xref: /freebsd/crypto/heimdal/kadmin/kadmin.8 (revision 1ddff51060ad759e35dcc4716b0bdcdb40255862)
.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd October 5, 2025
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
.Nm kadmin
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
.Op Fl l | Fl Fl local
.Op Fl h | Fl Fl help
.Op Fl v | Fl Fl version
.Op Ar command
.Ek
.Sh DESCRIPTION
The
.Nm
program is used to make modifications to the Kerberos database, either remotely via the
.Xr kadmind 8
daemon, or locally (with the
.Fl l
option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl p Ar string , Fl Fl principal= Ns Ar string
principal to authenticate as
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
keytab for authentication principal
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
server to contact
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
port to use
.It Fl l , Fl Fl local
local admin mode
.El
.Pp
If no
.Ar command
is given on the command line,
.Nm
will prompt for commands to process. Some of the commands that take
one or more principals as arguments
.Ns ( Nm delete ,
.Nm ext_keytab ,
.Nm get ,
.Nm modify ,
and
.Nm passwd )
will accept a glob style wildcard, and perform the operation on all
matching principals.
.Pp
Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Pp
.Nm add
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl attributes= Ns Ar attributes
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Ar principal...
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
.Ed
.Pp
.Nm add_enctype
.Op Fl r | Fl Fl random-key
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
Adds a new encryption type to the principal; only random keys are
supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Bd -ragged -offset indent
Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
.Ed
.Pp
.Nm ext_keytab
.Oo Fl k Ar string \*(Ba Xo
.Fl Fl keytab= Ns Ar string
.Xc
.Oc
.Ar principal...
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals.
.Ed
.Pp
.Nm get
.Op Fl l | Fl Fl long
.Op Fl s | Fl Fl short
.Op Fl t | Fl Fl terse
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Lists the matching principals; the short format prints the result as a
table, while the long format produces more verbose output. Which columns
to print can be selected with the
.Fl o
option. The argument is a comma separated list of column names, each
optionally followed by an equal sign
.Pq Sq =
and a column header. Which columns are printed by default differs
slightly between short and long output.
.Pp
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
.Pp
Possible column names include:
.Li principal ,
.Li princ_expire_time ,
.Li pw_expiration ,
.Li last_pwd_change ,
.Li max_life ,
.Li max_rlife ,
.Li mod_time ,
.Li mod_name ,
.Li attributes ,
.Li kvno ,
.Li mkvno ,
.Li last_success ,
.Li last_failed ,
.Li fail_auth_count ,
.Li policy ,
and
.Li keytypes .
.Ed
.Pp
192.Pp
193.Nm modify
194.Oo Fl a Ar attributes \*(Ba Xo
195.Fl Fl attributes= Ns Ar attributes
196.Xc
197.Oc
198.Op Fl Fl max-ticket-life= Ns Ar lifetime
199.Op Fl Fl max-renewable-life= Ns Ar lifetime
200.Op Fl Fl expiration-time= Ns Ar time
201.Op Fl Fl pw-expiration-time= Ns Ar time
202.Op Fl Fl kvno= Ns Ar number
203.Ar principal...
204.Bd -ragged -offset indent
205Modifies certain attributes of a principal. If run without command
206line options, you will be prompted. With command line options, it will
207only change the ones specified.
208.Pp
209Possible attributes are:
210.Li new-princ ,
211.Li support-desmd5 ,
212.Li pwchange-service ,
213.Li disallow-svr ,
214.Li requires-pw-change ,
215.Li requires-hw-auth ,
216.Li requires-pre-auth ,
217.Li disallow-all-tix ,
218.Li disallow-dup-skey ,
219.Li disallow-proxiable ,
220.Li disallow-renewable ,
221.Li disallow-tgt-based ,
222.Li disallow-forwardable ,
223.Li disallow-postdated
224.Pp
225Attributes may be negated with a "-", e.g.,
226.Pp
227kadmin -l modify -a -disallow-proxiable user
228.Ed
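.Pp
The following shell script is an added example and is not part of the original manual page or of Heimdal: it parses
.Nm get Fl l
style output (the assumed layout is one
.Dq Key: value
line per field with a blank line between principals, and the sample data is constructed) and reports principals that lack the
.Li requires-pre-auth
attribute or still carry DES keytypes, the two conditions an administrator would fix with
.Nm modify
and
.Nm del_enctype .

```shell
#!/bin/sh
# Added example (not Heimdal code): audit Heimdal principals for missing
# pre-authentication and weak DES enctypes, from "kadmin get -l" style output.
# Input format assumed: one "Key: value" line per field, blank line between
# principals. Prints "<principal>: <flags>" for every principal that fails.
audit_principals() {
    awk '
    function report() {
        if (princ == "") return
        flags = ""
        if (attrs !~ /requires-pre-auth/) flags = flags " no-preauth"
        if (keys ~ /des-cbc/)             flags = flags " weak-enctype"
        if (flags != "") print princ ":" flags
        princ = ""; attrs = ""; keys = ""
    }
    /^[ \t]*$/ { report(); next }          # a blank line ends one principal
    {
        i = index($0, ":")                 # first colon separates key from value
        if (i == 0) next
        key = substr($0, 1, i - 1); gsub(/^[ \t]+|[ \t]+$/, "", key)
        val = substr($0, i + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "Principal")  princ = val
        if (key == "Attributes") attrs = val
        if (key == "Keytypes")   keys  = val
    }
    END { report() }'
}

# Constructed sample in the shape of "kadmin -l get -l '*'" output (not real data).
SAMPLE='            Principal: host/kdc.example.com@EXAMPLE.COM
           Attributes: requires-pre-auth
             Keytypes: aes256-cts-hmac-sha1-96(pw-salt)

            Principal: svc/legacy@EXAMPLE.COM
           Attributes:
             Keytypes: des-cbc-crc(pw-salt), arcfour-hmac-md5(pw-salt)

            Principal: alice@EXAMPLE.COM
           Attributes: disallow-postdated
             Keytypes: aes128-cts-hmac-sha1-96(pw-salt)'

# Runs the audit over the constructed sample; live use would be
#   kadmin -l get -l '*' | audit_principals
run_sample() {
    printf '%s\n' "$SAMPLE" | audit_principals
}

run_sample
```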
229.Pp
230.Nm passwd
231.Op Fl r | Fl Fl random-key
232.Op Fl Fl random-password
233.Oo Fl p Ar string \*(Ba Xo
234.Fl Fl password= Ns Ar string
235.Xc
236.Oc
237.Op Fl Fl key= Ns Ar string
238.Ar principal...
239.Bd -ragged -offset indent
240Changes the password of an existing principal.
241.Ed
242.Pp
243.Nm password-quality
244.Ar principal
245.Ar password
246.Bd -ragged -offset indent
247Run the password quality check function locally.
248You can run this on the host that is configured to run the kadmind
249process to verify that your configuration file is correct.
250The verification is done locally, if kadmin is run in remote mode,
251no rpc call is done to the server.
252.Ed
253.Pp
.Nm privileges
.Bd -ragged -offset indent
Lists the operations you are allowed to perform. These include
.Li add ,
.Li add_enctype ,
.Li change-password ,
.Li delete ,
.Li del_enctype ,
.Li get ,
.Li list ,
and
.Li modify .
.Ed
.Pp
.Nm rename
.Ar from to
.Bd -ragged -offset indent
Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients which are unable to cope with this will fail. Kerberos 4
suffers from this.
.Ed
.Pp
.Nm check
.Op Ar realm
.Pp
.Bd -ragged -offset indent
Checks the database for strange configurations on important principals. If
no realm is given, the default realm is used.
.Ed
.Pp
When running in local mode, the following commands can also be used:
.Pp
.Nm dump
.Op Fl d | Fl Fl decrypt
.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
.Op Ar dump-file
.Bd -ragged -offset indent
Writes the database in
.Dq machine readable text
form to the specified file, or to standard output. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl Fl decrypt
is used.
.Pp
If
.Fl Fl format=MIT
is used then the dump will be in MIT format.
This option may be used if you require that all principal
passwords be changed after loading the dump into an MIT KDC database.
.Pp
If
.Fl Fl format=<keytab-file>
is used, the
.Dq <keytab-file>
should hold the master key for the
MIT KDC (usually a file called /var/db/krb5kdc/.k5.YOUR.REALM).
This will cause the keys to be re-encrypted in the MIT master
key as well as doing the dump in MIT format.
When this dump is loaded into the MIT KDC's database,
the principals that had at least one strong encryption type
key should work and any keytabs for those principals should still work.
The principals with only weak encryption keys will require a
.Dq change_password
be done on the MIT KDC to get them working.
The
.Fl Fl decrypt
flag is meaningless for this case.
.Ed
.Pp
.Nm init
.Op Fl Fl realm-max-ticket-life= Ns Ar string
.Op Fl Fl realm-max-renewable-life= Ns Ar string
.Ar realm
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It's
possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Bd -ragged -offset indent
Similar to
.Nm load
but just modifies the database with the entries in the dump file.
.Ed
.Pp
.Nm stash
.Oo Fl e Ar enctype \*(Ba Xo
.Fl Fl enctype= Ns Ar enctype
.Xc
.Oc
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl Fl key-file= Ns Ar keyfile
.Xc
.Oc
.Op Fl Fl convert-file
.Op Fl Fl master-key-fd= Ns Ar fd
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.
.Ed
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmind 8 ,
.Xr kdc 8
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
373