'\" te .\" Copyright 1989 by the Massachusetts Institute of Technology. Copyright (c) 2008, Sun Microsystems, Inc. All Rights Reserved .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License. .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License. .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner] .TH kadmin 1M "29 Feb 2008" "SunOS 5.11" "System Administration Commands" .SH NAME kadmin, kadmin.local \- Kerberos database administration program .SH SYNOPSIS .LP .nf \fB/usr/sbin/kadmin\fR [\fB-r\fR \fIrealm\fR] [\fB-p\fR \fIprincipal\fR] [\fB-q\fR \fIquery\fR] [\fB-s\fR \fIadmin_server\fR [\fI:port\fR]] [ [\fB-c\fR \fIcredential_cache\fR] | [\fB-k\fR [\fB-t\fR \fIkeytab\fR]] | [\fB-w\fR \fIpassword\fR]] [\fB-x\fR \fIdb_args\fR]... .fi .LP .nf \fB/usr/sbin/kadmin.local\fR [\fB-r\fR \fIrealm\fR] [\fB-p\fR \fIprincipal\fR] [\fB-q\fR \fIquery\fR] [\fB-d\fR \fIdbname\fR] [\fB-e\fR "\fIenc:salt...\fR"] [\fB-m\fR] [\fB-D\fR] .fi .SH DESCRIPTION .sp .LP \fBkadmin\fR and \fBkadmin.local\fR are interactive command-line interfaces to the Kerberos V5 administration system. They provide for the maintenance of Kerberos principals, policies, and service key tables (keytabs). \fBkadmin\fR and \fBkadmin.local\fR provide identical functionality; the difference is that \fBkadmin.local\fR can run only on the master KDC and does not use Kerberos authentication. .sp .LP Except as explicitly noted otherwise, this man page uses \fBkadmin\fR to refer to both versions. .sp .LP By default, both versions of \fBkadmin\fR attempt to determine your user name and perform operations on behalf of your "\fIusername\fR/\fIadmin\fR" instance. Operations performed are subject to privileges granted or denied to this user instance by the Kerberos ACL file (see \fBkadm5.acl\fR(4)). You may perform administration as another user instance by using the \fB-p\fR option. .sp .LP The remote version, \fBkadmin\fR, uses Kerberos authentication and an encrypted RPC to operate securely from anywhere on the network. It normally prompts for a password and authenticates the user to the Kerberos administration server, \fBkadmind\fR, whose service principal is \fBkadmin/\fR\fIfqdn\fR. Some options specific to the remote version permit the password prompt to be bypassed. The \fB-c\fR option searches the named credentials cache for a valid ticket for the \fBkadmin/\fR\fIfqdn\fR service and uses it to authenticate the user to the Kerberos admin server without a password. The \fB-k\fR option searches a keytab for a credential to authenticate to the \fBkadmin/\fR\fIfqdn\fR service, and again no password is collected. If \fBkadmin\fR has collected a password, it requests a \fBkadmin/\fR\fIfqdn\fR Kerberos service ticket from the KDC, and uses that service ticket to interact with \fBkadmind\fR. .sp .LP The local version, \fBkadmin.local\fR, must be run with an effective UID of root, and normally uses a key from the \fB/var/krb5/.k5.\fR\fIrealm\fR stash file (see \fBkdb5_util\fR(1M)) to decrypt information from the database rather than prompting for a password. The \fB-m\fR option will bypass the \fB\&.k5.\fR\fIrealm\fR stash file and prompt for the master password. .SH OPTIONS .sp .LP The following options are supported: .sp .ne 2 .mk .na \fB\fB-c\fR \fIcredentials_cache\fR\fR .ad .sp .6 .RS 4n Search \fIcredentials_cache\fR for a service ticket for the \fBkadmin/\fR\fIfqdn\fR service; it can be acquired with the \fBkinit\fR(1) program. If this option is not specified, \fBkadmin\fR requests a new service ticket from the KDC, and stores it in its own temporary credentials cache. .RE .sp .ne 2 .mk .na \fB\fB-d\fR \fIdbname\fR\fR .ad .sp .6 .RS 4n Specify a non-standard database name. [Local only] .RE .sp .ne 2 .mk .na \fB\fB-D\fR\fR .ad .sp .6 .RS 4n Turn on debug mode. [Local only] .RE .sp .ne 2 .mk .na \fB\fB-e\fR \fI"enc:salt ..."