GSP
Quick Navigator

Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages


Manual Reference Pages  -  KADMIN (8)

NAME

kadmin - Kerberos administration utility

CONTENTS

Synopsis
Description
See Also

SYNOPSIS

kadmin
.Bk -words [-p string |-principal= string] [-K string |-keytab= string] [-c file |-config-file= file] [-k file |-key-file= file] [-r realm |-realm= realm] [-a host |-admin-server= host] [-s port number |-server-port= port number] [-l-| -local ] [-h-| -help ] [-v-| -version ] [command]
.Ek

DESCRIPTION

The kadmin program is used to make modifications to the Kerberos database, either remotely via the kadmind(8) daemon, or locally (with the -l option).

Supported options:
-p string,-principal= string
  principal to authenticate as
-K string,-keytab= string
  keytab for authentication principal
-c file,-config-file= file
  location of config file
-k file,-key-file= file
  location of master key file
-r realm,-realm= realm
  realm to use
-a host,-admin-server= host
  server to contact
-s port number,-server-port= port number
  port to use
-l -, -local
  local admin mode

If no command is given on the command line, kadmin will prompt for commands to process. Some of the commands that take one or more principals as argument ( delete, ext_keytab, get, modify, and passwd) will accept a glob style wildcard, and perform the operation on all matching principals.

Commands include:

add [-r-| -random-key ] [-random-password] [-p string |-password= string] [-key=string] [-max-ticket-life=lifetime] [-max-renewable-life=lifetime] [-attributes=attributes] [-expiration-time=time] [-pw-expiration-time=time] principal...

Adds a new principal to the database. The options not passed on the
command line will be promped for.

add_enctype [-r-| -random-key ] principal enctypes...

Adds a new encryption type to the principal, only random key are
supported.

delete principal...

Removes a principal.

del_enctype principal enctypes...

Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.

ext_keytab [-k string | Xo -keytab= string ] principal...

Creates a keytab with the keys of the specified principals.

get [-l-| -long ] [-s-| -short ] [-t-| -terse ] [-o string |-column-info= string] principal...

Lists the matching principals, short prints the result as a table,
while long format produces a more verbose output. Which columns to
print can be selected with the

-o 
option. The argument is a comma separated list of column names
optionally appended with an equal sign

('=')
and a column header. Which columns are printed by default differ
slightly between short and long output.

The default terse output format is similar to -s -o principal=, just printing the names of matched principals.

Possible column names include: principal, princ_expire_time, pw_expiration, last_pwd_change, max_life, max_rlife, mod_time, mod_name, attributes, kvno, mkvno, last_success, last_failed, fail_auth_count, policy, and keytypes.

modify [-a attributes | Xo -attributes= attributes ] [-max-ticket-life=lifetime] [-max-renewable-life=lifetime] [-expiration-time=time] [-pw-expiration-time=time] [-kvno=number] principal...

Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.

Possible attributes are: new-princ, support-desmd5, pwchange-service, disallow-svr, requires-pw-change, requires-hw-auth, requires-pre-auth, disallow-all-tix, disallow-dup-skey, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-forwardable, disallow-postdated

Attributes may be negated with a "-", e.g.,

kadmin -l modify -a -disallow-proxiable user

passwd [-r-| -random-key ] [-random-password] [-p string | Xo -password= string ] [-key=string] principal...

Changes the password of an existing principal.

password-quality principal password

Run the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is done locally, if kadmin is run in remote mode,
no rpc call is done to the server.

privileges

Lists the operations you are allowed to perform. These include

add,

add_enctype,

change-password,

delete,

del_enctype,

get,

list,
and

modify.

rename from to

Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients which are unable to cope with this will fail. Kerberos 4
suffers from this.

check [realm]

Check database for strange configurations on important principals. If
no realm is given, the default realm is used.

When running in local mode, the following commands can also be used:

dump [-d-| -decrypt ] [dump-file]

Writes the database in

"human readable"
form to the specified file, or standard out. If the database is
encrypted, the dump will also have encrypted keys, unless

-decrypt 
is used.

init [-realm-max-ticket-life=string] [-realm-max-renewable-life=string] realm

Initializes the Kerberos database with entries for a new realm. It’s
possible to have more than one realm served by one server.

load file

Reads a previously dumped database, and re-creates that database from
scratch.

merge file

Similar to

 load
but just modifies the database with the entries in the dump file.

stash [-e enctype | Xo -enctype= enctype ] [-k keyfile | Xo -key-file= keyfile ] [-convert-file] [-master-key-fd=fd]

Writes the Kerberos master key to a file used by the KDC.

SEE ALSO

kadmind(8), kdc(8)
Search for    or go to Top of page |  Section 8 |  Main Index


Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with manServer 1.07.