.. _kadmin(1):

kadmin
======

SYNOPSIS
--------

.. _kadmin_synopsis:

**kadmin**
[**-O**\|\ **-N**]
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
[**-w** *password*]
[**-s** *admin_server*\ [:*port*]]
[command args...]

**kadmin.local**
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[**-d** *dbname*]
[**-e** *enc*:*salt* ...]
[**-m**]
[**-x** *db_args*]
[command args...]


DESCRIPTION
-----------

kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system.  They provide nearly identical functionality;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using :ref:`kadmind(8)`.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions.  kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).

The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST``
(where *ADMINHOST* is the fully-qualified hostname of the admin
server).  If the credentials cache contains a ticket for one of these
principals, and the **-c** credentials_cache option is specified, that
ticket is used to authenticate to kadmind.  Otherwise, the **-p** and
**-k** options are used to specify the client Kerberos principal name
used to authenticate.  Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.

Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database.  If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.


OPTIONS
-------

.. _kadmin_options:

**-r** *realm*
    Use *realm* as the default database realm.

**-p** *principal*
    Use *principal* to authenticate.  Otherwise, kadmin will append
    ``/admin`` to the primary principal name of the default ccache,
    the value of the **USER** environment variable, or the username as
    obtained with getpwuid, in order of preference.

**-k**
    Use a keytab to decrypt the KDC response instead of prompting for
    a password.  In this case, the default principal will be
    ``host/hostname``.  If there is no keytab specified with the
    **-t** option, then the default keytab will be used.

**-t** *keytab*
    Use *keytab* to decrypt the KDC response.  This can only be used
    with the **-k** option.

**-n**
    Requests anonymous processing.  Two types of anonymous principals
    are supported.  For fully anonymous Kerberos, configure PKINIT on
    the KDC and configure **pkinit_anchors** in the client's
    :ref:`krb5.conf(5)`.  Then use the **-n** option with a principal
    of the form ``@REALM`` (an empty principal name followed by the
    at-sign and a realm name).  If permitted by the KDC, an anonymous
    ticket will be returned.  A second form of anonymous tickets is
    supported; these realm-exposed tickets hide the identity of the
    client but not the client's realm.  For this mode, use ``kinit
    -n`` with a normal principal name.  If supported by the KDC, the
    principal (but not realm) will be replaced by the anonymous
    principal.  As of release 1.8, the MIT Kerberos KDC only supports
    fully anonymous operation.

**-c** *credentials_cache*
    Use *credentials_cache* as the credentials cache.  The cache
    should contain a service ticket for the ``kadmin/admin`` or
    ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified
    hostname of the admin server) service; it can be acquired with the
    :ref:`kinit(1)` program.  If this option is not specified, kadmin
    requests a new service ticket from the KDC, and stores it in its
    own temporary ccache.

**-w** *password*
    Use *password* instead of prompting for one.  Use this option with
    care, as it may expose the password to other users on the system
    via the process list.

**-q** *query*
    Perform the specified query and then exit.

**-d** *dbname*
    Specifies the name of the KDC database.  This option does not
    apply to the LDAP database module.

**-s** *admin_server*\ [:*port*]
    Specifies the admin server which kadmin should contact.

**-m**
    If using kadmin.local, prompt for the database master password
    instead of reading it from a stash file.

**-e** "*enc*:*salt* ..."
    Sets the keysalt list to be used for any new keys created.  See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible
    values.

**-O**
    Force use of old AUTH_GSSAPI authentication flavor.

**-N**
    Prevent fallback to AUTH_GSSAPI authentication flavor.

**-x** *db_args*
    Specifies the database-specific arguments.  See the next section
    for supported options.

Starting with release 1.14, if any command-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:

* Query arguments are split by the shell, not by kadmin.
* Informational and warning messages are suppressed.  Error messages
  and query output (e.g. for **get_principal**) will still be
  displayed.
* Confirmation prompts are disabled (as if **-force** was given).
  Password prompts will still be issued as required.
* The exit status will be non-zero if the query fails.

The **-q** option does not carry these behavior differences; the query
will be processed as if it was entered interactively.  The **-q**
option cannot be used in combination with a query in the remaining
arguments.

.. _dboptions:

DATABASE OPTIONS
----------------

Database options can be used to override database-specific defaults.
Supported options for the DB2 module are:

    **-x dbname=**\ *filename*
        Specifies the base filename of the DB2 database.

    **-x lockiter**
        Make iteration operations hold the lock for the duration of
        the entire operation, rather than temporarily releasing the
        lock while handling each principal.  This is the default
        behavior, but this option exists to allow command line
        override of a [dbmodules] setting.  First introduced in
        release 1.13.

    **-x unlockiter**
        Make iteration operations unlock the database for each
        principal, instead of holding the lock for the duration of the
        entire operation.  First introduced in release 1.13.

Supported options for the LDAP module are:

    **-x host=**\ *ldapuri*
        Specifies the LDAP server to connect to by a LDAP URI.

    **-x binddn=**\ *bind_dn*
        Specifies the DN used to bind to the LDAP server.

    **-x bindpwd=**\ *password*
        Specifies the password or SASL secret used to bind to the LDAP
        server.  Using this option may expose the password to other
        users on the system via the process list; to avoid this,
        instead stash the password using the **stashsrvpw** command of
        :ref:`kdb5_ldap_util(8)`.

    **-x sasl_mech=**\ *mechanism*
        Specifies the SASL mechanism used to bind to the LDAP server.
        The bind DN is ignored if a SASL mechanism is used.  New in
        release 1.13.

    **-x sasl_authcid=**\ *name*
        Specifies the authentication name used when binding to the
        LDAP server with a SASL mechanism, if the mechanism requires
        one.  New in release 1.13.

    **-x sasl_authzid=**\ *name*
        Specifies the authorization name used when binding to the LDAP
        server with a SASL mechanism.
        New in release 1.13.

    **-x sasl_realm=**\ *realm*
        Specifies the realm used when binding to the LDAP server with
        a SASL mechanism, if the mechanism uses one.  New in release
        1.13.

    **-x debug=**\ *level*
        Sets the OpenLDAP client library debug level.  *level* is an
        integer to be interpreted by the library.  Debugging messages
        are printed to standard error.  New in release 1.12.


COMMANDS
--------

When using the remote client, available commands may be restricted
according to the privileges specified in the :ref:`kadm5.acl(5)` file
on the admin server.

.. _add_principal:

add_principal
~~~~~~~~~~~~~

    **add_principal** [*options*] *newprinc*

Creates the principal *newprinc*, prompting twice for a password.  If
no password policy is specified with the **-policy** option, the
policy named ``default`` is assigned to the principal if it exists.
However, creating a policy named ``default`` will not automatically
assign this policy to previously existing principals.  This policy
assignment can be suppressed with the **-clearpolicy** option.

This command requires the **add** privilege.

Aliases: **addprinc**, **ank**

Options:

**-expire** *expdate*
    (:ref:`getdate` string) The expiration date of the principal.

**-pwexpire** *pwexpdate*
    (:ref:`getdate` string) The password expiration date.

**-maxlife** *maxlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life
    for the principal.

**-maxrenewlife** *maxrenewlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum renewable
    life of tickets for the principal.

**-kvno** *kvno*
    The initial key version number.

**-policy** *policy*
    The password policy used by this principal.  If not specified, the
    policy ``default`` is used if it exists (unless **-clearpolicy**
    is specified).

**-clearpolicy**
    Prevents any policy from being assigned when **-policy** is not
    specified.

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets.  **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets.  **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets.  **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets.  **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for this
    principal by prohibiting others from obtaining a service ticket
    encrypted in this principal's TGT session key.
    **+allow_dup_skey** clears this flag.

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to preauthenticate
    before being allowed to kinit.  **-requires_preauth** clears this
    flag.  When **+requires_preauth** is set on a service principal,
    the KDC will only issue service tickets for that service principal
    if the client's initial authentication was performed using
    preauthentication.

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to preauthenticate
    using a hardware device before being allowed to kinit.
    **-requires_hwauth** clears this flag.  When **+requires_hwauth** is
    set on a service principal, the KDC will only issue service tickets
    for that service principal if the client's initial authentication was
    performed using a hardware device to preauthenticate.

{-\|+}\ **ok_as_delegate**
    **+ok_as_delegate** sets the **okay as delegate** flag on tickets
    issued with this principal as the service.  Clients may use this
    flag as a hint that credentials should be delegated when
    authenticating to the service.  **-ok_as_delegate** clears this
    flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for this
    principal.  In release 1.17 and later, user-to-user service
    tickets are still allowed unless the **-allow_dup_skey** flag is
    also set.  **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
    request for a service ticket for this principal is not permitted.
    **+allow_tgs_req** clears this flag.

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal.  **+allow_tix** clears this flag.

{-\|+}\ **needchange**
    **+needchange** forces a password change on the next initial
    authentication to this principal.  **-needchange** clears this
    flag.

{-\|+}\ **password_changing_service**
    **+password_changing_service** marks this principal as a password
    change service principal.

{-\|+}\ **ok_to_auth_as_delegate**
    **+ok_to_auth_as_delegate** allows this principal to acquire
    forwardable tickets to itself from arbitrary users, for use with
    constrained delegation.

{-\|+}\ **no_auth_data_required**
    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
    being added to service tickets for the principal.

{-\|+}\ **lockdown_keys**
    **+lockdown_keys** prevents keys for this principal from leaving
    the KDC via kadmind.  The chpass and extract operations are denied
    for a principal with this attribute.  The chrand operation is
    allowed, but will not return the new keys.  The delete and rename
    operations are also denied if this attribute is set, in order to
    prevent a malicious administrator from replacing principals like
    krbtgt/* or kadmin/* with new principals without the attribute.
    This attribute can be set via the network protocol, but can only
    be removed using kadmin.local.

**-randkey**
    Sets the key of the principal to a random value.

**-nokey**
    Causes the principal to be created with no key.  New in release
    1.12.

**-pw** *password*
    Sets the password of the principal to the specified string and
    does not prompt for a password.  Note: using this option in a
    shell script may expose the password to other users on the system
    via the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-x** *db_princ_args*
    Indicates database-specific options.  The options for the LDAP
    database module are:

    **-x dn=**\ *dn*
        Specifies the LDAP object that will contain the Kerberos
        principal being created.

    **-x linkdn=**\ *dn*
        Specifies the LDAP object to which the newly created Kerberos
        principal object will point.

    **-x containerdn=**\ *container_dn*
        Specifies the container object under which the Kerberos
        principal is to be created.

    **-x tktpolicy=**\ *policy*
        Associates a ticket policy to the Kerberos principal.

    .. note::

        - The **containerdn** and **linkdn** options cannot be
          specified with the **dn** option.
        - If the *dn* or *containerdn* options are not specified while
          adding the principal, the principals are created under the
          principal container configured in the realm or the realm
          container.
        - *dn* and *containerdn* should be within the subtrees or
          principal container configured in the realm.

Example::

    kadmin: addprinc jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU";
    defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
    Principal "jennifer@ATHENA.MIT.EDU" created.
    kadmin:

.. _modify_principal:

modify_principal
~~~~~~~~~~~~~~~~

    **modify_principal** [*options*] *principal*

Modifies the specified principal, changing the fields as specified.
The options to **add_principal** also apply to this command, except
for the **-randkey**, **-pw**, and **-e** options.  In addition, the
option **-clearpolicy** will clear the current policy of a principal.

This command requires the *modify* privilege.

Alias: **modprinc**

Options (in addition to the **addprinc** options):

**-unlock**
    Unlocks a locked principal (one which has received too many failed
    authentication attempts without enough time between them according
    to its password policy) so that it can successfully authenticate.

.. _rename_principal:

rename_principal
~~~~~~~~~~~~~~~~

    **rename_principal** [**-force**] *old_principal* *new_principal*

Renames the specified *old_principal* to *new_principal*.  This
command prompts for confirmation, unless the **-force** option is
given.

This command requires the **add** and **delete** privileges.

Alias: **renprinc**

.. _delete_principal:

delete_principal
~~~~~~~~~~~~~~~~

    **delete_principal** [**-force**] *principal*

Deletes the specified *principal* from the database.  This command
prompts for confirmation, unless the **-force** option is given.

This command requires the **delete** privilege.

Alias: **delprinc**

.. _change_password:

change_password
~~~~~~~~~~~~~~~

    **change_password** [*options*] *principal*

Changes the password of *principal*.  Prompts for a new password if
neither **-randkey** nor **-pw** is specified.

This command requires the **changepw** privilege, or that the
principal running the program is the same as the principal being
changed.

Alias: **cpw**

The following options are available:

**-randkey**
    Sets the key of the principal to a random value.

**-pw** *password*
    Set the password to the specified string.  Using this option in a
    script may expose the password to other users on the system via
    the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-keepold**
    Keeps the existing keys in the database.  This flag is usually not
    necessary except perhaps for ``krbtgt`` principals.

Example::

    kadmin: cpw systest
    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
    kadmin:

.. _purgekeys:

purgekeys
~~~~~~~~~

    **purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*

Purges previously retained old keys (e.g., from **change_password
-keepold**) from *principal*.  If **-keepkvno** is specified, then
only purges keys with kvnos lower than *oldest_kvno_to_keep*.  If
**-all** is specified, then all keys are purged.  The **-all** option
is new in release 1.12.

This command requires the **modify** privilege.

.. _get_principal:

get_principal
~~~~~~~~~~~~~

    **get_principal** [**-terse**] *principal*

Gets the attributes of *principal*.  With the **-terse** option, outputs
fields as quoted tab-separated strings.

This command requires the **inquire** privilege, or that the principal
running the program is the same as the one being listed.

Alias: **getprinc**

Examples::

    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, aes256-cts-hmac-sha384-192
    MKey: vno 1
    Attributes:
    Policy: [none]

    kadmin: getprinc -terse systest
    systest@BLEEP.COM    3    86400    604800    1
    785926535    753241234    785900000
    tlyu/admin@BLEEP.COM    786100034    0    0
    kadmin:

.. _list_principals:

list_principals
~~~~~~~~~~~~~~~

    **list_principals** [*expression*]

Retrieves all or some principal names.  *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``.  All principal names matching the expression are
printed.  If no expression is provided, all principal names are
printed.  If the expression does not contain an ``@`` character, an
``@`` character followed by the local realm is appended to the
expression.

This command requires the **list** privilege.

Alias: **listprincs**, **get_principals**, **getprincs**

Example::

    kadmin: listprincs test*
    test3@SECURE-TEST.OV.COM
    test2@SECURE-TEST.OV.COM
    test1@SECURE-TEST.OV.COM
    testuser@SECURE-TEST.OV.COM
    kadmin:

.. _get_strings:

get_strings
~~~~~~~~~~~

    **get_strings** *principal*

Displays string attributes on *principal*.

This command requires the **inquire** privilege.

Alias: **getstrs**

.. _set_string:

set_string
~~~~~~~~~~

    **set_string** *principal* *name* *value*

Sets a string attribute on *principal*.  String attributes are used to
supply per-principal configuration to the KDC and some KDC plugin
modules.  The following string attribute names are recognized by the
KDC:

**require_auth**
    Specifies an authentication indicator which is required to
    authenticate to the principal as a service.  Multiple indicators
    can be specified, separated by spaces; in this case any of the
    specified indicators will be accepted.  (New in release 1.14.)

**session_enctypes**
    Specifies the encryption types supported for session keys when the
    principal is the server being authenticated to.  See
    :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
    accepted values.

**otp**
    Enables One Time Passwords (OTP) preauthentication for a client
    *principal*.  The *value* is a JSON string representing an array
    of objects, each having optional ``type`` and ``username`` fields.

**pkinit_cert_match**
    Specifies a matching expression that defines the certificate
    attributes required for the client certificate used by the
    principal during PKINIT authentication.  The matching expression
    is in the same format as those used by the **pkinit_cert_match**
    option in :ref:`krb5.conf(5)`.  (New in release 1.16.)

**pac_privsvr_enctype**
    Forces the encryption type of the PAC KDC checksum buffers to the
    specified encryption type for tickets issued to this server, by
    deriving a key from the local krbtgt key if it is of a different
    encryption type.  It may be necessary to set this value to
    "aes256-sha1" on the cross-realm krbtgt entry for an Active
    Directory realm when using aes-sha2 keys on the local krbtgt
    entry.

This command requires the **modify** privilege.

Alias: **setstr**

Example::

    set_string host/foo.mit.edu session_enctypes aes128-cts
    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"

.. _del_string:

del_string
~~~~~~~~~~

    **del_string** *principal* *key*

Deletes a string attribute from *principal*.

This command requires the **delete** privilege.

Alias: **delstr**

.. _add_policy:

add_policy
~~~~~~~~~~

    **add_policy** [*options*] *policy*

Adds a password policy named *policy* to the database.

This command requires the **add** privilege.

Alias: **addpol**

The following options are available:

**-maxlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the maximum
    lifetime of a password.

**-minlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the minimum
    lifetime of a password.

**-minlength** *length*
    Sets the minimum length of a password.

**-minclasses** *number*
    Sets the minimum number of character classes required in a
    password.  The five character classes are lower case, upper case,
    numbers, punctuation, and whitespace/unprintable characters.

**-history** *number*
    Sets the number of past keys kept for a principal.  This option is
    not supported with the LDAP KDC database module.

.. _policy_maxfailure:

**-maxfailure** *maxnumber*
    Sets the number of authentication failures before the principal is
    locked.  Authentication failures are only tracked for principals
    which require preauthentication.  The counter of failed attempts
    resets to 0 after a successful attempt to authenticate.  A
    *maxnumber* value of 0 (the default) disables lockout.

.. _policy_failurecountinterval:

**-failurecountinterval** *failuretime*
    (:ref:`duration` or :ref:`getdate` string) Sets the allowable time
    between authentication failures.  If an authentication failure
    happens after *failuretime* has elapsed since the previous
    failure, the number of authentication failures is reset to 1.  A
    *failuretime* value of 0 (the default) means forever.

.. _policy_lockoutduration:

**-lockoutduration** *lockouttime*
    (:ref:`duration` or :ref:`getdate` string) Sets the duration for
    which the principal is locked from authenticating if too many
    authentication failures occur without the specified failure count
    interval elapsing.  A duration of 0 (the default) means the
    principal remains locked out until it is administratively unlocked
    with ``modprinc -unlock``.

**-allowedkeysalts** *keysalts*
    Specifies the key/salt tuples supported for long-term keys when
    setting or changing a principal's password/keys.  See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
    accepted values, but note that key/salt tuples must be separated
    with commas (',') only.  To clear the allowed key/salt policy use
    a value of '-'.

Example::

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
    kadmin:

.. _modify_policy:

modify_policy
~~~~~~~~~~~~~

    **modify_policy** [*options*] *policy*

Modifies the password policy named *policy*.  Options are as described
for **add_policy**.

This command requires the **modify** privilege.

Alias: **modpol**

.. _delete_policy:

delete_policy
~~~~~~~~~~~~~

    **delete_policy** [**-force**] *policy*

Deletes the password policy named *policy*.  Prompts for confirmation
before deletion.  The command will fail if the policy is in use by any
principals.

This command requires the **delete** privilege.

Alias: **delpol**

Example::

    kadmin: del_policy guests
    Are you sure you want to delete the policy "guests"?
    (yes/no): yes
    kadmin:

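The interplay of the **add_policy** lockout options described above (**-maxfailure**, **-failurecountinterval**, **-lockoutduration**) and of ``modprinc -unlock`` is easy to misjudge when tuning a policy; the following added example (not MIT Kerberos code) replays the documented counter rules on constructed attempt timelines.  It assumes integer seconds, that a principal refused while locked does not advance its counter, and that the state fields stand for the "Failed password attempts" and "Last failed authentication" values shown by **getprinc**.

```python
"""Model of kadmin password-policy lockout rules (added example, not KDC code).

Rules taken from the add_policy documentation:
  * failures are tracked only for principals with +requires_preauth
  * a successful authentication resets the counter to 0
  * a failure more than failurecountinterval seconds after the previous
    one restarts the counter at 1 (0 means the interval is forever)
  * reaching maxfailure locks the principal for lockoutduration seconds
    (0 means locked until "modprinc -unlock")
  * maxfailure 0 disables lockout entirely
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    maxfailure: int = 0            # -maxfailure      (0 = lockout disabled)
    failurecountinterval: int = 0  # -failurecountinterval, seconds (0 = forever)
    lockoutduration: int = 0       # -lockoutduration, seconds (0 = until unlock)


@dataclass
class PrincipalState:
    """Constructed stand-in for the per-principal counters getprinc reports."""
    requires_preauth: bool = True
    fail_auth_count: int = 0              # "Failed password attempts"
    last_failed: Optional[int] = None     # "Last failed authentication", None = never


def is_locked(state: PrincipalState, policy: LockoutPolicy, now: int) -> bool:
    """True if initial authentication is currently refused for this principal."""
    if policy.maxfailure == 0 or state.fail_auth_count < policy.maxfailure:
        return False
    if policy.lockoutduration == 0:
        return True                       # stays locked until administrative unlock
    return now < state.last_failed + policy.lockoutduration


def record_attempt(state: PrincipalState, policy: LockoutPolicy,
                   now: int, success: bool) -> str:
    """Apply one AS-REQ outcome; returns "locked", "ok" or "failed".

    Assumption of this model: an attempt refused because the principal is
    locked leaves the counters untouched.
    """
    if is_locked(state, policy, now):
        return "locked"
    if success:
        state.fail_auth_count = 0         # counter resets after a successful attempt
        return "ok"
    if not state.requires_preauth:
        return "failed"                   # failures are only tracked with preauth
    interval = policy.failurecountinterval
    if interval and state.last_failed is not None and now - state.last_failed > interval:
        state.fail_auth_count = 0         # interval elapsed: this failure counts as 1
    state.fail_auth_count += 1
    state.last_failed = now
    return "failed"


def unlock(state: PrincipalState) -> None:
    """Equivalent of ``modprinc -unlock``: clear the failure counter."""
    state.fail_auth_count = 0
    state.last_failed = None


def scenario(policy: LockoutPolicy,
             attempts: List[Tuple[int, bool]]) -> Tuple[List[str], PrincipalState]:
    """Replay (time, success) attempts against a fresh principal."""
    state = PrincipalState()
    return [record_attempt(state, policy, t, ok) for t, ok in attempts], state


def demo() -> dict:
    # Three failures inside the 60 s interval trigger a 300 s lockout: the
    # correct password is refused at t=100 and accepted again at t=400.
    policy = LockoutPolicy(maxfailure=3, failurecountinterval=60, lockoutduration=300)
    burst, _ = scenario(policy, [(0, False), (10, False), (20, False), (100, True), (400, True)])
    # Failures spaced more than 60 s apart never take the counter past 1.
    spaced, _ = scenario(policy, [(0, False), (100, False), (200, False), (300, True)])
    # lockoutduration 0: locked indefinitely until an administrator unlocks.
    hard = LockoutPolicy(maxfailure=3, lockoutduration=0)
    results, state = scenario(hard, [(0, False), (1, False), (2, False), (10**6, True)])
    unlock(state)
    after_unlock = record_attempt(state, hard, 10**6 + 1, True)
    return {"burst": burst, "spaced": spaced, "hard": results, "after_unlock": after_unlock}


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```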
.. _get_policy:

get_policy
~~~~~~~~~~

    **get_policy** [**-terse**] *policy*

Displays the values of the password policy named *policy*.  With the
**-terse** flag, outputs the fields as quoted strings separated by
tabs.

This command requires the **inquire** privilege.

Alias: **getpol**

Examples::

    kadmin: get_policy admin
    Policy: admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5
    Reference count: 17

    kadmin: get_policy -terse admin
    admin    15552000    0    6    2    5    17
    kadmin:

The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.

.. _list_policies:

list_policies
~~~~~~~~~~~~~

    **list_policies** [*expression*]

Retrieves all or some policy names.  *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``.  All policy names matching the expression are
printed.  If no expression is provided, all existing policy names are
printed.

This command requires the **list** privilege.

Aliases: **listpols**, **get_policies**, **getpols**.

Examples::

    kadmin: listpols
    test-pol
    dict-only
    once-a-min
    test-pol-nopw

    kadmin: listpols t*
    test-pol
    test-pol-nopw
    kadmin:

.. _ktadd:

ktadd
~~~~~

    | **ktadd** [options] *principal*
    | **ktadd** [options] **-glob** *princ-exp*

Adds a *principal*, or all principals matching *princ-exp*, to a
keytab file.  Each principal's keys are randomized in the process.
The rules for *princ-exp* are described in the **list_principals**
command.

This command requires the **inquire** and **changepw** privileges.
With the **-glob** form, it also requires the **list** privilege.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file.  Otherwise, the default keytab is
    used.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the new keys of the
    principal.  See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-q**
    Display less verbose information.

**-norandkey**
    Do not randomize the keys.  The keys and their version numbers stay
    unchanged.  This option cannot be specified in combination with the
    **-e** option.

An entry for each of the principal's unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.

Alias: **xst**

Example::

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
         encryption type aes256-cts-hmac-sha1-96 added to keytab
         FILE:/tmp/foo-new-keytab
    kadmin:

.. _ktremove:

ktremove
~~~~~~~~

    **ktremove** [options] *principal* [*kvno* | *all* | *old*]

Removes entries for the specified *principal* from a keytab.  Requires
no permissions, since this does not require database access.

If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed.  Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file.  Otherwise, the default keytab is
    used.

**-q**
    Display less verbose information.

Alias: **ktrem**

Example::

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab
         FILE:/etc/krb5.keytab
    kadmin:

lock
~~~~

Lock database exclusively.  Use with extreme caution!  This command
only works with the DB2 KDC database module.

unlock
~~~~~~

Release the exclusive database lock.

list_requests
~~~~~~~~~~~~~

Lists the requests available in kadmin.

Aliases: **lr**, **?**

quit
~~~~

Exit program.  If the database was locked, the lock is released.

Aliases: **exit**, **q**


HISTORY
-------

The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`