-r realm
    Use realm as the default database realm.

-p principal
    Use principal to authenticate. Otherwise, kadmin will append /admin to the primary principal name of the default ccache, the value of the USER environment variable, or the username as obtained with getpwuid, in order of preference.

-k
    Use a keytab to decrypt the KDC response instead of prompting for a password. In this case, the default principal will be host/hostname. If there is no keytab specified with the -t option, then the default keytab will be used.

-t keytab
    Use keytab to decrypt the KDC response. This can only be used with the -k option.

-n
    Requests anonymous processing. Two types of anonymous principals are supported. For fully anonymous Kerberos, configure PKINIT on the KDC and configure pkinit_anchors in the client's krb5.conf(5). Then use the -n option with a principal of the form @REALM (an empty principal name followed by the at-sign and a realm name). If permitted by the KDC, an anonymous ticket will be returned. A second form of anonymous tickets is supported; these realm-exposed tickets hide the identity of the client but not the client's realm. For this mode, use kinit -n with a normal principal name. If supported by the KDC, the principal (but not realm) will be replaced by the anonymous principal. As of release 1.8, the MIT Kerberos KDC only supports fully anonymous operation.

-c credentials_cache
    Use credentials_cache as the credentials cache. The cache should contain a service ticket for the kadmin/admin or kadmin/ADMINHOST (where ADMINHOST is the fully-qualified hostname of the admin server) service; it can be acquired with the kinit(1) program. If this option is not specified, kadmin requests a new service ticket from the KDC, and stores it in its own temporary ccache.

-w password
    Use password instead of prompting for one. Use this option with care, as it may expose the password to other users on the system via the process list.

-q query
    Perform the specified query and then exit.

-d dbname
    Specifies the name of the KDC database. This option does not apply to the LDAP database module.

-s admin_server[:port]
    Specifies the admin server which kadmin should contact.

-m
    If using kadmin.local, prompt for the database master password instead of reading it from a stash file.

-e "enc:salt ..."
    Sets the keysalt list to be used for any new keys created. See Keysalt_lists in kdc.conf(5) for a list of possible values.

-O
    Force use of old AUTH_GSSAPI authentication flavor.

-N
    Prevent fallback to AUTH_GSSAPI authentication flavor.

-x db_args
    Specifies the database specific arguments. See the next section for supported options.

Starting with release 1.14, if any command-line arguments remain after the options, they will be treated as a single query to be executed. This mode of operation is intended for scripts and behaves differently from the interactive mode in several respects:
Supported options for the DB2 module are:

-x dbname=filename
    Specifies the base filename of the DB2 database.

-x lockiter
    Make iteration operations hold the lock for the duration of the entire operation, rather than temporarily releasing the lock while handling each principal. This is the default behavior, but this option exists to allow command line override of a [dbmodules] setting. First introduced in release 1.13.

-x unlockiter
    Make iteration operations unlock the database for each principal, instead of holding the lock for the duration of the entire operation. First introduced in release 1.13.

Supported options for the LDAP module are:
-x host=ldapuri
    Specifies the LDAP server to connect to by a LDAP URI.

-x binddn=bind_dn
    Specifies the DN used to bind to the LDAP server.

-x bindpwd=password
    Specifies the password or SASL secret used to bind to the LDAP server. Using this option may expose the password to other users on the system via the process list; to avoid this, instead stash the password using the stashsrvpw command of kdb5_ldap_util(8).

-x sasl_mech=mechanism
    Specifies the SASL mechanism used to bind to the LDAP server. The bind DN is ignored if a SASL mechanism is used. New in release 1.13.

-x sasl_authcid=name
    Specifies the authentication name used when binding to the LDAP server with a SASL mechanism, if the mechanism requires one. New in release 1.13.

-x sasl_authzid=name
    Specifies the authorization name used when binding to the LDAP server with a SASL mechanism. New in release 1.13.

-x sasl_realm=realm
    Specifies the realm used when binding to the LDAP server with a SASL mechanism, if the mechanism uses one. New in release 1.13.

-x debug=level
    Sets the OpenLDAP client library debug level. level is an integer to be interpreted by the library. Debugging messages are printed to standard error. New in release 1.12.
-expire expdate
    (getdate string) The expiration date of the principal.

-pwexpire pwexpdate
    (getdate string) The password expiration date.

-maxlife maxlife
    (duration or getdate string) The maximum ticket life for the principal.

-maxrenewlife maxrenewlife
    (duration or getdate string) The maximum renewable life of tickets for the principal.

-kvno kvno
    The initial key version number.

-policy policy
    The password policy used by this principal. If not specified, the policy default is used if it exists (unless -clearpolicy is specified).

-clearpolicy
    Prevents any policy from being assigned when -policy is not specified.

{-|+}allow_postdated
    -allow_postdated prohibits this principal from obtaining postdated tickets. +allow_postdated clears this flag.

{-|+}allow_forwardable
    -allow_forwardable prohibits this principal from obtaining forwardable tickets. +allow_forwardable clears this flag.

{-|+}allow_renewable
    -allow_renewable prohibits this principal from obtaining renewable tickets. +allow_renewable clears this flag.

{-|+}allow_proxiable
    -allow_proxiable prohibits this principal from obtaining proxiable tickets. +allow_proxiable clears this flag.

{-|+}allow_dup_skey
    -allow_dup_skey disables user-to-user authentication for this principal by prohibiting others from obtaining a service ticket encrypted in this principal's TGT session key. +allow_dup_skey clears this flag.

{-|+}requires_preauth
    +requires_preauth requires this principal to preauthenticate before being allowed to kinit. -requires_preauth clears this flag. When +requires_preauth is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using preauthentication.

{-|+}requires_hwauth
    +requires_hwauth requires this principal to preauthenticate using a hardware device before being allowed to kinit. -requires_hwauth clears this flag. When +requires_hwauth is set on a service principal, the KDC will only issue service tickets for that service principal if the client's initial authentication was performed using a hardware device to preauthenticate.

{-|+}ok_as_delegate
    +ok_as_delegate sets the okay as delegate flag on tickets issued with this principal as the service. Clients may use this flag as a hint that credentials should be delegated when authenticating to the service. -ok_as_delegate clears this flag.

{-|+}allow_svr
    -allow_svr prohibits the issuance of service tickets for this principal. In release 1.17 and later, user-to-user service tickets are still allowed unless the -allow_dup_skey flag is also set. +allow_svr clears this flag.

{-|+}allow_tgs_req
    -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service ticket for this principal is not permitted. +allow_tgs_req clears this flag.

{-|+}allow_tix
    -allow_tix forbids the issuance of any tickets for this principal. +allow_tix clears this flag.

{-|+}needchange
    +needchange forces a password change on the next initial authentication to this principal. -needchange clears this flag.

{-|+}password_changing_service
    +password_changing_service marks this principal as a password change service principal.

{-|+}ok_to_auth_as_delegate
    +ok_to_auth_as_delegate allows this principal to acquire forwardable tickets to itself from arbitrary users, for use with constrained delegation.

{-|+}no_auth_data_required
    +no_auth_data_required prevents PAC or AD-SIGNEDPATH data from being added to service tickets for the principal.

{-|+}lockdown_keys
    +lockdown_keys prevents keys for this principal from leaving the KDC via kadmind. The chpass and extract operations are denied for a principal with this attribute. The chrand operation is allowed, but will not return the new keys. The delete and rename operations are also denied if this attribute is set, in order to prevent a malicious administrator from replacing principals like krbtgt/* or kadmin/* with new principals without the attribute. This attribute can be set via the network protocol, but can only be removed using kadmin.local.

-randkey
    Sets the key of the principal to a random value.

-nokey
    Causes the principal to be created with no key. New in release 1.12.

-pw password
    Sets the password of the principal to the specified string and does not prompt for a password. Note: using this option in a shell script may expose the password to other users on the system via the process list.

-e enc:salt,...
    Uses the specified keysalt list for setting the keys of the principal. See Keysalt_lists in kdc.conf(5) for a list of possible values.
-x db_princ_args
    Indicates database-specific options. The options for the LDAP database module are:

    -x dn=dn
        Specifies the LDAP object that will contain the Kerberos principal being created.

    -x linkdn=dn
        Specifies the LDAP object to which the newly created Kerberos principal object will point.

    -x containerdn=container_dn
        Specifies the container object under which the Kerberos principal is to be created.

    -x tktpolicy=policy
        Associates a ticket policy to the Kerberos principal.

Example:

    kadmin: addprinc jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU"; defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
    Principal "jennifer@ATHENA.MIT.EDU" created.
    kadmin:
-unlock
    Unlocks a locked principal (one which has received too many failed authentication attempts without enough time between them according to its password policy) so that it can successfully authenticate.

-randkey
    Sets the key of the principal to a random value.

-pw password
    Set the password to the specified string. Using this option in a script may expose the password to other users on the system via the process list.

-e enc:salt,...
    Uses the specified keysalt list for setting the keys of the principal. See Keysalt_lists in kdc.conf(5) for a list of possible values.

-keepold
    Keeps the existing keys in the database. This flag is usually not necessary except perhaps for krbtgt principals.

Example:

    kadmin: cpw systest
    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
    kadmin:
    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, aes256-cts-hmac-sha384-192
    MKey: vno 1
    Attributes:
    Policy: [none]
    kadmin: getprinc -terse systest
    systest@BLEEP.COM 3 86400 604800 1 785926535 753241234 785900000 tlyu/admin@BLEEP.COM 786100034 0 0
    kadmin:

    kadmin: listprincs test*
    test3@SECURE-TEST.OV.COM
    test2@SECURE-TEST.OV.COM
    test1@SECURE-TEST.OV.COM
    testuser@SECURE-TEST.OV.COM
    kadmin:
require_auth
    Specifies an authentication indicator which is required to authenticate to the principal as a service. Multiple indicators can be specified, separated by spaces; in this case any of the specified indicators will be accepted. (New in release 1.14.)

session_enctypes
    Specifies the encryption types supported for session keys when the principal is authenticated to as a server. See Encryption_types in kdc.conf(5) for a list of the accepted values.

otp
    Enables One Time Passwords (OTP) preauthentication for a client principal. The value is a JSON string representing an array of objects, each having optional type and username fields.

pkinit_cert_match
    Specifies a matching expression that defines the certificate attributes required for the client certificate used by the principal during PKINIT authentication. The matching expression is in the same format as those used by the pkinit_cert_match option in krb5.conf(5). (New in release 1.16.)

pac_privsvr_enctype
    Forces the encryption type of the PAC KDC checksum buffers to the specified encryption type for tickets issued to this server, by deriving a key from the local krbtgt key if it is of a different encryption type. It may be necessary to set this value to "aes256-sha1" on the cross-realm krbtgt entry for an Active Directory realm when using aes-sha2 keys on the local krbtgt entry.

This command requires the modify privilege.

Alias: setstr

Example:

    set_string host/foo.mit.edu session_enctypes aes128-cts
    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
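The doubled quotes in the otp example are kadmin's own quoting rule, not JSON: kadmin reads its command line with libss, where an argument may be wrapped in double quotes and a doubled quote inside it ("") stands for one literal quote. The following is an added example, not kadmin's code, that builds a set_string otp command from a list of token objects and reads the value back through the same rules; ss_quote, ss_unquote, otp_set_string and stored_otp_tokens are this example's own names, and the only token fields it admits are the type and username fields the otp attribute documents.

```python
"""Quoting a JSON value for kadmin set_string (added example, not kadmin
code). libss treats "" inside a double-quoted argument as a literal quote,
so a JSON array has every quote doubled when typed at the kadmin prompt."""
import json


def ss_quote(value: str) -> str:
    """Wrap value in double quotes, doubling every embedded quote."""
    return '"' + value.replace('"', '""') + '"'


def ss_unquote(arg: str) -> str:
    """Undo ss_quote: the string kadmin actually stores for the argument."""
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        raise ValueError("argument is not double-quoted")
    return arg[1:-1].replace('""', '"')


def otp_set_string(principal: str, tokens: list) -> str:
    """Return the set_string command enabling OTP preauthentication for
    principal. tokens is a list of objects with optional type and username
    fields; anything else is rejected rather than silently stored."""
    for t in tokens:
        unknown = set(t) - {"type", "username"}
        if unknown:
            raise ValueError(f"unexpected otp token fields: {sorted(unknown)}")
    payload = json.dumps(tokens, separators=(",", ":"))  # no spaces, so one argument
    return f"set_string {principal} otp {ss_quote(payload)}"


def stored_otp_tokens(command: str) -> list:
    """Parse the token list back out of a command built by otp_set_string,
    i.e. check the round trip through kadmin's quoting."""
    _cmd, _principal, _attr, quoted = command.split(" ", 3)
    return json.loads(ss_unquote(quoted))
```

otp_set_string("user@FOO.COM", [{"type": "hotp", "username": "al"}]) reproduces the second line of the example above byte for byte; a token with a field other than type or username raises instead of being written to the KDC.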
-maxlife time
    (duration or getdate string) Sets the maximum lifetime of a password.

-minlife time
    (duration or getdate string) Sets the minimum lifetime of a password.

-minlength length
    Sets the minimum length of a password.

-minclasses number
    Sets the minimum number of character classes required in a password. The five character classes are lower case, upper case, numbers, punctuation, and whitespace/unprintable characters.

-history number
    Sets the number of past keys kept for a principal. This option is not supported with the LDAP KDC database module.

-maxfailure maxnumber
    Sets the number of authentication failures before the principal is locked. Authentication failures are only tracked for principals which require preauthentication. The counter of failed attempts resets to 0 after a successful attempt to authenticate. A maxnumber value of 0 (the default) disables lockout.

-failurecountinterval failuretime
    (duration or getdate string) Sets the allowable time between authentication failures. If an authentication failure happens after failuretime has elapsed since the previous failure, the number of authentication failures is reset to 1. A failuretime value of 0 (the default) means forever.

-lockoutduration lockouttime
    (duration or getdate string) Sets the duration for which the principal is locked from authenticating if too many authentication failures occur without the specified failure count interval elapsing. A duration of 0 (the default) means the principal remains locked out until it is administratively unlocked with modprinc -unlock.

-allowedkeysalts
    Specifies the key/salt tuples supported for long-term keys when setting or changing a principal's password/keys. See Keysalt_lists in kdc.conf(5) for a list of the accepted values, but note that key/salt tuples must be separated with commas (',') only. To clear the allowed key/salt policy use a value of '-'.

Example:

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
    kadmin:
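The interaction of -maxfailure, -failurecountinterval and -lockoutduration is easy to get wrong when writing a policy, so the following added example (not MIT Kerberos code, and not something that talks to a KDC) models the rules exactly as the options above document them: the five character classes for -minclasses, the -history window, a failure after the interval has elapsed restarting the count at 1, success resetting it to 0, and a lockoutduration of 0 locking the principal until modprinc -unlock. Policy, check_password, Lockout and simulate are this example's own names; it assumes that the current key counts toward the -history size and that an attempt arriving while the principal is locked is rejected without touching the counter.

```python
"""kadmin add_policy password and lockout rules, modelled offline
(added example, not MIT Kerberos code)."""
from dataclasses import dataclass
import string


@dataclass
class Policy:
    minlength: int = 0
    minclasses: int = 0
    history: int = 1               # keys kept; assumes the current key counts
    maxfailure: int = 0            # 0 (default) disables lockout
    failurecountinterval: int = 0  # seconds; 0 (default) means forever
    lockoutduration: int = 0       # seconds; 0 (default) = until modprinc -unlock


def char_classes(pw: str) -> int:
    """Number of the five kadmin character classes present in pw: lower,
    upper, digits, punctuation, and everything else (whitespace/unprintable)."""
    seen = set()
    for c in pw:
        if c.islower():
            seen.add("lower")
        elif c.isupper():
            seen.add("upper")
        elif c.isdigit():
            seen.add("digit")
        elif c in string.punctuation:
            seen.add("punct")
        else:
            seen.add("other")
    return len(seen)


def check_password(policy: Policy, pw: str, previous: list) -> list:
    """Return the policy violations for a proposed password (empty = accepted).
    previous lists earlier passwords newest first; with history=n the current
    one and the n-1 before it are refused."""
    problems = []
    if len(pw) < policy.minlength:
        problems.append(f"length {len(pw)} < minlength {policy.minlength}")
    n = char_classes(pw)
    if n < policy.minclasses:
        problems.append(f"{n} character classes < minclasses {policy.minclasses}")
    if pw in previous[:policy.history]:
        problems.append("password found in history")
    return problems


@dataclass
class Lockout:
    """Per-principal failure counter driven by a Policy."""
    policy: Policy
    fail_count: int = 0
    last_failed: int = 0  # epoch seconds of the most recent failure

    def is_locked(self, now: int) -> bool:
        p = self.policy
        if p.maxfailure == 0 or self.fail_count < p.maxfailure:
            return False
        if p.lockoutduration == 0:
            return True  # stays locked until unlock()
        return now < self.last_failed + p.lockoutduration

    def record(self, now: int, success: bool) -> None:
        """Apply one authentication attempt made at time now."""
        p = self.policy
        if success:
            self.fail_count = 0  # success resets the counter to 0
            return
        if p.failurecountinterval and now > self.last_failed + p.failurecountinterval:
            self.fail_count = 0  # interval elapsed: this failure counts as the first
        self.last_failed = now
        self.fail_count += 1

    def unlock(self) -> None:
        """What modprinc -unlock does."""
        self.fail_count = 0


def simulate(policy: Policy, attempts: list) -> list:
    """Replay (timestamp, success) attempts and report, per attempt, whether
    the principal was already locked when the attempt arrived."""
    state = Lockout(policy)
    verdicts = []
    for when, ok in attempts:
        locked = state.is_locked(when)
        verdicts.append(locked)
        if not locked:
            state.record(when, ok)
    return verdicts
```

Two things the simulation makes visible: with a nonzero lockoutduration but the default failurecountinterval of 0, the counter never decays on its own, so a single failure after the lockout expires re-locks the principal immediately; and with maxfailure left at 0 no sequence of failures ever locks anything, which is the state a freshly created policy is in.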
    kadmin: del_policy guests
    Are you sure you want to delete the policy "guests"? (yes/no): yes
    kadmin:

    kadmin: get_policy admin
    Policy: admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5
    Reference count: 17
    kadmin: get_policy -terse admin
    admin 15552000 0 6 2 5 17
    kadmin:

The "Reference count" is the number of principals using that policy. With the LDAP KDC database module, the reference count field is not meaningful.

    kadmin: listpols
    test-pol
    dict-only
    once-a-min
    test-pol-nopw
    kadmin: listpols t*
    test-pol
    test-pol-nopw
    kadmin:
    ktadd [options] principal
    ktadd [options] -glob princ-exp

Adds a principal, or all principals matching princ-exp, to a keytab file. Each principal's keys are randomized in the process. The rules for princ-exp are described in the list_principals command. This command requires the inquire and changepw privileges. With the -glob form, it also requires the list privilege. The options are:

-k[eytab] keytab
    Use keytab as the keytab file. Otherwise, the default keytab is used.

-e enc:salt,...
    Uses the specified keysalt list for setting the new keys of the principal. See Keysalt_lists in kdc.conf(5) for a list of possible values.

-q
    Display less verbose information.

-norandkey
    Do not randomize the keys. The keys and their version numbers stay unchanged. This option cannot be specified in combination with the -e option.

An entry for each of the principal's unique encryption types is added, ignoring multiple keys with the same encryption type but different salt types.

Alias: xst

Example:

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3, encryption type aes256-cts-hmac-sha1-96 added to keytab FILE:/tmp/foo-new-keytab
    kadmin:
-k[eytab] keytab
    Use keytab as the keytab file. Otherwise, the default keytab is used.

-q
    Display less verbose information.

Alias: ktrem

Example:

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab FILE:/etc/krb5.keytab
    kadmin:
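What ktadd writes and ktremove edits is a FILE: keytab, and being able to read one without klist is useful when auditing which hosts hold which service keys. The following added example (not MIT Kerberos code) parses the version 2 keytab format: the bytes 05 02, then entries each prefixed by a signed 32-bit big-endian length, containing a 16-bit component count, a counted realm, the counted components, a 32-bit name type, a 32-bit timestamp, an 8-bit vno, a 16-bit enctype, a counted key and, when room remains, a 32-bit vno that overrides the 8-bit one if it is nonzero. A negative length marks a slot that a removal has freed, which is how ktremove's "all" shows up on disk: the bytes stay until the file is rewritten. The writer exists only to construct a sample keytab in memory so the example runs offline; enctype numbers are the RFC 3961 registry values, and list_keytab, remove_entries, keytab_entry and the other names are this example's own.

```python
"""Reading and editing a version 2 keytab (added example, not MIT code)."""
import struct

ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
                 19: "aes128-cts-hmac-sha256-128", 20: "aes256-cts-hmac-sha384-192"}
KRB5_NT_PRINCIPAL = 1


def _counted(data: bytes) -> bytes:
    """Counted octet string: 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(data)) + data


def keytab_entry(principal: str, kvno: int, enctype: int, key: bytes,
                 timestamp: int = 0) -> bytes:
    """Serialise one entry for a principal written as name[/instance]@REALM."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", KRB5_NT_PRINCIPAL, timestamp, kvno & 0xFF)
    body += struct.pack(">H", enctype) + _counted(key)
    body += struct.pack(">I", kvno)  # 32-bit vno extension, needed when kvno > 255
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: list) -> bytes:
    return b"\x05\x02" + b"".join(entries)


def _slots(blob: bytes):
    """Yield (offset of length field, signed length, raw bytes) for every slot."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 2 keytab")
    pos = 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        yield pos, size, blob[pos + 4:pos + 4 + abs(size)]
        pos += 4 + abs(size)


def _decode(raw: bytes) -> dict:
    """Decode one live entry into principal / kvno / enctype / key."""
    off = 0

    def take_counted() -> bytes:
        nonlocal off
        (n,) = struct.unpack_from(">H", raw, off)
        off += 2
        data = raw[off:off + n]
        off += n
        return data

    (ncomp,) = struct.unpack_from(">H", raw, off)
    off += 2
    realm = take_counted().decode()
    comps = [take_counted().decode() for _ in range(ncomp)]
    _name_type, timestamp, vno8 = struct.unpack_from(">IIB", raw, off)
    off += 9
    (enctype,) = struct.unpack_from(">H", raw, off)
    off += 2
    key = take_counted()
    kvno = vno8
    if off + 4 <= len(raw):  # vno32 present; it wins when nonzero
        (vno32,) = struct.unpack_from(">I", raw, off)
        kvno = vno32 or vno8
    return {"principal": "/".join(comps) + "@" + realm, "kvno": kvno,
            "enctype": ENCTYPE_NAMES.get(enctype, f"etype {enctype}"),
            "timestamp": timestamp, "key": key}


def list_keytab(blob: bytes) -> list:
    """The live entries in file order, roughly what `klist -k -e` prints."""
    return [_decode(raw) for _, size, raw in _slots(blob) if size > 0]


def remove_entries(blob: bytes, principal: str, kvno=None) -> bytes:
    """Emulate ktremove: free each matching slot (kvno=None means all) by
    negating its length and zeroing its contents; the file keeps its size."""
    out = bytearray(blob)
    for pos, size, raw in _slots(blob):
        if size <= 0:
            continue
        entry = _decode(raw)
        if entry["principal"] == principal and (kvno is None or entry["kvno"] == kvno):
            struct.pack_into(">i", out, pos, -size)
            out[pos + 4:pos + 4 + size] = bytes(size)
    return bytes(out)


# Constructed sample, not a real keytab: what ktadd host/foo.mit.edu leaves
# behind when the KDC holds aes256 and aes128 keys, plus a principal whose
# kvno exceeds 255 so the 32-bit vno extension is exercised.
SAMPLE_KEYTAB = build_keytab([
    keytab_entry("host/foo.mit.edu@ATHENA.MIT.EDU", 3, 18, bytes(range(32)), 1700000000),
    keytab_entry("host/foo.mit.edu@ATHENA.MIT.EDU", 3, 17, bytes(range(16)), 1700000000),
    keytab_entry("HTTP/www.mit.edu@ATHENA.MIT.EDU", 300, 20, bytes(range(32)), 1700000000),
])
```

Because a removed entry is only marked free, key material that ktremove "removed" still sits on disk until the keytab is rewritten; if the old key is considered compromised, also roll it with ktadd (which randomizes the key on the KDC) rather than relying on the removal alone.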