« back to all changes in this revision
Viewing changes to .pc/050_kadmin_to_usr_bin/kadmin/kadmin.8
- browse files at revision 47
- compare with another revision
- download diff
- download tarball
- view history from revision 47
- Committer: Package Import Robot
- Author(s): Jelmer Vernooij
- Date: 2014-06-01 21:55:06 UTC
- Revision ID: package-import@ubuntu.com-20140601215506-f2m94c90z0q0kovl
Tags: 1.6~rc2+dfsg-7
* Use alternatives for kpasswd, ksu, kdestroy, kswitch, kadmin and ktutil.
+ Allows installation together with krb5-user. Closes: #482528
* Move kadmin and ktutil from /usr/sbin to /usr/bin. Closes: #168170
+ Allows installation together with krb5-user. Closes: #482528
* Move kadmin and ktutil from /usr/sbin to /usr/bin. Closes: #168170
- files added:
- .pc/050_kadmin_to_usr_bin
- .pc/050_kadmin_to_usr_bin/admin
- .pc/050_kadmin_to_usr_bin/kadmin
- .pc/050_kadmin_to_usr_bin/lib
- .pc/050_kadmin_to_usr_bin/lib/krb5
- files removed:
- admin/ktutil.8
- files modified:
- .pc/applied-patches
added
removed
.pc/050_kadmin_to_usr_bin/kadmin/kadmin.8
1
.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
2
.\" (Royal Institute of Technology, Stockholm, Sweden).
3
.\" All rights reserved.
4
.\"
5
.\" Redistribution and use in source and binary forms, with or without
6
.\" modification, are permitted provided that the following conditions
7
.\" are met:
8
.\"
9
.\" 1. Redistributions of source code must retain the above copyright
10
.\" notice, this list of conditions and the following disclaimer.
11
.\"
12
.\" 2. Redistributions in binary form must reproduce the above copyright
13
.\" notice, this list of conditions and the following disclaimer in the
14
.\" documentation and/or other materials provided with the distribution.
15
.\"
16
.\" 3. Neither the name of the Institute nor the names of its contributors
17
.\" may be used to endorse or promote products derived from this software
18
.\" without specific prior written permission.
19
.\"
20
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
21
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
24
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
25
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
26
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
27
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
28
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
29
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
30
.\" SUCH DAMAGE.
31
.\"
32
.\" $Id$
33
.\"
34
.Dd Feb 22, 2007
35
.Dt KADMIN 8
36
.Os HEIMDAL
37
.Sh NAME
38
.Nm kadmin
39
.Nd Kerberos administration utility
40
.Sh SYNOPSIS
41
.Nm
42
.Bk -words
43
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
44
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
45
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
46
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
47
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
48
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
49
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
50
.Op Fl l | Fl Fl local
51
.Op Fl h | Fl Fl help
52
.Op Fl v | Fl Fl version
53
.Op Ar command
54
.Ek
55
.Sh DESCRIPTION
56
The
57
.Nm
58
program is used to make modifications to the Kerberos database, either remotely via the
59
.Xr kadmind 8
60
daemon, or locally (with the
61
.Fl l
62
option).
63
.Pp
64
Supported options:
65
.Bl -tag -width Ds
66
.It Fl p Ar string , Fl Fl principal= Ns Ar string
67
principal to authenticate as
68
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
69
keytab for authentication principal
70
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
71
location of config file
72
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
73
location of master key file
74
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
75
realm to use
76
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
77
server to contact
78
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
79
port to use
80
.It Fl l , Fl Fl local
81
local admin mode
82
.El
83
.Pp
84
If no
85
.Ar command
86
is given on the command line,
87
.Nm
88
will prompt for commands to process. Some of the commands that take
89
one or more principals as argument
90
.Ns ( Nm delete ,
91
.Nm ext_keytab ,
92
.Nm get ,
93
.Nm modify ,
94
and
95
.Nm passwd )
96
will accept a glob style wildcard, and perform the operation on all
97
matching principals.
98
.Pp
99
Commands include:
100
.\" not using a list here, since groff apparently gets confused
101
.\" with nested Xo/Xc
102
.Pp
103
.Nm add
104
.Op Fl r | Fl Fl random-key
105
.Op Fl Fl random-password
106
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
107
.Op Fl Fl key= Ns Ar string
108
.Op Fl Fl max-ticket-life= Ns Ar lifetime
109
.Op Fl Fl max-renewable-life= Ns Ar lifetime
110
.Op Fl Fl attributes= Ns Ar attributes
111
.Op Fl Fl expiration-time= Ns Ar time
112
.Op Fl Fl pw-expiration-time= Ns Ar time
113
.Op Fl Fl policy= Ns Ar policy-name
114
.Ar principal...
115
.Bd -ragged -offset indent
116
Adds a new principal to the database. The options not passed on the
117
command line will be promped for.
118
The only policy supported by Heimdal servers is
119
.Q1 default .
