.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. Neither the name of the Institute nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.Nd Kerberos administration utility
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
.Op Fl l | Fl Fl local
.Op Fl v | Fl Fl version
program is used to make modifications to the Kerberos database, either remotely via the
daemon, or locally (with the
.It Fl p Ar string , Fl Fl principal= Ns Ar string
principal to authenticate as
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
keytab for authentication principal
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
.It Fl l , Fl Fl local
is given on the command line,
will prompt for commands to process. Some of the commands that take
one or more principals as argument
will accept a glob-style wildcard, and perform the operation on all
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl attributes= Ns Ar attributes
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Op Fl Fl policy= Ns Ar policy-name
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
The only policy supported by Heimdal servers is
.Op Fl r | Fl Fl random-key
.Ar principal enctypes...
.Bd -ragged -offset indent
Adds a new encryption type to the principal; only random keys are
.Bd -ragged -offset indent
.Ar principal enctypes...
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
.Oo Fl k Ar string \*(Ba Xo
.Fl Fl keytab= Ns Ar string
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals. Requires
.Op Fl l | Fl Fl long
.Op Fl s | Fl Fl short
.Op Fl t | Fl Fl terse
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
.Bd -ragged -offset indent
Lists the matching principals; short format prints the result as a table,
while long format produces more verbose output. Which columns to
print can be selected with the
option. The argument is a comma-separated list of column names,
optionally appended with an equal sign
and a column header. Which columns are printed by default differs
slightly between short and long output.
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
Possible column names include:
.Li princ_expire_time ,
.Li last_pwd_change ,
.Li fail_auth_count ,
.Oo Fl a Ar attributes \*(Ba Xo
.Fl Fl attributes= Ns Ar attributes
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Op Fl Fl kvno= Ns Ar number
.Op Fl Fl policy= Ns Ar policy-name
.Bd -ragged -offset indent
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.
The only policy supported by Heimdal is
Possible attributes are:
.Li pwchange-service ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user
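The following is an added example and is not part of this manual page or of Heimdal itself. It strings together the commands described above (add with a random key, keytab extraction, modify with attributes, and list with column selection) into a non-interactive provisioning and hardening script for a service principal. It assumes it runs as root on the KDC, since local mode (-l) opens the database directly; the realm, host name, lifetimes and keytab path are illustrative; the keytab extraction command is invoked under the name Heimdal uses for it, ext_keytab, because the command-name lines are missing from this copy of the page; and KADMIN may be pointed at a stub for testing.

```shell
#!/bin/sh
# Added example, not part of the Heimdal kadmin(8) page: provision and
# harden a service principal with kadmin in local mode (-l). Local mode
# opens the database directly, so this must run as root on the KDC.
# Realm, host names, lifetimes and the keytab path are illustrative.
set -eu

KADMIN="${KADMIN:-kadmin}"   # point at a stub (e.g. a shell function) to test

# "add" prompts for every option not given on the command line, so pass
# them all to keep the call non-interactive. --random-key avoids a
# human-chosen password for a service, and requires-pre-auth stops the
# KDC from returning an AS-REP encrypted under the principal's long-term
# key to an unauthenticated requester (material for offline guessing).
provision_service_principal() {
    princ=$1
    "$KADMIN" -l add --random-key \
        --max-ticket-life='1 day' \
        --max-renewable-life='1 week' \
        --attributes=requires-pre-auth \
        --expiration-time=never \
        --pw-expiration-time=never \
        "$princ"
}

# Extract the principal's keys into a keytab. The file holds long-term
# keys, so the umask (set in a subshell, leaving the caller's untouched)
# keeps it at mode 0600 or tighter.
export_keytab() {
    princ=$1
    keytab=$2
    ( umask 077; "$KADMIN" -l ext_keytab -k "$keytab" "$princ" )
}

# Tighten a principal after the fact. Attributes are comma separated;
# a leading "-" clears one instead (the page's own example clears
# disallow-proxiable that way).
forbid_delegation() {
    "$KADMIN" -l modify -a disallow-forwardable,disallow-proxiable "$1"
}

# Review: a terse table of expiry, last password change and failed
# pre-authentication count for every principal matching a glob
# (column names taken from the page; the glob defaults to "*").
audit_principals() {
    "$KADMIN" -l list -s \
        -o principal,princ_expire_time,last_pwd_change,fail_auth_count "${1:-*}"
}
```

Typical use is `provision_service_principal host/www.example.com@EXAMPLE.COM`, then `export_keytab host/www.example.com@EXAMPLE.COM /etc/krb5.keytab` on the KDC and copying the keytab to the service host over an authenticated channel; `forbid_delegation` is for principals that never need to act on a user's behalf, and `audit_principals 'host/*'` gives a quick view of stale or brute-forced service accounts.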
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Bd -ragged -offset indent
Changes the password of an existing principal.
.Bd -ragged -offset indent
Runs the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is always done locally; even if kadmin is run in remote mode,
no RPC call is made to the server.
.Bd -ragged -offset indent
Lists the operations you are allowed to perform. These include
.Li change-password ,
.Bd -ragged -offset indent
Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients that are unable to cope with this will fail. Kerberos 4
.Bd -ragged -offset indent
Checks the database for strange configurations on important principals. If
no realm is given, the default realm is used.
When running in local mode, the following commands can also be used:
.Op Fl d | Fl Fl decrypt
.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
.Bd -ragged -offset indent
Writes the database in
.Dq machine readable text
form to the specified file, or to standard output. If the database is
encrypted, the dump will also have encrypted keys, unless
is used, then the dump will be in MIT format. Otherwise it will be in
.Op Fl Fl realm-max-ticket-life= Ns Ar string
.Op Fl Fl realm-max-renewable-life= Ns Ar string
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It's
possible to have more than one realm served by one server.
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
.Bd -ragged -offset indent
but just modifies the database with the entries in the dump file.
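The following is an added example, not code from this page or from Heimdal, covering the local-mode backup and restore commands described above (dump, load and merge). The point it makes is the one the dump description states: a plain dump of an encrypted database still contains only master-key-encrypted keys, while a dump taken with -d/--decrypt puts plaintext long-term keys on disk, so the script refuses to do that unless explicitly told to, and creates every dump file with a restrictive umask. It assumes it runs as root on the KDC, the paths are illustrative, the ALLOW_PLAINTEXT_KEYS variable is this script's own convention, and KADMIN may be pointed at a stub for testing.

```shell
#!/bin/sh
# Added example, not part of the Heimdal kadmin(8) page: backup and
# restore of the KDC database with kadmin in local mode. Runs as root
# on the KDC; paths are illustrative; ALLOW_PLAINTEXT_KEYS is a
# convention of this script only.
set -eu

KADMIN="${KADMIN:-kadmin}"   # point at a stub (e.g. a shell function) to test

# Default backup: keys stay encrypted under the master key, so the dump
# is no more sensitive than the database file itself. The umask in the
# subshell still keeps the file at mode 0600 or tighter.
dump_database() {
    out=$1
    ( umask 077; "$KADMIN" -l dump "$out" )
}

# Decrypted dump (-d): every long-term key ends up in plaintext in the
# output. Refuse unless the caller opts in explicitly; the result must
# never be written to a shared or backed-up location.
dump_database_decrypted() {
    out=$1
    if [ "${ALLOW_PLAINTEXT_KEYS:-0}" != 1 ]; then
        echo "refusing decrypted dump of $out without ALLOW_PLAINTEXT_KEYS=1" >&2
        return 2
    fi
    ( umask 077; "$KADMIN" -l dump -d "$out" )
}

# Restore: "load" re-creates the database from the dump, while "merge"
# only applies the entries in the dump on top of the existing database.
restore_database() {
    "$KADMIN" -l load "$1"
}

merge_database() {
    "$KADMIN" -l merge "$1"
}
```

A dump taken without -d is the one to keep for disaster recovery, together with the master key file written by stash; the decrypted form is only needed when migrating keys to a KDC that does not share the master key, and should be shredded as soon as the load on the other side has succeeded.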
.Oo Fl e Ar enctype \*(Ba Xo
.Fl Fl enctype= Ns Ar enctype
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl Fl key-file= Ns Ar keyfile
.Op Fl Fl convert-file
.Op Fl Fl master-key-fd= Ns Ar fd
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.