from obtaining
proxiable tickets. \fB+allow_proxiable\fP clears this flag.
.TP
{\-|+}\fBallow_dup_skey\fP
\fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
principal by prohibiting others from obtaining a service ticket
encrypted in this principal\(aqs TGT session key.
\fB+allow_dup_skey\fP clears this flag.
.TP
{\-|+}\fBrequires_preauth\fP
\fB+requires_preauth\fP requires this principal to preauthenticate
before being allowed to kinit. \fB\-requires_preauth\fP clears this
flag.
When \fB+requires_preauth\fP is set on a service principal,
the KDC will only issue service tickets for that service principal
if the client\(aqs initial authentication was performed using
preauthentication.
.TP
{\-|+}\fBrequires_hwauth\fP
\fB+requires_hwauth\fP requires this principal to preauthenticate
using a hardware device before being allowed to kinit.
\fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
set on a service principal, the KDC will only issue service tickets
for that service principal if the client\(aqs initial authentication was
performed using a hardware device to preauthenticate.
.TP
{\-|+}\fBok_as_delegate\fP
\fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
issued with this principal as the service. Clients may use this
flag as a hint that credentials should be delegated when
authenticating to the service. \fB\-ok_as_delegate\fP clears this
flag.
.TP
{\-|+}\fBallow_svr\fP
\fB\-allow_svr\fP prohibits the issuance of service tickets for this
principal. In release 1.17 and later, user\-to\-user service
tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is
also set. \fB+allow_svr\fP clears this flag.
.TP
{\-|+}\fBallow_tgs_req\fP
\fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
request for a service ticket for this principal is not permitted.
\fB+allow_tgs_req\fP clears this flag.
.TP
{\-|+}\fBallow_tix\fP
\fB\-allow_tix\fP forbids the issuance of any tickets for this
principal. \fB+allow_tix\fP clears this flag.
.TP
{\-|+}\fBneedchange\fP
\fB+needchange\fP forces a password change on the next initial
authentication to this principal. \fB\-needchange\fP clears this
flag.
.TP
{\-|+}\fBpassword_changing_service\fP
\fB+password_changing_service\fP marks this principal as a password
change service principal.
.TP
{\-|+}\fBok_to_auth_as_delegate\fP
\fB+ok_to_auth_as_delegate\fP allows this principal to acquire
forwardable tickets to itself from arbitrary users, for use with
constrained delegation.
.TP
{\-|+}\fBno_auth_data_required\fP
\fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
being added to service tickets for the principal.
.TP
{\-|+}\fBlockdown_keys\fP
\fB+lockdown_keys\fP prevents keys for this principal from leaving
the KDC via kadmind. The chpass and extract operations are denied
for a principal with this attribute. The chrand operation is
allowed, but will not return the new keys. The delete and rename
operations are also denied if this attribute is set, in order to
prevent a malicious administrator from replacing principals like
krbtgt/* or kadmin/* with new principals without the attribute.
This attribute can be set via the network protocol, but can only
be removed using kadmin.local.
.TP
\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
\fB\-nokey\fP
Causes the principal to be created with no key. New in release
1.12.
.TP
\fB\-pw\fP \fIpassword\fP
Sets the password of the principal to the specified string and
does not prompt for a password.
Note: using this option in a
shell script may expose the password to other users on the system
via the process list.
.TP
\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
\fB\-x\fP \fIdb_princ_args\fP
Indicates database\-specific options. The options for the LDAP
database module are:
.INDENT 7.0
.TP
\fB\-x dn=\fP\fIdn\fP
Specifies the LDAP object that will contain the Kerberos
principal being created.
.TP
\fB\-x linkdn=\fP\fIdn\fP
Specifies the LDAP object to which the newly created Kerberos
principal object will point.
.TP
\fB\-x containerdn=\fP\fIcontainer_dn\fP
Specifies the container object under which the Kerberos
principal is to be created.
.TP
\fB\-x tktpolicy=\fP\fIpolicy\fP
Associates a ticket policy with the Kerberos principal.
.UNINDENT
.sp
\fBNOTE:\fP
.INDENT 7.0
.INDENT 3.5
.INDENT 0.0
.IP \(bu 2
The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
specified with the \fBdn\fP option.
.IP \(bu 2
If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
adding the principal, the principals are created under the
principal container configured in the realm or the realm
container.
.IP \(bu 2
\fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
principal container configured in the realm.
.UNINDENT
.UNINDENT
.UNINDENT
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: addprinc jennifer
No policy specified for "jennifer@ATHENA.MIT.EDU";
defaulting to no policy.
Enter password for principal jennifer@ATHENA.MIT.EDU:
Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
Principal "jennifer@ATHENA.MIT.EDU" created.
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS modify_principal
.INDENT 0.0
.INDENT 3.5
\fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Modifies the specified principal, changing the fields as specified.
The options to \fBadd_principal\fP also apply to this command, except
for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
option \fB\-clearpolicy\fP will clear the current policy of a principal.
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBmodprinc\fP
.sp
Options (in addition to the \fBaddprinc\fP options):
.INDENT 0.0
.TP
\fB\-unlock\fP
Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.
.UNINDENT
.SS rename_principal
.INDENT 0.0
.INDENT 3.5
\fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
.UNINDENT
.UNINDENT
.sp
Renames the specified \fIold_principal\fP to \fInew_principal\fP\&.
This
command prompts for confirmation, unless the \fB\-force\fP option is
given.
.sp
This command requires the \fBadd\fP and \fBdelete\fP privileges.
.sp
Alias: \fBrenprinc\fP
.SS delete_principal
.INDENT 0.0
.INDENT 3.5
\fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Deletes the specified \fIprincipal\fP from the database. This command
prompts for confirmation, unless the \fB\-force\fP option is given.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelprinc\fP
.SS change_password
.INDENT 0.0
.INDENT 3.5
\fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Changes the password of \fIprincipal\fP\&. Prompts for a new password if
neither \fB\-randkey\fP nor \fB\-pw\fP is specified.
.sp
This command requires the \fBchangepw\fP privilege, or that the
principal running the program is the same as the principal being
changed.
.sp
Alias: \fBcpw\fP
.sp
The following options are available:
.INDENT 0.0
.TP
\fB\-randkey\fP
Sets the key of the principal to a random value.
.TP
\fB\-pw\fP \fIpassword\fP
Sets the password to the specified string. Using this option in a
script may expose the password to other users on the system via
the process list.
.TP
\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the keys of the
principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
\fB\-keepold\fP
Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for \fBkrbtgt\fP principals.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: cpw systest
Enter password for principal systest@BLEEP.COM:
Re\-enter password for principal systest@BLEEP.COM:
Password for systest@BLEEP.COM changed.
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS purgekeys
.INDENT 0.0
.INDENT 3.5
\fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Purges previously retained old keys (e.g., from \fBchange_password
\-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If
\fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
is new in release 1.12.
.sp
This command requires the \fBmodify\fP privilege.
.SS get_principal
.INDENT 0.0
.INDENT 3.5
\fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Gets the attributes of \fIprincipal\fP\&. With the \fB\-terse\fP option, outputs
fields as quoted tab\-separated strings.
.sp
This command requires the \fBinquire\fP privilege, or that the principal
running the program is the same as the one being listed.
.sp
Alias: \fBgetprinc\fP
.sp
Examples:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@BLEEP.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 1
Key: vno 1, aes256\-cts\-hmac\-sha384\-192
MKey: vno 1
Attributes:
Policy: [none]

kadmin: getprinc \-terse systest
systest@BLEEP.COM 3 86400 604800 1
785926535 753241234 785900000
tlyu/admin@BLEEP.COM 786100034 0 0
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS list_principals
.INDENT 0.0
.INDENT 3.5
\fBlist_principals\fP [\fIexpression\fP]
.UNINDENT
.UNINDENT
.sp
Retrieves all or some principal names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
\fB*\fP, and \fB[]\fP\&. All principal names matching the expression are
printed. If no expression is provided, all principal names are
printed. If the expression does not contain an \fB@\fP character, an
\fB@\fP character followed by the local realm is appended to the
expression.
.sp
This command requires the \fBlist\fP privilege.
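.sp
The following is an added example, not part of this man page or of MIT krb5.
It parses the multi\-line \fBget_principal\fP output shown above into a
dictionary and applies a few review rules taken from the flag descriptions
under \fBadd_principal\fP (requires_preauth, ok_as_delegate, lockdown_keys)
and from the policy assignment rule. The names it matches on the Attributes
line (REQUIRES_PRE_AUTH, OK_AS_DELEGATE, LOCKED_DOWN_KEYS) are the names
kadmin prints for those flags; the sample output in the block is
constructed, not captured from a KDC.
.sp
```python
"""Parse get_principal output and flag settings an administrator should review.

Added example; not part of the kadmin man page or of MIT krb5.  It assumes
the "Field: value" layout of the get_principal example in the man page.  The
names it looks for on the "Attributes:" line (REQUIRES_PRE_AUTH,
OK_AS_DELEGATE, LOCKED_DOWN_KEYS) are the names kadmin prints for the
requires_preauth, ok_as_delegate and lockdown_keys flags.  The sample
output below is constructed, not captured from a KDC.
"""
import re

# Constructed sample in get_principal's output format (not from a real KDC).
SAMPLE_OUTPUT = """
Principal: host/db1.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@EXAMPLE.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 3, aes256-cts-hmac-sha384-192
Key: vno 3, aes128-cts-hmac-sha256-128
MKey: vno 1
Attributes: OK_AS_DELEGATE
Policy: [none]
kadmin:
"""

# "Key: vno 3, aes256-cts-hmac-sha384-192" -> kvno and enctype name
KEY_RE = re.compile(r"vno ([0-9]+), ([^ ]+)")


def parse_getprinc(text):
    """Return the fields as a dict.  'Key' becomes a list of (kvno, enctype)
    tuples and 'Attributes' a set of flag names; other values stay strings."""
    fields = {"Key": [], "Attributes": set()}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or name in ("", "kadmin"):
            continue                        # blank line or echoed prompt
        if name == "Key":
            match = KEY_RE.fullmatch(value)
            if match:
                fields["Key"].append((int(match.group(1)), match.group(2)))
        elif name == "Attributes":
            fields["Attributes"] = set(value.split())
        else:
            fields[name] = value
    return fields


def audit_principal(fields):
    """Findings derived from the flag semantics documented for add_principal.
    Each finding is a (code, message) pair."""
    attrs = fields["Attributes"]
    name = fields.get("Principal", "").split("@", 1)[0]
    findings = []
    if "REQUIRES_PRE_AUTH" not in attrs:
        findings.append(("no-preauth", "+requires_preauth is not set"))
    if fields.get("Policy", "[none]") == "[none]":
        findings.append(("no-policy", "no password policy is assigned"))
    if "OK_AS_DELEGATE" in attrs:
        findings.append(("ok-as-delegate",
                         "clients are hinted to delegate credentials to this service"))
    if name.startswith(("krbtgt/", "kadmin/")) and "LOCKED_DOWN_KEYS" not in attrs:
        findings.append(("keys-not-locked-down",
                         "+lockdown_keys is not set on a krbtgt/ or kadmin/ principal"))
    return findings


def audit_report(text):
    """Parse and audit in one step; returns the finding codes in order."""
    return [code for code, _ in audit_principal(parse_getprinc(text))]


if __name__ == "__main__":
    parsed = parse_getprinc(SAMPLE_OUTPUT)
    print(parsed["Principal"], "keys:", parsed["Key"])
    for code, message in audit_principal(parsed):
        print(f"  [{code}] {message}")
```
.sp
Run it directly to see the findings for the constructed sample, or pass the
captured output of \fBgetprinc\fP for a real principal to audit_report().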
.sp
Aliases: \fBlistprincs\fP, \fBget_principals\fP, \fBgetprincs\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: listprincs test*
test3@SECURE\-TEST.OV.COM
test2@SECURE\-TEST.OV.COM
test1@SECURE\-TEST.OV.COM
testuser@SECURE\-TEST.OV.COM
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS get_strings
.INDENT 0.0
.INDENT 3.5
\fBget_strings\fP \fIprincipal\fP
.UNINDENT
.UNINDENT
.sp
Displays string attributes on \fIprincipal\fP\&.
.sp
This command requires the \fBinquire\fP privilege.
.sp
Alias: \fBgetstrs\fP
.SS set_string
.INDENT 0.0
.INDENT 3.5
\fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
.UNINDENT
.UNINDENT
.sp
Sets a string attribute on \fIprincipal\fP\&. String attributes are used to
supply per\-principal configuration to the KDC and some KDC plugin
modules. The following string attribute names are recognized by the
KDC:
.INDENT 0.0
.TP
\fBrequire_auth\fP
Specifies an authentication indicator which is required to
authenticate to the principal as a service. Multiple indicators
can be specified, separated by spaces; in this case any of the
specified indicators will be accepted. (New in release 1.14.)
.TP
\fBsession_enctypes\fP
Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
Encryption_types in kdc.conf(5) for a list of the
accepted values.
.TP
\fBotp\fP
Enables One Time Passwords (OTP) preauthentication for a client
\fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
of objects, each having optional \fBtype\fP and \fBusername\fP fields.
.TP
\fBpkinit_cert_match\fP
Specifies a matching expression that defines the certificate
attributes required for the client certificate used by the
principal during PKINIT authentication. The matching expression
is in the same format as those used by the \fBpkinit_cert_match\fP
option in krb5.conf(5)\&. (New in release 1.16.)
.UNINDENT
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBsetstr\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
set_string host/foo.mit.edu session_enctypes aes128\-cts
set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
.ft P
.fi
.UNINDENT
.UNINDENT
.SS del_string
.INDENT 0.0
.INDENT 3.5
\fBdel_string\fP \fIprincipal\fP \fIkey\fP
.UNINDENT
.UNINDENT
.sp
Deletes a string attribute from \fIprincipal\fP\&.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelstr\fP
.SS add_policy
.INDENT 0.0
.INDENT 3.5
\fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Adds a password policy named \fIpolicy\fP to the database.
.sp
This command requires the \fBadd\fP privilege.
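.sp
The following is an added example, not part of this man page or of MIT krb5.
It builds the \fBset_string\fP otp query shown above for each of kadmin\(aqs two
input paths: the interactive parser (also used by \fB\-q\fP), where a value is
wrapped in double quotes and each embedded double quote is doubled, as the
example above does; and the script mode described under OPTIONS, where the
shell splits the arguments, \fB\-q\fP may not be combined with trailing
arguments, and a failed query gives a non\-zero exit status. The
\fBrun_query\fP wrapper takes a \fBrun\fP callable so it can be exercised
without a KDC; the principal, OTP token list and fake results are
constructed.
.sp
```python
"""Build a set_string query for each of kadmin's two input paths: the
interactive / -q parser and the script mode added in release 1.14.

Added example, not part of the kadmin man page or of MIT krb5.  The quoting
rule (wrap in double quotes, double each embedded double quote) is taken
from the man page's set_string otp example; the script-mode rules (arguments
split by the shell, -q and trailing arguments mutually exclusive, non-zero
exit on failure) from its OPTIONS section.  run_query() takes a `run`
callable so the wrapper can be exercised without a KDC; the principal,
token list and fake results are constructed.
"""
import json
import shlex
import subprocess


def kadmin_quote(arg):
    """Quote one token for kadmin's own tokenizer (interactive or -q)."""
    if arg and '"' not in arg and not any(c.isspace() for c in arg):
        return arg                          # plain token, no quoting needed
    return '"' + arg.replace('"', '""') + '"'


def otp_value(tokens):
    """JSON array of {type, username} objects, the value the otp attribute takes."""
    return json.dumps(tokens, separators=(",", ":"))


def set_string_query(principal, name, value):
    """One query string, as typed at the kadmin: prompt or given to -q."""
    return " ".join(kadmin_quote(t) for t in ("set_string", principal, name, value))


def set_string_argv(principal, name, value):
    """Script-mode form: each argument is passed verbatim.  The shell, not
    kadmin, does the splitting, so no kadmin quoting is applied."""
    return ["set_string", principal, name, value]


def shell_line(kadmin, argv):
    """The script-mode command as it would be typed in a POSIX shell."""
    return shlex.join([kadmin, *argv])


def kadmin_command(kadmin, query=None, argv=None, opts=()):
    """Assemble the command line; -q and a trailing-argument query may not be combined."""
    if (query is None) == (argv is None):
        raise ValueError("give exactly one of query (-q) or argv (script mode)")
    cmd = [kadmin, *opts]
    return cmd + (["-q", query] if query is not None else list(argv))


class KadminError(RuntimeError):
    """Raised when kadmin reports failure through its exit status."""


def run_query(cmd, run=subprocess.run):
    """Run an assembled command and return its stdout, raising on non-zero exit.
    No -w / -pw on the command line: the remote client should authenticate
    from an existing cache (-c) or a keytab (-k), and kadmin.local from the
    stash file (or -m to be prompted)."""
    result = run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        raise KadminError(f"exit {result.returncode}: {result.stderr.strip()}")
    return result.stdout


def fake_runner(returncode, stdout="", stderr=""):
    """Stand-in for subprocess.run so run_query can be exercised offline (constructed)."""
    def run(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, returncode, stdout, stderr)
    return run


if __name__ == "__main__":
    value = otp_value([{"type": "hotp", "username": "al"}])
    print(set_string_query("user@FOO.COM", "otp", value))
    print(shell_line("kadmin.local", set_string_argv("user@FOO.COM", "otp", value)))
```
.sp
The first form reproduces the man page\(aqs example byte for byte; the second
shows why a script should not re\-apply kadmin quoting: in script mode the
JSON reaches kadmin as a single argv element already.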
.sp
Alias: \fBaddpol\fP
.sp
The following options are available:
.INDENT 0.0
.TP
\fB\-maxlife\fP \fItime\fP
(duration or getdate string) Sets the maximum
lifetime of a password.
.TP
\fB\-minlife\fP \fItime\fP
(duration or getdate string) Sets the minimum
lifetime of a password.
.TP
\fB\-minlength\fP \fIlength\fP
Sets the minimum length of a password.
.TP
\fB\-minclasses\fP \fInumber\fP
Sets the minimum number of character classes required in a
password. The five character classes are lower case, upper case,
numbers, punctuation, and whitespace/unprintable characters.
.TP
\fB\-history\fP \fInumber\fP
Sets the number of past keys kept for a principal. This option is
not supported with the LDAP KDC database module.
.UNINDENT
.INDENT 0.0
.TP
\fB\-maxfailure\fP \fImaxnumber\fP
Sets the number of authentication failures before the principal is
locked. Authentication failures are only tracked for principals
which require preauthentication. The counter of failed attempts
resets to 0 after a successful attempt to authenticate. A
\fImaxnumber\fP value of 0 (the default) disables lockout.
.UNINDENT
.INDENT 0.0
.TP
\fB\-failurecountinterval\fP \fIfailuretime\fP
(duration or getdate string) Sets the allowable time
between authentication failures. If an authentication failure
happens after \fIfailuretime\fP has elapsed since the previous
failure, the number of authentication failures is reset to 1. A
\fIfailuretime\fP value of 0 (the default) means forever.
.UNINDENT
.INDENT 0.0
.TP
\fB\-lockoutduration\fP \fIlockouttime\fP
(duration or getdate string) Sets the duration for
which the principal is locked from authenticating if too many
authentication failures occur without the specified failure count
interval elapsing. A duration of 0 (the default) means the
principal remains locked out until it is administratively unlocked
with \fBmodprinc \-unlock\fP\&.
.TP
\fB\-allowedkeysalts\fP
Specifies the key/salt tuples supported for long\-term keys when
setting or changing a principal\(aqs password/keys. See
Keysalt_lists in kdc.conf(5) for a list of the
accepted values, but note that key/salt tuples must be separated
with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
a value of \(aq\-\(aq.
.UNINDENT
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS modify_policy
.INDENT 0.0
.INDENT 3.5
\fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Modifies the password policy named \fIpolicy\fP\&. Options are as described
for \fBadd_policy\fP\&.
.sp
This command requires the \fBmodify\fP privilege.
.sp
Alias: \fBmodpol\fP
.SS delete_policy
.INDENT 0.0
.INDENT 3.5
\fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Deletes the password policy named \fIpolicy\fP\&.
Prompts for confirmation
before deletion. The command will fail if the policy is in use by any
principals.
.sp
This command requires the \fBdelete\fP privilege.
.sp
Alias: \fBdelpol\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: del_policy guests
Are you sure you want to delete the policy "guests"?
(yes/no): yes
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS get_policy
.INDENT 0.0
.INDENT 3.5
\fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
.UNINDENT
.UNINDENT
.sp
Displays the values of the password policy named \fIpolicy\fP\&. With the
\fB\-terse\fP flag, outputs the fields as quoted strings separated by
tabs.
.sp
This command requires the \fBinquire\fP privilege.
.sp
Alias: \fBgetpol\fP
.sp
Examples:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: get_policy admin
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17

kadmin: get_policy \-terse admin
admin 15552000 0 6 2 5 17
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.sp
The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.
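.sp
The lockout behaviour that the \fBadd_policy\fP options \fB\-maxfailure\fP, \fB\-failurecountinterval\fP and \fB\-lockoutduration\fP describe above, as an added Python model; this is not kadmin code and not part of this man page. The attempt timestamps are constructed, durations are taken as already converted to seconds, and it assumes that the lockout period runs from the most recent failure and that attempts rejected while locked do not touch the counter.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class LockoutPolicy:
    """Values given to add_policy -maxfailure / -failurecountinterval / -lockoutduration
    (durations already converted to seconds; 0 is the default for each)."""
    maxfailure: int = 0            # 0 disables lockout
    failurecountinterval: int = 0  # 0 means the failure window never expires
    lockoutduration: int = 0       # 0 means locked until `modprinc -unlock`

@dataclass
class PrincipalState:
    """Per-principal counters; only kept for principals that require preauthentication."""
    fail_count: int = 0
    last_failure: Optional[int] = None  # epoch seconds of the most recent failure

def is_locked(policy: LockoutPolicy, state: PrincipalState, now: int) -> bool:
    """True if authentication must be refused at time `now`."""
    if policy.maxfailure == 0 or state.fail_count < policy.maxfailure:
        return False
    if policy.lockoutduration == 0:
        return True  # stays locked until administratively unlocked
    # Assumption: the lockout period is measured from the most recent failure.
    return now < state.last_failure + policy.lockoutduration

def record_attempt(policy: LockoutPolicy, state: PrincipalState, now: int, success: bool) -> None:
    """Apply one authentication result to the counter."""
    if success:
        state.fail_count = 0  # a successful attempt resets the counter to 0
        return
    expired = (state.last_failure is not None and policy.failurecountinterval != 0
               and now - state.last_failure > policy.failurecountinterval)
    state.fail_count = 1 if expired else state.fail_count + 1  # stale window: restart at 1
    state.last_failure = now

def unlock(state: PrincipalState) -> None:
    """What `modprinc -unlock` does to the counter."""
    state.fail_count = 0

def simulate(policy: LockoutPolicy, attempts) -> tuple[list[bool], PrincipalState]:
    """Replay (time, success) pairs; return the lock state after each attempt and the final state.
    Assumption: attempts rejected while locked are not counted."""
    state, locked = PrincipalState(), []
    for now, success in attempts:
        if not is_locked(policy, state, now):
            record_attempt(policy, state, now, success)
        locked.append(is_locked(policy, state, now))
    return locked, state
```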
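.sp
A consumer for the \fBget_policy \-terse\fP line shown above that also applies the \fB\-minlength\fP and \fB\-minclasses\fP rules from \fBadd_policy\fP to a candidate password, as an added Python example that is not part of kadmin or this man page. It assumes only the seven fields shown in the example, that the policy name may or may not be quoted, and that a copy of the output with spaces instead of tabs should still parse.

```python
import string
from dataclasses import dataclass

@dataclass
class PasswordPolicy:
    """The seven fields of `get_policy -terse`, in output order."""
    name: str
    max_life: int     # seconds; 15552000 is the "180 days" of the verbose output
    min_life: int     # seconds
    min_length: int
    min_classes: int
    history: int      # number of old keys kept
    refcount: int     # principals using the policy (not meaningful with LDAP)

def parse_terse_policy(line: str) -> PasswordPolicy:
    """Parse one terse line. Fields are tab-separated; the name may be double-quoted.
    Assumption: a rendered copy with spaces instead of tabs is accepted too."""
    line = line.rstrip("\n")
    fields = line.split("\t") if "\t" in line else line.split()
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 fields, got {len(fields)}: {line!r}")
    name = fields[0].strip('"')
    return PasswordPolicy(name, *(int(f.strip('"')) for f in fields[1:7]))

def format_duration(seconds: int) -> str:
    """Render seconds like the verbose output: 15552000 -> '180 days 00:00:00', 0 -> '00:00:00'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    hms = f"{hours:02d}:{minutes:02d}:{secs:02d}"
    return f"{days} {'day' if days == 1 else 'days'} {hms}" if days else hms

# The five classes -minclasses counts: lower, upper, digits, punctuation, whitespace/unprintable.
CLASS_TESTS = (str.islower, str.isupper, str.isdigit,
               lambda c: c in string.punctuation,
               lambda c: c.isspace() or not c.isprintable())

def count_classes(password: str) -> int:
    return sum(1 for test in CLASS_TESTS if any(test(c) for c in password))

def check_password(policy: PasswordPolicy, password: str) -> list[str]:
    """Violations a password change would hit under `policy` (empty list = acceptable).
    Password history and lifetime need KDC state and are not modelled here."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"too short: {len(password)} < {policy.min_length}")
    classes = count_classes(password)
    if classes < policy.min_classes:
        problems.append(f"too few character classes: {classes} < {policy.min_classes}")
    return problems
```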
.SS list_policies
.INDENT 0.0
.INDENT 3.5
\fBlist_policies\fP [\fIexpression\fP]
.UNINDENT
.UNINDENT
.sp
Retrieves all or some policy names. \fIexpression\fP is a shell\-style
glob expression that can contain the wild\-card characters \fB?\fP,
\fB*\fP, and \fB[]\fP\&. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are
printed.
.sp
This command requires the \fBlist\fP privilege.
.sp
Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
.sp
Examples:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: listpols
test\-pol
dict\-only
once\-a\-min
test\-pol\-nopw

kadmin: listpols t*
test\-pol
test\-pol\-nopw
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS ktadd
.INDENT 0.0
.INDENT 3.5
.nf
\fBktadd\fP [options] \fIprincipal\fP
\fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
.fi
.sp
.UNINDENT
.UNINDENT
.sp
Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
keytab file. Each principal\(aqs keys are randomized in the process.
The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
command.
.sp
This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
.sp
The options are:
.INDENT 0.0
.TP
\fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
\fB\-e\fP \fIenc\fP:\fIsalt\fP,...
Uses the specified keysalt list for setting the new keys of the
principal. See Keysalt_lists in kdc.conf(5) for a
list of possible values.
.TP
\fB\-q\fP
Display less verbose information.
.TP
\fB\-norandkey\fP
Do not randomize the keys. The keys and their version numbers stay
unchanged. This option cannot be specified in combination with the
\fB\-e\fP option.
.UNINDENT
.sp
An entry for each of the principal\(aqs unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.
.sp
Alias: \fBxst\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
FILE:/tmp/foo\-new\-keytab
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS ktremove
.INDENT 0.0
.INDENT 3.5
\fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
.UNINDENT
.UNINDENT
.sp
Removes entries for the specified \fIprincipal\fP from a keytab. Requires
no permissions, since this does not require database access.
.sp
If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno matches that integer are removed.
.sp
The options are:
.INDENT 0.0
.TP
\fB\-k[eytab]\fP \fIkeytab\fP
Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
used.
.TP
\fB\-q\fP
Display less verbose information.
.UNINDENT
.sp
Alias: \fBktrem\fP
.sp
Example:
.INDENT 0.0
.INDENT 3.5
.sp
.nf
.ft C
kadmin: ktremove kadmin/admin all
Entry for principal kadmin/admin with kvno 3 removed from keytab
FILE:/etc/krb5.keytab
kadmin:
.ft P
.fi
.UNINDENT
.UNINDENT
.SS lock
.sp
Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.
.SS unlock
.sp
Release the exclusive database lock.
.SS list_requests
.sp
Lists the available kadmin requests.
.sp
Aliases: \fBlr\fP, \fB?\fP
.SS quit
.sp
Exit program. If the database was locked, the lock is released.
.sp
Aliases: \fBexit\fP, \fBq\fP
.SH HISTORY
.sp
The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.
.SH ENVIRONMENT
.sp
See kerberos(7) for a description of Kerberos environment
variables.
.SH SEE ALSO
.sp
kpasswd(1), kadmind(8), kerberos(7)
.SH AUTHOR
MIT
.SH COPYRIGHT
1985-2022, MIT
.\" Generated by docutils manpage writer.
.