\fR\fR .ad .sp .6 .RS 4n Specify a different encryption type and/or key salt. [Local only] .RE .sp .ne 2 .mk .na \fB\fB-k\fR [\fB-t\fR \fIkeytab\fR]\fR .ad .sp .6 .RS 4n Use the default keytab (\fB-k\fR) or a specific keytab (\fB-t\fR \fIkeytab\fR) to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be \fBhost\fR/\fBhostname\fR. This is primarily used for keytab maintenance. .RE .sp .ne 2 .mk .na \fB\fB-m\fR\fR .ad .sp .6 .RS 4n Accept the database master password from the keyboard rather than using the \fB/var/krb5/.k5.\fIrealm\fR\fR stash file. [Local only] .RE .sp .ne 2 .mk .na \fB\fB-p\fR \fIprincipal\fR\fR .ad .sp .6 .RS 4n Authenticate \fIprincipal\fR to the \fBkadmin/\fR\fIfqdn\fR service. Otherwise, \fBkadmin\fR will append \fB/admin\fR to the primary principal name of the default credentials cache, the value of the \fBUSER\fR environment variable, or the username as obtained with \fBgetpwuid\fR, in that order of preference. .RE .sp .ne 2 .mk .na \fB\fB-q\fR \fIquery\fR\fR .ad .sp .6 .RS 4n Pass \fIquery\fR directly to \fBkadmin\fR, which will perform \fIquery\fR and then exit. This can be useful for writing scripts. .RE .sp .ne 2 .mk .na \fB\fB-r\fR \fIrealm\fR\fR .ad .sp .6 .RS 4n Use \fIrealm\fR as the default database realm. .RE .sp .ne 2 .mk .na \fB\fB-s\fR \fIadmin_server\fR[\fI:port\fR]\fR .ad .sp .6 .RS 4n Administer the specified \fIadmin\fR server at the specified port number (\fIport\fR). This can be useful in administering a realm not known to your client. .RE .sp .ne 2 .mk .na \fB\fB-w\fR \fIpassword\fR\fR .ad .sp .6 .RS 4n Use \fIpassword\fR instead of prompting for one. Note that placing the password for a Kerberos principal with administration access into a shell script can be dangerous if unauthorized users gain read access to the script or can read arguments of this command through \fBps\fR(1). .RE .sp .ne 2 .mk .na \fB\fB-x\fR \fIdb_args\fR\fR .ad .sp .6 .RS 4n Pass database-specific arguments to \fBkadmin\fR. Supported arguments are for LDAP and the \fBBerkeley-db2\fR plug-in. These arguments are: .sp .ne 2 .mk .na \fB\fBbinddn\fR=\fIbinddn\fR\fR .ad .sp .6 .RS 4n LDAP simple bind DN for authorization on the directory server. Overrides the \fBldap_kadmind_dn\fR parameter setting in \fBkrb5.conf\fR(4). .RE .sp .ne 2 .mk .na \fB\fBbindpwd\fR=\fIbindpwd\fR\fR .ad .sp .6 .RS 4n Bind password. .RE .sp .ne 2 .mk .na \fB\fBdbname\fR=\fIname\fR\fR .ad .sp .6 .RS 4n For the \fBBerkeley-db2\fR plug-in, specifies a name for the Kerberos database. .RE .sp .ne 2 .mk .na \fB\fBnconns\fR=\fInum\fR\fR .ad .sp .6 .RS 4n Maximum number of server connections. .RE .sp .ne 2 .mk .na \fB\fBport\fR=\fInum\fR\fR .ad .sp .6 .RS 4n Directory server connection port. .RE .RE .SH COMMANDS .sp .ne 2 .mk .na \fB\fBlist_requests\fR\fR .ad .sp .6 .RS 4n Lists all the commands available for \fBkadmin\fR. Aliased by \fBlr\fR and \fB?\fR. .RE .sp .ne 2 .mk .na \fB\fBget_privs\fR\fR .ad .sp .6 .RS 4n Lists the current Kerberos administration privileges (ACLs) for the principal that is currently running \fBkadmin\fR. The privileges are based on the \fB/etc/krb5/kadm5.acl\fR file on the master KDC. Aliased by \fBgetprivs\fR. .RE .sp .ne 2 .mk .na \fB\fB\fR\fBadd_principal\fR \fB[\fIoptions\fR]\fR \fB\fInewprinc\fR\fR\fR .ad .sp .6 .RS 4n Creates a new principal, \fInewprinc\fR, prompting twice for a password. If the \fB-policy\fR option is not specified and a policy named \fBdefault\fR exists, then the \fBdefault\fR policy is assigned to the principal; note that the assignment of the \fBdefault\fR policy occurs automatically only when a principal is first created, so the \fBdefault\fR policy must already exist for the assignment to occur. The automatic assignment of the \fBdefault\fR policy can be suppressed with the \fB-clearpolicy\fR option. This command requires the \fBadd\fR privilege. Aliased by \fBaddprinc\fR and \fBank\fR. The options are: .sp .ne 2 .mk .na \fB\fB-expire\fR \fIexpdate\fR\fR .ad .sp .6 .RS 4n Expiration date of the principal. See the \fBTime\fR \fBFormats\fR section for the valid absolute time formats that you can specify for \fIexpdate\fR. .RE .sp .ne 2 .mk .na \fB\fB-pwexpire\fR \fIpwexpdate\fR\fR .ad .sp .6 .RS 4n Password expiration date. See the \fBTime\fR \fBFormats\fR section for the valid absolute time formats that you can specify for \fIpwexpdate\fR. .RE .sp .ne 2 .mk .na \fB\fB-maxlife\fR \fImaxlife\fR\fR .ad .sp .6 .RS 4n Maximum ticket life for the principal. See the \fBTime\fR \fBFormats\fR section for the valid time duration formats that you can specify for \fImaxlife\fR. .RE .sp .ne 2 .mk .na \fB\fB-maxrenewlife\fR \fImaxrenewlife\fR\fR .ad .sp .6 .RS 4n Maximum renewable life of tickets for the principal. See the \fBTime\fR \fBFormats\fR section for the valid time duration formats that you can specify for \fImaxrenewlife\fR. .RE .sp .ne 2 .mk .na \fB\fB-kvno\fR \fIkvno\fR\fR .ad .sp .6 .RS 4n Explicitly set the key version number. .RE .sp .ne 2 .mk .na \fB\fB-policy\fR \fIpolicy\fR\fR .ad .sp .6 .RS 4n Policy used by the principal. If both the \fB-policy\fR and \fB-clearpolicy\fR options are not specified, the \fBdefault\fR policy is used if it exists; otherwise, the principal will have no policy. Also note that the password and principal name must be different when you add a new principal with a specific policy or the \fBdefault\fR policy. .RE .sp .ne 2 .mk .na \fB\fB-clearpolicy\fR\fR .ad .sp .6 .RS 4n \fB-clearpolicy\fR prevents the \fBdefault\fR policy from being assigned when \fB-policy\fR is not specified. This option has no effect if the \fBdefault\fR policy does not exist. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_postdated\fR\fR .ad .sp .6 .RS 4n \fB-allow_postdated\fR prohibits the principal from obtaining postdated tickets. (Sets the \fBKRB5_KDB_DISALLOW_POSTDATED\fR flag.) \fB+allow_postdated\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_forwardable\fR\fR .ad .sp .6 .RS 4n \fB-allow_forwardable\fR prohibits the principal from obtaining forwardable tickets. (Sets the \fBKRB5_KDB_DISALLOW_FORWARDABLE\fR flag.) \fB+allow_forwardable\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_renewable\fR\fR .ad .sp .6 .RS 4n \fB-allow_renewable\fR prohibits the principal from obtaining renewable tickets. (Sets the \fBKRB5_KDB_DISALLOW_RENEWABLE\fR flag.) \fB+allow_renewable\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_proxiable\fR\fR .ad .sp .6 .RS 4n \fB-allow_proxiable\fR prohibits the principal from obtaining proxiable tickets. (Sets the \fBKRB5_KDB_DISALLOW_PROXIABLE\fR flag.) \fB+allow_proxiable\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_dup_skey\fR\fR .ad .sp .6 .RS 4n \fB-allow_dup_skey\fR disables user-to-user authentication for the principal by prohibiting this principal from obtaining a session key for another user. (Sets the \fBKRB5_KDB_DISALLOW_DUP_SKEY\fR flag.) \fB+allow_dup_skey\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBrequires_preauth\fR\fR .ad .sp .6 .RS 4n \fB+requires_preauth\fR requires the principal to preauthenticate before being allowed to \fBkinit\fR. (Sets the \fBKRB5_KDB_REQUIRES_PRE_AUTH\fR flag.) \fB-requires_preauth\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBrequires_hwauth\fR\fR .ad .sp .6 .RS 4n \fB+requires_hwauth\fR requires the principal to preauthenticate using a hardware device before being allowed to kinit. (Sets the \fBKRB5_KDB_REQUIRES_HW_AUTH\fR flag.) \fB-requires_hwauth\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_svr\fR\fR .ad .sp .6 .RS 4n \fB-allow_svr\fR prohibits the issuance of service tickets for the principal. (Sets the \fBKRB5_KDB_DISALLOW_SVR\fR flag.) \fB+allow_svr\fR clears this flag. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_tgs_req\fR\fR .ad .sp .6 .RS 4n \fB-allow_tgs_req\fR specifies that a Ticket-Granting Service (TGS) request for a service ticket for the principal is not permitted. This option is useless for most things. \fB+allow_tgs_req\fR clears this flag. The default is \fB+allow_tgs_req\fR. In effect, \fB-allow_tgs_req\fR sets the \fBKRB5_KDB_DISALLOW_TGT_BASED\fR flag on the principal in the database. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBallow_tix\fR\fR .ad .sp .6 .RS 4n \fB-allow_tix\fR forbids the issuance of any tickets for the principal. \fB+allow_tix\fR clears this flag. The default is \fB+allow_tix\fR. In effect, \fB-allow_tix\fR sets the \fBKRB5_KDB_DISALLOW_ALL_TIX\fR flag on the principal in the database. