1 .\" $NetBSD: kadmin.8,v 1.4 2015/04/28 09:48:30 prlw1 Exp $
3 .\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
4 .\" (Royal Institute of Technology, Stockholm, Sweden).
5 .\" All rights reserved.
7 .\" Redistribution and use in source and binary forms, with or without
8 .\" modification, are permitted provided that the following conditions
11 .\" 1. Redistributions of source code must retain the above copyright
12 .\" notice, this list of conditions and the following disclaimer.
14 .\" 2. Redistributions in binary form must reproduce the above copyright
15 .\" notice, this list of conditions and the following disclaimer in the
16 .\" documentation and/or other materials provided with the distribution.
18 .\" 3. Neither the name of the Institute nor the names of its contributors
19 .\" may be used to endorse or promote products derived from this software
20 .\" without specific prior written permission.
22 .\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 .\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 .\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 .\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 .\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 .\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 .\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 .\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 .\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
41 .Nd Kerberos administration utility
45 .Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
46 .Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
47 .Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
48 .Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
49 .Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
50 .Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
51 .Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
52 .Op Fl l | Fl Fl local
54 .Op Fl v | Fl Fl version
60 program is used to make modifications to the Kerberos database, either remotely via the
62 daemon, or locally (with the
68 .It Fl p Ar string , Fl Fl principal= Ns Ar string
69 principal to authenticate as
70 .It Fl K Ar string , Fl Fl keytab= Ns Ar string
71 keytab for authentication principal
72 .It Fl c Ar file , Fl Fl config-file= Ns Ar file
73 location of config file
74 .It Fl k Ar file , Fl Fl key-file= Ns Ar file
75 location of master key file
76 .It Fl r Ar realm , Fl Fl realm= Ns Ar realm
78 .It Fl a Ar host , Fl Fl admin-server= Ns Ar host
80 .It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
82 .It Fl l , Fl Fl local
88 is given on the command line,
90 will prompt for commands to process. Some of the commands that take
91 one or more principals as argument
98 will accept a glob style wildcard, and perform the operation on all
102 .\" not using a list here, since groff apparently gets confused
103 .\" with nested Xo/Xc
106 .Op Fl r | Fl Fl random-key
107 .Op Fl Fl random-password
108 .Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
109 .Op Fl Fl key= Ns Ar string
110 .Op Fl Fl max-ticket-life= Ns Ar lifetime
111 .Op Fl Fl max-renewable-life= Ns Ar lifetime
112 .Op Fl Fl attributes= Ns Ar attributes
113 .Op Fl Fl expiration-time= Ns Ar time
114 .Op Fl Fl pw-expiration-time= Ns Ar time
116 .Bd -ragged -offset indent
117 Adds a new principal to the database. The options not passed on the
118 command line will be prompted for.
122 .Op Fl r | Fl Fl random-key
123 .Ar principal enctypes...
125 .Bd -ragged -offset indent
126 Adds a new encryption type to the principal, only random keys are
132 .Bd -ragged -offset indent
137 .Ar principal enctypes...
138 .Bd -ragged -offset indent
139 Removes some enctypes from a principal; this can be useful if the
140 service belonging to the principal is known to not handle certain
145 .Oo Fl k Ar string \*(Ba Xo
146 .Fl Fl keytab= Ns Ar string
150 .Bd -ragged -offset indent
151 Creates a keytab with the keys of the specified principals.
155 .Op Fl l | Fl Fl long
156 .Op Fl s | Fl Fl short
157 .Op Fl t | Fl Fl terse
158 .Op Fl o Ar string | Fl Fl column-info= Ns Ar string
160 .Bd -ragged -offset indent
161 Lists the matching principals, short prints the result as a table,
162 while long format produces a more verbose output. Which columns to
163 print can be selected with the
165 option. The argument is a comma separated list of column names
166 optionally appended with an equal sign
168 and a column header. Which columns are printed by default differ
169 slightly between short and long output.
171 The default terse output format is similar to
172 .Fl s o Ar principal= ,
173 just printing the names of matched principals.
175 Possible column names include:
177 .Li princ_expire_time ,
179 .Li last_pwd_change ,
189 .Li fail_auth_count ,
196 .Oo Fl a Ar attributes \*(Ba Xo
197 .Fl Fl attributes= Ns Ar attributes
200 .Op Fl Fl max-ticket-life= Ns Ar lifetime
201 .Op Fl Fl max-renewable-life= Ns Ar lifetime
202 .Op Fl Fl expiration-time= Ns Ar time
203 .Op Fl Fl pw-expiration-time= Ns Ar time
204 .Op Fl Fl kvno= Ns Ar number
206 .Bd -ragged -offset indent
207 Modifies certain attributes of a principal. If run without command
208 line options, you will be prompted. With command line options, it will
209 only change the ones specified.
211 Possible attributes are:
214 .Li pwchange-service ,
216 .Li requires-pw-change ,
217 .Li requires-hw-auth ,
218 .Li requires-pre-auth ,
219 .Li disallow-all-tix ,
220 .Li disallow-dup-skey ,
221 .Li disallow-proxiable ,
222 .Li disallow-renewable ,
223 .Li disallow-tgt-based ,
224 .Li disallow-forwardable ,
225 .Li disallow-postdated
227 Attributes may be negated with a "-", e.g.,
229 kadmin -l modify -a -disallow-proxiable user
233 .Op Fl r | Fl Fl random-key
234 .Op Fl Fl random-password
235 .Oo Fl p Ar string \*(Ba Xo
236 .Fl Fl password= Ns Ar string
239 .Op Fl Fl key= Ns Ar string
241 .Bd -ragged -offset indent
242 Changes the password of an existing principal.
248 .Bd -ragged -offset indent
249 Run the password quality check function locally.
250 You can run this on the host that is configured to run the kadmind
251 process to verify that your configuration file is correct.
252 The verification is done locally, if kadmin is run in remote mode,
253 no rpc call is done to the server.
257 .Bd -ragged -offset indent
258 Lists the operations you are allowed to perform. These include
261 .Li change-password ,
272 .Bd -ragged -offset indent
273 Renames a principal. This is normally transparent, but since keys are
274 salted with the principal name, they will have a non-standard salt,
275 and clients which are unable to cope with this will fail. Kerberos 4
282 .Bd -ragged -offset indent
283 Check database for strange configurations on important principals. If
284 no realm is given, the default realm is used.
287 When running in local mode, the following commands can also be used:
290 .Op Fl d | Fl Fl decrypt
292 .Bd -ragged -offset indent
293 Writes the database in
295 form to the specified file, or standard out. If the database is
296 encrypted, the dump will also have encrypted keys, unless
302 .Op Fl Fl realm-max-ticket-life= Ns Ar string
303 .Op Fl Fl realm-max-renewable-life= Ns Ar string
305 .Bd -ragged -offset indent
306 Initializes the Kerberos database with entries for a new realm. It's
307 possible to have more than one realm served by one server.
312 .Bd -ragged -offset indent
313 Reads a previously dumped database, and re-creates that database from
319 .Bd -ragged -offset indent
322 but just modifies the database with the entries in the dump file.
326 .Oo Fl e Ar enctype \*(Ba Xo
327 .Fl Fl enctype= Ns Ar enctype
330 .Oo Fl k Ar keyfile \*(Ba Xo
331 .Fl Fl key-file= Ns Ar keyfile
334 .Op Fl Fl convert-file
335 .Op Fl Fl master-key-fd= Ns Ar fd
336 .Bd -ragged -offset indent
337 Writes the Kerberos master key to a file used by the KDC.