Lines Matching +full:non +full:- +full:secure +full:- +full:otp

13 …<script data-url_root="../" id="documentation_options" src="../_static/documentation_options.js"><…
24 <div class="header-wrapper">
42 <a href="mailto:krb5-bugs@mit.edu?subject=Documentation__Database administration">feedback</a>
47 <div class="content-wrapper">
55 <section id="database-administration">
56 <h1>Database administration<a class="headerlink" href="#database-administration" title="Permalink t…
59 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
61 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
63 …rence internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpas…
64 program has its own command-line interface, to which you type the
66 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
69 …nd-8"><span class="std std-ref">kadmind</span></a> and <a class="reference internal" href="admin_c…
71 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
74 …s="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadm…
81 ticket for either service principal and the <strong>-c</strong> ccache option is
83 the <strong>-p</strong> and <strong>-k</strong> options are used to specify the client Kerberos
87 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
93 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
95 …l notranslate"><span class="pre">+requires_preauth</span> <span class="pre">-allow_svr</span></cod…
96 …="reference internal" href="dictionary.html#dictionary"><span class="std std-ref">Addressing dicti…
97-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
99 <span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">passw…
102 …<a class="reference internal" href="pkinit.html#pkinit"><span class="std std-ref">PKINIT configura…
103 instead be created with the <code class="docutils literal notranslate"><span class="pre">-nokey</sp…
105 <div><p>kadmin: addprinc -nokey alice</p>
107 …eated with the <code class="docutils literal notranslate"><span class="pre">-nokey</span></code> o…
108 long-term keys will be added when a keytab is generated:</p>
109-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
110 …/span><span class="p">:</span> <span class="n">ktadd</span> <span class="o">-</span><span class="n…
111-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="…
112-</span><span class="n">cts</span><span class="o">-</span><span class="n">hmac</span><span class="…
117-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
122 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>kadmin: delprin…
131 …rence internal" href="../user/user_commands/kpasswd.html#kpasswd-1"><span class="std std-ref">kpas…
143 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
144-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
151 <strong>modify_principal</strong> command with the <strong>-policy</strong> option:</p>
153 <div><p>kadmin: modprinc -policy stduser alice
161 <section id="updating-the-history-key">
162 <span id="updating-history-key"></span><h3>Updating the history key<a class="headerlink" href="#upd…
170-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
173 <p>This command will fail if you specify the <strong>-keepold</strong> flag. Only one
184 …ass="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">ka…
186 <p class="admonition-title">Note</p>
196 <section id="operations-on-the-kerberos-database">
197 <span id="db-operations"></span><h2>Operations on the Kerberos database<a class="headerlink" href="…
198 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
200 <a class="reference internal" href="dbtypes.html#dbtypes"><span class="std std-ref">Database types<…
201 <a class="reference internal" href="install_kdc.html#create-db"><span class="std std-ref">Create th…
203 …tils literal notranslate"><span class="pre">create</span> <span class="pre">-s</span></code> flag,…
206 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util sta…
213 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util des…
220 <section id="dumping-and-loading-a-kerberos-database">
221 …pan id="restore-from-dump"></span><h3>Dumping and loading a Kerberos database<a class="headerlink"…
223 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
225 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dum…
227 $ kdb5_util dump -verbose dumpfile
237 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util dum…
243 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
244 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util loa…
248 only some principals, use the <code class="docutils literal notranslate"><span class="pre">-update<…
249 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util loa…
253 <p class="admonition-title">Note</p>
254 <p>If the database file exists, and the <em>-update</em> flag was not
258 <section id="updating-the-master-key">
259 <span id="updating-master-key"></span><h3>Updating the master key<a class="headerlink" href="#updat…
260 …"reference internal" href="admin_commands/kdb5_util.html#kdb5-util-8"><span class="std std-ref">kd…
267 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_util lis…
269 KVNO: 1, Enctype: aes256-cts-hmac-sha384-192, Active on: Thu Jan 01 00:00:00 UTC 1970 *
277 …="pre">kdb5_util</span> <span class="pre">add_mkey</span> <span class="pre">-s</span></code> to cr…
278 master key and write it to the stash file. Enter a secure password
292 …s="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadm…
295 This command will iterate over the database and re-encrypt all keys