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBneedchange\fR\fR .ad .sp .6 .RS 4n \fB+needchange\fR sets a flag in attributes field to force a password change; \fB-needchange\fR clears it. The default is \fB-needchange\fR\&. In effect, \fB+needchange\fR sets the \fBKRB5_KDB_REQUIRES_PWCHANGE\fR flag on the principal in the database. .RE .sp .ne 2 .mk .na \fB{\fB-\fR|\fB+\fR}\fBpassword_changing_service\fR\fR .ad .sp .6 .RS 4n \fB+password_changing_service\fR sets a flag in the attributes field marking this as a password change service principal (useless for most things). \fB-password_changing_service\fR clears the flag. This flag intentionally has a long name. The default is \fB-password_changing_service\fR\&. In effect, \fB+password_changing_service\fR sets the \fBKRB5_KDB_PWCHANGE_SERVICE\fR flag on the principal in the database. .RE .sp .ne 2 .mk .na \fB\fB-randkey\fR\fR .ad .sp .6 .RS 4n Sets the key of the principal to a random value. .RE .sp .ne 2 .mk .na \fB\fB\fR\fB-pw\fR \fB\fIpassword\fR\fR\fR .ad .sp .6 .RS 4n Sets the key of the principal to the specified string and does not prompt for a password. Note that using this option in a shell script can be dangerous if unauthorized users gain read access to the script. .RE .sp .ne 2 .mk .na \fB\fB-e\fR "enc:salt ..."\fR .ad .sp .6 .RS 4n Override the list of enctype:salttype pairs given in \fBkdc.conf\fR(4) for setting the key of the principal. The quotes are necessary if there are multiple enctype:salttype pairs. One key for each similar enctype and same salttype will be created and the first one listed will be used. For example, in a list of two similar enctypes with the same salt, "des-cbc-crc:normal des-cbc-md5:normal", one key will be created and it will be of type des-cbc-crc:normal. .RE .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBaddprinc tlyu/admin\fR WARNING: no policy specified for "tlyu/admin@ACME.COM"; defaulting to no policy. Enter password for principal tlyu/admin@ACME.COM: Re-enter password for principal tlyu/admin@ACME.COM: Principal "tlyu/admin@ACME.COM" created. kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_ADD\fR (requires \fBadd\fR privilege) .sp \fBKADM5_BAD_MASK\fR (should not happen) .sp \fBKADM5_DUP\fR (principal exists already) .sp \fBKADM5_UNK_POLICY\fR (policy does not exist) .sp \fBKADM5_PASS_Q_*\fR (password quality violations) .RE .RE .sp .ne 2 .mk .na \fB\fBdelete_principal\fR [\fB-force\fR] \fIprincipal\fR\fR .ad .sp .6 .RS 4n Deletes the specified principal from the database. This command prompts for deletion, unless the \fB-force\fR option is given. This command requires the \fBdelete\fR privilege. Aliased by \fBdelprinc\fR. .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBdelprinc mwm_user\fR Are you sure you want to delete the principal "mwm_user@ACME.COM"? (yes/no): \fByes\fR Principal "mwm_user@ACME.COM" deleted. Make sure that you have removed this principal from all kadmind ACLs before reusing. kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_DELETE\fR (requires \fBdelete\fR privilege) .sp \fBKADM5_UNK_PRINC\fR (principal does not exist) .RE .RE .sp .ne 2 .mk .na \fB\fBmodify_principal\fR [\fIoptions\fR] \fIprincipal\fR\fR .ad .sp .6 .RS 4n Modifies the specified principal, changing the fields as specified. The options are as above for \fBadd_principal\fR, except that password changing is forbidden by this command. In addition, the option \fB-clearpolicy\fR will clear the current policy of a principal. This command requires the \fBmodify\fR privilege. Aliased by \fBmodprinc\fR. .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_MODIFY\fR (requires \fBmodify\fR privilege) .sp \fBKADM5_UNK_PRINC\fR (principal does not exist) .sp \fBKADM5_UNK_POLICY\fR (policy does not exist) .sp \fBKADM5_BAD_MASK\fR (should not happen) .RE .RE .sp .ne 2 .mk .na \fB\fBchange_password\fR [\fIoptions\fR] \fIprincipal\fR\fR .ad .sp .6 .RS 4n Changes the password of \fIprincipal\fR. Prompts for a new password if neither \fB-randkey\fR or \fB-pw\fR is specified. Requires the \fBchangepw\fR privilege, or that the principal that is running the program to be the same as the one changed. Aliased by \fBcpw\fR. The following options are available: .sp .ne 2 .mk .na \fB\fB-randkey\fR\fR .ad .sp .6 .RS 4n Sets the key of the principal to a random value. .RE .sp .ne 2 .mk .na \fB\fB-pw\fR \fIpassword\fR\fR .ad .sp .6 .RS 4n Sets the password to the specified string. Not recommended. .RE .sp .ne 2 .mk .na \fB\fB-e\fR "enc:salt ..."