.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd Feb 22, 2007
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
.Nm kadmin
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
.Op Fl l | Fl Fl local
.Op Fl h | Fl Fl help
.Op Fl v | Fl Fl version
.Op Ar command
.Ek
.Sh DESCRIPTION
The
.Nm
program is used to make modifications to the Kerberos database, either remotely via the
.Xr kadmind 8
daemon, or locally (with the
.Fl l
option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl p Ar string , Fl Fl principal= Ns Ar string
principal to authenticate as
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
keytab for authentication principal
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
server to contact
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
port to use
.It Fl l , Fl Fl local
local admin mode
.El
.Pp
If no
.Ar command
is given on the command line,
.Nm
will prompt for commands to process. Some of the commands that take
one or more principals as argument
.Ns ( Nm delete ,
.Nm ext_keytab ,
.Nm get ,
.Nm modify ,
and
.Nm passwd )
will accept a glob style wildcard, and perform the operation on all
matching principals.
.Pp
Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Pp
.Nm add
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl attributes= Ns Ar attributes
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Ar principal...
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
.Ed
.Pp
.Nm add_enctype
.Op Fl r | Fl Fl random-key
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
Adds a new encryption type to the principal, only random keys are
supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Bd -ragged -offset indent
Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
.Ed
.Pp
.Nm ext_keytab
.Oo Fl k Ar string \*(Ba Xo
.Fl Fl keytab= Ns Ar string
.Xc
.Oc
.Ar principal...
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals.
.Ed
.Pp
.Nm get
.Op Fl l | Fl Fl long
.Op Fl s | Fl Fl short
.Op Fl t | Fl Fl terse
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Lists the matching principals, short prints the result as a table,
while long format produces a more verbose output. Which columns to
print can be selected with the
.Fl o
option. The argument is a comma separated list of column names
optionally appended with an equal sign
.Pq Sq =
and a column header. Which columns are printed by default differ
slightly between short and long output.
.Pp
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
.Pp
Possible column names include:
.Li principal ,
.Li princ_expire_time ,
.Li pw_expiration ,
.Li last_pwd_change ,
.Li max_life ,
.Li max_rlife ,
.Li mod_time ,
.Li mod_name ,
.Li attributes ,
.Li kvno ,
.Li mkvno ,
.Li last_success ,
.Li last_failed ,
.Li fail_auth_count ,
.Li policy ,
and
.Li keytypes .
.Ed
.Pp
.Nm modify
.Oo Fl a Ar attributes \*(Ba Xo
.Fl Fl attributes= Ns Ar attributes
.Xc
.Oc
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Op Fl Fl kvno= Ns Ar number
.Ar principal...
.Bd -ragged -offset indent
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.
.Pp
Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
.Pp
Attributes may be negated with a "-", e.g.,
.Pp
kadmin -l modify -a -disallow-proxiable user
.Ed
.Pp
.Nm passwd
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl Fl password= Ns Ar string
.Xc
.Oc
.Op Fl Fl key= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Changes the password of an existing principal.
.Ed
.Pp
.Nm password-quality
.Ar principal
.Ar password
.Bd -ragged -offset indent
Run the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is done locally; if kadmin is run in remote mode,
no RPC call is made to the server.
.Ed
.Pp
.Nm privileges
.Bd -ragged -offset indent
Lists the operations you are allowed to perform. These include
.Li add ,
.Li add_enctype ,
.Li change-password ,
.Li delete ,
.Li del_enctype ,
.Li get ,
.Li list ,
and
.Li modify .
.Ed
.Pp
.Nm rename
.Ar from to
.Bd -ragged -offset indent
Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients which are unable to cope with this will fail. Kerberos 4
suffers from this.
.Ed
.Pp
.Nm check
.Op Ar realm
.Pp
.Bd -ragged -offset indent
Check database for strange configurations on important principals. If
no realm is given, the default realm is used.
.Ed
.Pp
When running in local mode, the following commands can also be used:
.Pp
.Nm dump
.Op Fl d | Fl Fl decrypt
.Op Ar dump-file
.Bd -ragged -offset indent
Writes the database in
.Dq human readable
form to the specified file, or standard out. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl Fl decrypt
is used.
.Ed
.Pp
.Nm init
.Op Fl Fl realm-max-ticket-life= Ns Ar string
.Op Fl Fl realm-max-renewable-life= Ns Ar string
.Ar realm
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It's
possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Bd -ragged -offset indent
Similar to
.Nm load
but just modifies the database with the entries in the dump file.
.Ed
.Pp
.Nm stash
.Oo Fl e Ar enctype \*(Ba Xo
.Fl Fl enctype= Ns Ar enctype
.Xc
.Oc
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl Fl key-file= Ns Ar keyfile
.Xc
.Oc
.Op Fl Fl convert-file
.Op Fl Fl master-key-fd= Ns Ar fd
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.
.Ed
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmind 8 ,
.Xr kdc 8
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
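
Because delete, modify and passwd accept a glob style wildcard and act on every matching principal, the sketch below previews the match set with `get -t` before running the command. It is an added example, not part of the Heimdal man page or code: `KADMIN`, `MAX_MATCH`, `kadm_matches` and `kadm_guarded` are names made up here, and one principal name per line in terse output is an assumption.

```sh
#!/bin/sh
# Added example: preview a glob before kadmin acts on it.
# KADMIN, MAX_MATCH and both function names are assumptions of this sketch.
KADMIN=${KADMIN:-kadmin -l}   # command prefix; -l selects local mode
MAX_MATCH=${MAX_MATCH:-5}     # largest match set accepted without review

# Print the principals a pattern matches. "get -t" is the terse format,
# which the page describes as printing only the names of matched
# principals; one name per line is assumed.
kadm_matches() {
    $KADMIN get -t "$1" </dev/null
}

# kadm_guarded COMMAND PATTERN [OPTIONS...]
# Returns 2 for bad usage, 3 for no match, 4 for too many matches,
# 1 if kadmin itself fails, 0 on success.
kadm_guarded() {
    [ $# -ge 2 ] || { echo "usage: kadm_guarded CMD PATTERN [OPTS]" >&2; return 2; }
    cmd=$1 pattern=$2
    shift 2
    case $cmd in
        delete|modify|passwd) ;;   # wildcard commands that change the database
        *) echo "kadm_guarded: '$cmd' is not guarded here" >&2; return 2 ;;
    esac
    matches=$(kadm_matches "$pattern") || return 1
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "kadm_guarded: '$pattern' matches no principal" >&2
        return 3
    fi
    if [ "$count" -gt "$MAX_MATCH" ]; then
        echo "kadm_guarded: '$pattern' matches $count principals:" >&2
        printf '%s\n' "$matches" | sed 's/^/  /' >&2
        return 4
    fi
    # Act on the previewed names one by one instead of passing the glob
    # again, so the command touches exactly the set that was checked.
    # stdin is /dev/null so kadmin cannot consume the name list or prompt.
    while IFS= read -r princ; do
        [ -n "$princ" ] || continue
        $KADMIN "$cmd" "$@" "$princ" </dev/null || return 1
    done <<EOF
$matches
EOF
}
```

Options for the command follow the pattern, for example `kadm_guarded modify 'host/*' -a -disallow-proxiable`; since stdin is closed, every value kadmin would otherwise prompt for has to be given as an option.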