300 …s literal notranslate"><span class="pre">kdb5_util</span> <span class="pre">-x</span> <span class=…
311 <section id="operations-on-the-ldap-database">
312 <span id="ops-on-ldap"></span><h2>Operations on the LDAP database<a class="headerlink" href="#opera…
313 …nce internal" href="admin_commands/kdb5_ldap_util.html#kdb5-ldap-util-8"><span class="std std-ref"…
315 …ence internal" href="conf_ldap.html#conf-ldap"><span class="std std-ref">Configuring Kerberos with…
318 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
325 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
330 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
337 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
344 <section id="ticket-policy-operations">
345 <h3>Ticket Policy operations<a class="headerlink" href="#ticket-policy-operations" title="Permalink…
353 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
357 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
358 with the <strong>-x tktpolicy=</strong><em>policy</em> option:</p>
359 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local …
364 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kadmin.local …
369 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
375 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
380 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
388 <div class="highlight-default notranslate"><div class="highlight"><pre><span></span>$ kdb5_ldap_uti…
396 <section id="cross-realm-authentication">
397 <span id="xrealm-authn"></span><h2>Cross-realm authentication<a class="headerlink" href="#cross-rea…
401 For example, if you need to do cross-realm authentication between the realms
407 the key version number with the <strong>-kvno</strong> option.</p>
408 <p>In the ATHENA.MIT.EDU and EXAMPLE.COM cross-realm case, the administrators
410-default notranslate"><div class="highlight"><pre><span></span><span class="n">shell</span><span c…
411 …an><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n…
413 <span class="n">Re</span><span class="o">-</span><span class="n">enter</span> <span class="n">passw…
414 …an><span class="p">:</span> <span class="n">addprinc</span> <span class="o">-</span><span class="n…
421 <p class="admonition-title">Note</p>
424 desirable on cross-realm authentication keys because doing
426 service-by-service basis. Disabling it as in the example
430 <p class="admonition-title">Note</p>
436 <section id="changing-the-krbtgt-key">
437 <span id="changing-krbtgt-key"></span><h2>Changing the krbtgt key<a class="headerlink" href="#chang…
444 …eference internal" href="admin_commands/kadmin_local.html#kadmin-1"><span class="std std-ref">kadm…
447 <strong>-keepold</strong> flag to change_password to retain the previous key in the
449-default notranslate"><div class="highlight"><pre><span></span><span class="n">kadmin</span><span …
453 <p class="admonition-title">Warning</p>
462 ticket-granting tickets. However, the set of encryption types present
465 …al" href="enctypes.html#session-key-selection"><span class="std std-ref">Session key selection</sp…
470 specifying any <strong>-e</strong> option when changing the krbtgt key, or by
472 …eference internal" href="admin_commands/kadmin_local.html#set-string"><span class="std std-ref">se…
478 <section id="incremental-database-propagation">
479 <span id="incr-db-prop"></span><h2>Incremental database propagation<a class="headerlink" href="#inc…
490 …s="reference internal" href="admin_commands/kadmind.html#kadmind-8"><span class="std std-ref">kadm…
493 <p>Incremental propagation uses the following entries in the per-realm
494 …class="reference internal" href="conf_files/kdc_conf.html#kdc-conf-5"><span class="std std-ref">kd…
495 <table class="docutils align-default">
502 <tr class="row-odd"><td><p>iprop_enable</p></td>
506 <tr class="row-even"><td><p>iprop_master_ulogsize</p></td>
510 <tr class="row-odd"><td><p>iprop_replica_poll</p></td>
514 <tr class="row-even"><td><p>iprop_port</p></td>
518 <tr class="row-odd"><td><p>iprop_resync_timeout</p></td>
522 <tr class="row-even"><td><p>iprop_logfile</p></td>
524-conf-5"><span class="std std-ref">kdc.conf</span></a>, with <em>.ulog</em> appended. (NOTE: If da…
530 fully-qualified, canonical name for the host) registered in the
532 …"reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">DEFKTNAME</span>…
536 …ass="reference internal" href="conf_files/kadm5_acl.html#kadm5-acl-5"><span class="std std-ref">ka…
537 …e (see <a class="reference internal" href="#privileges"><span class="std std-ref">Privileges</span…
538 …ass="reference internal" href="admin_commands/kpropd.html#kpropd-8"><span class="std std-ref">kpro…
547 and invoke a one-time kprop propagation, with special options to also
553 …ils literal notranslate"><span class="pre">kadmind</span> <span class="pre">-proponly</span></code…
554 …tils literal notranslate"><span class="pre">kpropd</span> <span class="pre">-A</span> <span class=…
568 <section id="sun-mit-incremental-propagation-differences">
569 …mental propagation differences<a class="headerlink" href="#sun-mit-incremental-propagation-differe…
584 <p>The Sun implementation hard-codes pathnames in <code class="docutils literal notranslate"><span …
585 update log and the per-replica kprop dump files. In the MIT
587 config file, and the per-replica dump files are stored in
588 <a class="reference internal" href="../mitK5defaults.html#paths"><span class="std std-ref">LOCALSTA…
687 <div class="footer-wrapper">
690 &copy; <a href="../copyright.html">Copyright</a> 1985-2024, MIT.