\fR .ad .sp .6 .RS 4n Override the list of enctype:salttype pairs given in \fBkdc.conf\fR(4) for setting the key of the principal. The quotes are necessary if there are multiple enctype:salttype pairs. For each key, the first matching similar enctype and same salttype in the list will be used to set the new key(s). .RE .sp .ne 2 .mk .na \fB\fB-keepold\fR\fR .ad .sp .6 .RS 4n Keeps the previous kvno's keys around. There is no easy way to delete the old keys, and this flag is usually not necessary except perhaps for TGS keys as it will allow existing valid TGTs to continue to work. .RE .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBcpw systest\fR Enter password for principal systest@ACME.COM: Re-enter password for principal systest@ACME.COM: Password for systest@ACME.COM changed. kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_MODIFY\fR (requires the \fBmodify\fR privilege) .sp \fBKADM5_UNK_PRINC\fR (principal does not exist) .sp \fBKADM5_PASS_Q_*\fR (password policy violation errors) .sp \fBKADM5_PASS_REUSE\fR (password is in principal's password history) .sp \fBKADM5_PASS_TOOSOON\fR (current password minimum life not expired) .RE .RE .sp .ne 2 .mk .na \fB\fBget_principal\fR [\fB-terse\fR] \fIprincipal\fR\fR .ad .sp .6 .RS 4n Gets the attributes of \fIprincipal\fR. Requires the \fBinquire\fR privilege, or that the principal that is running the program to be the same as the one being listed. With the \fB-terse\fR option, outputs fields as quoted tab-separated strings. Aliased by \fBgetprinc\fR. .sp .ne 2 .mk .na \fBExamples:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBgetprinc tlyu/admin\fR Principal: tlyu/admin@ACME.COM Expiration date: [never] Last password change: Thu Jan 03 12:17:46 CET 2008 Password expiration date: [none] Maximum ticket life: 24855 days 03:14:07 Maximum renewable life: 24855 days 03:14:07 Last modified: Thu Jan 03 12:17:46 CET 2008 (root/admin@ACME.COM) Last successful authentication: [never] Last failed authentication: [never] Failed password attempts: 0 Number of keys: 5 Key: vno 2, AES-256 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 2, AES-128 CTS mode with 96-bit SHA-1 HMAC, no salt Key: vno 2, Triple DES cbc mode with HMAC/sha1, no salt Key: vno 2, ArcFour with HMAC/md5, no salt Key: vno 2, DES cbc mode with RSA-MD5, no salt Attributes: REQUIRES_PRE_AUTH Policy: [none] kadmin: \fBgetprinc -terse tlyu/admin\fR "tlyu/admin@ACME.COM" 0 1199359066 0 2147483647 "root/admin@ACME.COM" 1199359066 128 2 0 "[none]" 21474836 47 0 0 0 5 1 2 18 0 1 2 17 0 1 2 16 0 1 2 23 0 12 3 0 kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_GET\fR (requires the get [inquire] privilege) .sp \fBKADM5_UNK_PRINC\fR (principal does not exist) .RE .RE .sp .ne 2 .mk .na \fB\fBlist_principals\fR [\fIexpression\fR]\fR .ad .sp .6 .RS 4n Retrieves all or some principal names. \fIexpression\fR is a shell-style glob expression that can contain the wild-card characters ?, *, and []'s. All principal names matching the expression are printed. If no expression is provided, all principal names are printed. If the expression does not contain an "@" character, an "@" character followed by the local realm is appended to the expression. Requires the \fBlist\fR privilege. Aliased by \fBlistprincs\fR, \fBget_principals\fR, and \fBgetprincs\fR. .sp .ne 2 .mk .na \fBExamples:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBlistprincs test*\fR test3@ACME.COM test2@ACME.COM test1@ACME.COM testuser@ACME.COM kadmin: .fi .in -2 .sp .RE .RE .sp .ne 2 .mk .na \fB\fBadd_policy\fR [\fIoptions\fR] \fIpolicy\fR\fR .ad .sp .6 .RS 4n Adds the named policy to the policy database. Requires the \fBadd\fR privilege. Aliased by \fBaddpol\fR. The following options are available: .sp .ne 2 .mk .na \fB\fB-maxlife\fR \fImaxlife\fR\fR .ad .sp .6 .RS 4n sets the maximum lifetime of a password. See the \fBTime\fR \fBFormats\fR section for the valid time duration formats that you can specify for \fImaxlife\fR. .RE .sp .ne 2 .mk .na \fB\fB-minlife\fR \fIminlife\fR\fR .ad .sp .6 .RS 4n sets the minimum lifetime of a password. See the \fBTime\fR \fBFormats\fR section for the valid time duration formats that you can specify for \fIminlife\fR. .RE .sp .ne 2 .mk .na \fB\fB-minlength\fR \fIlength\fR\fR .ad .sp .6 .RS 4n sets the minimum length of a password. .RE .sp .ne 2 .mk .na \fB\fB-minclasses\fR \fInumber\fR\fR .ad .sp .6 .RS 4n sets the minimum number of character classes allowed in a password. The valid values are: .RE .sp .ne 2 .mk .na \fB\fB1\fR\fR .ad .sp .6 .RS 4n only letters (himom) .RE .sp .ne 2 .mk .na \fB\fB2\fR\fR .ad .sp .6 .RS 4n both letters and numbers (hi2mom) .RE .sp .ne 2 .mk .na \fB\fB3\fR\fR .ad .sp .6 .RS 4n letters, numbers, and punctuation (hi2mom!) .RE .sp .ne 2 .mk .na \fB\fB-history\fR \fInumber\fR\fR .ad .sp .6 .RS 4n sets the number of past keys kept for a principal. .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_ADD\fR (requires the \fBadd\fR privilege) .sp \fBKADM5_DUP\fR (policy already exists) .RE .RE .sp .ne 2 .mk .na \fB\fBdelete_policy\fR \fB[-force]\fR \fIpolicy\fR\fR .ad .sp .6 .RS 4n Deletes the named policy. Unless the \fB-force\fR option is specified, prompts for confirmation before deletion. The command will fail if the policy is in use by any principals. Requires the \fBdelete\fR privilege. Aliased by \fBdelpol\fR. .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBdel_policy guests\fR Are you sure you want to delete the policy "guests"? (yes/no): \fByes\fR Policy "guests" deleted. kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_DELETE\fR (requires the delete privilege) .sp \fBKADM5_UNK_POLICY\fR (policy does not exist) .sp \fBKADM5_POLICY_REF\fR (reference count on policy is not zero) .RE .RE .sp .ne 2 .mk .na \fB\fB\fR\fBmodify_policy\fR \fB[\fIoptions\fR]\fR \fB\fIpolicy\fR\fR\fR .ad .sp .6 .RS 4n Modifies the named policy. Options are as above for \fBadd_policy\fR. Requires the \fBmodify\fR privilege. Aliased by \fBmodpol\fR. .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_MODIFY\fR (requires the \fBmodify\fR privilege) .sp \fBKADM5_UNK_POLICY\fR (policy does not exist) .RE .RE .sp .ne 2 .mk .na \fB\fBget_policy\fR [\fB-terse\fR] \fIpolicy\fR\fR .ad .sp .6 .RS 4n Displays the values of the named policy. Requires the \fBinquire\fR privilege. With the \fB-terse\fR flag, outputs the fields as quoted strings separated by tabs. Aliased by \fBgetpol\fR. .sp .ne 2 .mk .na \fBExamples:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBget_policy admin\fR Policy: admin Maximum password life: 180 days 00:00:00 Minimum password life: 00:00:00 Minimum password length: 6 Minimum number of password character classes: 2 Number of old keys kept: 5 Reference count: 17 kadmin: \fBget_policy -terse\fR admin admin 15552000 0 6 2 5 17 kadmin: .fi .in -2 .sp .RE .sp .ne 2 .mk .na \fBErrors:\fR .ad .sp .6 .RS 4n \fBKADM5_AUTH_GET\fR (requires the \fBget\fR privilege) .sp \fBKADM5_UNK_POLICY\fR (policy does not exist) .RE .RE .sp .ne 2 .mk .na \fB\fBlist_policies\fR [\fIexpression\fR]\fR .ad .sp .6 .RS 4n Retrieves all or some policy names. \fIexpression\fR is a shell-style glob expression that can contain the wild-card characters ?, *, and []'s. All policy names matching the expression are printed. If no expression is provided, all existing policy names are printed. Requires the \fBlist\fR privilege. Aliased by \fBlistpols\fR, \fBget_policies\fR, and \fBgetpols\fR. .sp .ne 2 .mk .na \fBExamples:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBlistpols\fR test-pol dict-only once-a-min test-pol-nopw kadmin: \fBlistpols t*\fR test-pol test-pol-nopw kadmin: .fi .in -2 .sp .RE .RE .sp .ne 2 .mk .na \fB\fBktadd\fR [\fB-k\fR \fIkeytab\fR] [\fB-q\fR] [\fB-e\fR \fB\fIenctype\fR:salt\fR]\fR .ad .sp .6 .RS 4n Adds a principal or all principals matching \fIprinc-exp\fR to a keytab, randomizing each principal's key in the process. .sp \fBktadd\fR requires the \fBinquire\fR and \fBchangepw\fR privileges. An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different \fBsalt\fR types. If the \fB-k\fR argument is not specified, the default keytab file, \fB/etc/krb5/krb5.keytab\fR, is used. .sp The "\fB-e\fR \fB\fIenctype\fR:salt\fR" option overrides the list of \fIenctypes\fR given in \fBkrb5.conf\fR(4), in the \fBpermitted_enctypes\fR parameter. If "\fB-e\fR \fB\fIenctype\fR:salt\fR" is not used and \fBpermitted_enctypes\fR is not defined in \fBkrb5.conf\fR(4), a key for each \fIenctype\fR supported by the system on which \fBkadmin\fR is run will be created and added to the \fBkeytab\fR. Restricting the \fIenctypes\fR of keys in the \fBkeytab\fR is useful when the system for which keys are being created does not support the same set of \fIenctypes\fR as the KDC. Note that \fBktadd\fR modifies the \fIenctype\fR of the keys in the principal database as well. .sp If the \fB-q\fR option is specified, less status information is displayed. Aliased by \fBxst\fR. The \fB-glob\fR option requires the \fBlist\fR privilege. Also, note that if you use \fB-glob\fR to create a keytab, you need to remove \fB/etc/krb5/kadm5.keytab\fR and create it again if you want to use \fB-p\fR \fB*/admin\fR with \fBkadmin\fR. .RE .sp .ne 2 .mk .na \fB\fBprinc-exp\fR\fR .ad .sp .6 .RS 4n \fIprinc-exp\fR follows the same rules described for the \fBlist_principals\fR command. .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBktadd -k /tmp/new-keytab nfs/chicago\fR Entry for principal nfs/chicago with kvno 2, encryption type DES-CBC-CRC added to keytab WRFILE:/tmp/new-keytab. kadmin: .fi .in -2 .sp .RE .RE .sp .ne 2 .mk .na \fB\fBktremove\fR [\fB-k\fR \fIkeytab\fR] [\fB-q\fR] \fIprincipal\fR [\fIkvno\fR | \fBall\fR | \fBold\fR]\fR .ad .sp .6 .RS 4n Removes entries for the specified principal from a keytab. Requires no privileges, since this does not require database access. If \fBall\fR is specified, all entries for that principal are removed; if \fBold\fR is specified, all entries for that principal except those with the highest kvno are removed. Otherwise, the value specified is parsed as an integer, and all entries whose \fBkvno\fR match that integer are removed. If the \fB-k\fR argument is not specified, the default keytab file, \fB/etc/krb5/krb5.keytab\fR, is used. If the \fB-q\fR option is specified, less status information is displayed. Aliased by \fBktrem\fR. .sp .ne 2 .mk .na \fBExample:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBktremove -k /tmp/new-keytab nfs/chicago\fR Entry for principal nfs/chicago with kvno 2 removed from keytab WRFILE:/tmp/new-keytab. kadmin: .fi .in -2 .sp .RE .RE .sp .ne 2 .mk .na \fB\fBquit\fR\fR .ad .sp .6 .RS 4n Quits \fBkadmin\fR. Aliased by \fBexit\fR and \fBq\fR. .RE .SS "Time Formats" .sp .LP Various commands in \fBkadmin\fR can take a variety of time formats, specifying time durations or absolute times. The \fBkadmin\fR option variables \fImaxrenewlife\fR, \fImaxlife\fR, and \fIminlife\fR are time durations, whereas \fIexpdate\fR and \fIpwexpdate\fR are absolute times. .sp .ne 2 .mk .na \fBExamples:\fR .ad .sp .6 .RS 4n .sp .in +2 .nf kadmin: \fBmodprinc -expire "12/31 7pm" jdb\fR kadmin: \fBmodprinc -maxrenewlife "2 fortnight" jdb\fR kadmin: \fBmodprinc -pwexpire "this sunday" jdb\fR kadmin: \fBmodprinc -expire never jdb\fR kadmin: \fBmodprinc -maxlife "7:00:00pm tomorrow" jdb\fR .fi .in -2 .sp .RE .sp .LP Note that times which do not have the "ago" specifier default to being absolute times, unless they appear in a field where a duration is expected. In that case, the time specifier will be interpreted as relative. Specifying "ago" in a duration can result in unexpected behavior. .sp .LP The following time formats and units can be combined to specify a time. The time and date format examples are based on the date and time of July 2, 1999, 1:35:30 p.m. .sp .sp .TS tab() box; lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . \fBTime Format\fR\fBExamples\fR \fIhh\fR[:\fImm\fR][:\fIss\fR][am/pm/a.m./p.m.]1p.m., 1:35, 1:35:30pm .TE .sp .sp .TS tab(); lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . \fBVariable\fR\fBDescription\fR \fIhh\fRT{ hour (12-hour clock, leading zero permitted but not required) T} \fImm\fRminutes \fIss\fRseconds .TE .sp .sp .TS tab() box; lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . \fBDate Format\fR\fBExamples\fR \fImm\fR/\fBdd\fR[/\fIyy\fR]07/02, 07/02/99 \fIyyyy\fR-\fImm\fR-\fBdd\fR1999-07-02 \fBdd\fR-\fImonth\fR-\fIyyyy\fR02-July-1999 \fImonth\fR [,\fIyyyy\fR]Jul 02, July 02,1999 \fBdd\fR \fImonth\fR[ \fIyyyy\fR]02 JULY, 02 july 1999 .TE .sp .sp .TS tab(); lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . \fBVariable Description\fR \fBdd\fRday \fImm\fRmonth \fIyy\fRT{ year within century (00-38 is 2000 to 2038; 70-99 is 1970 to 1999) T} \fIyyyy\fRyear including century \fImonth\fRlocale's full or abbreviated month name .TE .sp .sp .TS tab() box; lw(2.75i) lw(2.75i) lw(2.75i) lw(2.75i) . \fBTime Units\fR\fBExamples\fR [+|- \fI#\fR] year"-2 year" [+|- \fI#\fR] month"2 months" [+|- \fI#\fR] fortnight [+|- \fI#\fR] week [+|- \fI#\fR] day [+|- \fI#\fR] hour [+|- \fI#\fR] minute [+|- \fI#\fR] min [+|- \fI#\fR] second [+|- \fI#\fR] sec tomorrow yesterday today  now  this"this year" last"last saturday" next"next month" sunday monday tuesday wednesday thursday friday saturday never .TE .sp .LP You can also use the following time modifiers: \fBfirst\fR, \fBsecond\fR, \fBthird\fR, \fBfourth\fR, \fBfifth\fR, \fBsixth\fR, \fBseventh\fR, \fBeighth\fR, \fBninth\fR, \fBtenth\fR, \fBeleventh\fR, \fBtwelfth\fR, and \fBago\fR. .SH ENVIRONMENT VARIABLES .sp .LP See \fBenviron\fR(5) for descriptions of the following environment variables that affect the execution of \fBkadmin\fR: .sp .ne 2 .mk .na \fB\fBPAGER\fR\fR .ad .sp .6 .RS 4n The command to use as a filter for paging output. This can also be used to specify options. The default is \fBmore\fR(1). .RE .SH FILES .sp .ne 2 .mk .na \fB\fB/var/krb5/principal\fR\fR .ad .sp .6 .RS 4n Kerberos principal database. .RE .sp .ne 2 .mk .na \fB\fB/var/krb5/principal.ulog\fR\fR .ad .sp .6 .RS 4n The update log file for incremental propagation. .RE .sp .ne 2 .mk .na \fB\fB/var/krb5/principal.kadm5\fR\fR .ad .sp .6 .RS 4n Kerberos administrative database. Contains policy information. .RE .sp .ne 2 .mk .na \fB\fB/var/krb5/principal.kadm5.lock\fR\fR .ad .sp .6 .RS 4n Lock file for the Kerberos administrative database. This file works backwards from most other lock files (that is, \fBkadmin\fR will exit with an error if this file does \fInot\fR exist). .RE .sp .ne 2 .mk .na \fB\fB/var/krb5/kadm5.dict\fR\fR .ad .sp .6 .RS 4n Dictionary of strings explicitly disallowed as passwords. .RE .sp .ne 2 .mk .na \fB\fB/etc/krb5/kadm5.acl\fR\fR .ad .sp .6 .RS 4n List of principals and their \fBkadmin\fR administrative privileges. .RE .sp .ne 2 .mk .na \fB\fB/etc/krb5/kadm5.keytab\fR\fR .ad .sp .6 .RS 4n Keytab for \fBkadmind\fR principals: \fBkadmin\fR/\fIfqdn\fR, \fBchangepw\fR/\fIfqdn\fR, and \fBkadmin\fR/\fBchangepw\fR. .RE .SH ATTRIBUTES .sp .LP See \fBattributes\fR(5) for descriptions of the following attributes: .sp .sp .TS tab() box; cw(2.75i) |cw(2.75i) lw(2.75i) |lw(2.75i) . ATTRIBUTE TYPEATTRIBUTE VALUE _ Interface StabilityCommitted .TE .SH SEE ALSO .sp .LP \fBkpasswd\fR(1), \fBmore\fR(1), \fBgkadmin\fR(1M), \fBkadmind\fR(1M), \fBkdb5_util\fR(1M), \fBkdb5_ldap_util\fR(1M), \fBkproplog\fR(1M), \fBkadm5.acl\fR(4), \fBkdc.conf\fR(4), \fBkrb5.conf\fR(4), \fBattributes\fR(5), \fBenviron\fR(5), \fBkerberos\fR(5), \fBkrb5envvar\fR(5) .SH HISTORY .sp .LP The \fBkadmin\fR program was originally written by Tom Yu at MIT, as an interface to the OpenVision Kerberos administration program. .SH DIAGNOSTICS .sp .LP The \fBkadmin\fR command is currently incompatible with the MIT \fBkadmind\fR daemon interface, so you cannot use this command to administer an MIT-based Kerberos database. However, clients running the Solaris implementation of Kerberos can still use an MIT-based KDC.