120
.Ed
121
.Pp
122
.Nm add_enctype
123
.Op Fl r | Fl Fl random-key
124
.Ar principal enctypes...
125
.Pp
126
.Bd -ragged -offset indent
127
Adds a new encryption type to the principal, only random key are
128
supported.
129
.Ed
130
.Pp
131
.Nm delete
132
.Ar principal...
133
.Bd -ragged -offset indent
134
Removes a principal.
135
.Ed
136
.Pp
137
.Nm del_enctype
138
.Ar principal enctypes...
139
.Bd -ragged -offset indent
140
Removes some enctypes from a principal; this can be useful if the
141
service belonging to the principal is known to not handle certain
142
enctypes.
143
.Ed
144
.Pp
145
.Nm ext_keytab
146
.Oo Fl k Ar string \*(Ba Xo
147
.Fl Fl keytab= Ns Ar string
148
.Xc
149
.Oc
150
.Ar principal...
151
.Bd -ragged -offset indent
152
Creates a keytab with the keys of the specified principals. Requires
153
get-keys rights.
154
.Ed
155
.Pp
156
.Nm get
157
.Op Fl l | Fl Fl long
158
.Op Fl s | Fl Fl short
159
.Op Fl t | Fl Fl terse
160
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
161
.Ar principal...
162
.Bd -ragged -offset indent
163
Lists the matching principals, short prints the result as a table,
164
while long format produces a more verbose output. Which columns to
165
print can be selected with the
166
.Fl o
167
option. The argument is a comma separated list of column names
168
optionally appended with an equal sign
169
.Pq Sq =
170
and a column header. Which columns are printed by default differ
171
slightly between short and long output.
172
.Pp
173
The default terse output format is similar to
174
.Fl s o Ar principal= ,
175
just printing the names of matched principals.
176
.Pp
177
Possible column names include:
178
.Li principal ,
179
.Li princ_expire_time ,
180
.Li pw_expiration ,
181
.Li last_pwd_change ,
182
.Li max_life ,
183
.Li max_rlife ,
184
.Li mod_time ,
185
.Li mod_name ,
186
.Li attributes ,
187
.Li kvno ,
188
.Li mkvno ,
189
.Li last_success ,
190
.Li last_failed ,
191
.Li fail_auth_count ,
192
.Li policy ,
193
and
194
.Li keytypes .
195
.Ed
196
.Pp
197
.Nm modify
198
.Oo Fl a Ar attributes \*(Ba Xo
199
.Fl Fl attributes= Ns Ar attributes
200
.Xc
201
.Oc
202
.Op Fl Fl max-ticket-life= Ns Ar lifetime
203
.Op Fl Fl max-renewable-life= Ns Ar lifetime
204
.Op Fl Fl expiration-time= Ns Ar time
205
.Op Fl Fl pw-expiration-time= Ns Ar time
206
.Op Fl Fl kvno= Ns Ar number
207
.Op Fl Fl policy= Ns Ar policy-name
208
.Ar principal...
209
.Bd -ragged -offset indent
210
Modifies certain attributes of a principal. If run without command
211
line options, you will be prompted. With command line options, it will
212
only change the ones specified.
213
.Pp
214
Only policy supported by Heimdal is
215
.Q1 default .
216
.Pp
217
Possible attributes are:
218
.Li new-princ ,
219
.Li support-desmd5 ,
220
.Li pwchange-service ,
221
.Li disallow-svr ,
222
.Li requires-pw-change ,
223
.Li requires-hw-auth ,
224
.Li requires-pre-auth ,
225
.Li disallow-all-tix ,
226
.Li disallow-dup-skey ,
227
.Li disallow-proxiable ,
228
.Li disallow-renewable ,
229
.Li disallow-tgt-based ,
230
.Li disallow-forwardable ,
231
.Li disallow-postdated
232
.Pp
233
Attributes may be negated with a "-", e.g.,
234
.Pp
235
kadmin -l modify -a -disallow-proxiable user
236
.Ed
237
.Pp
238
.Nm passwd
239
.Op Fl Fl keepold
240
.Op Fl r | Fl Fl random-key
241
.Op Fl Fl random-password
242
.Oo Fl p Ar string \*(Ba Xo
243
.Fl Fl password= Ns Ar string
244
.Xc
245
.Oc
246
.Op Fl Fl key= Ns Ar string
247
.Ar principal...
248
.Bd -ragged -offset indent
249
Changes the password of an existing principal.
250
.Ed
251
.Pp
252
.Nm password-quality
253
.Ar principal
254
.Ar password
255
.Bd -ragged -offset indent
256
Run the password quality check function locally.
257
You can run this on the host that is configured to run the kadmind
258
process to verify that your configuration file is correct.
259
The verification is done locally, if kadmin is run in remote mode,
260
no rpc call is done to the server.
261
.Ed
262
.Pp
263
.Nm privileges
264
.Bd -ragged -offset indent
265
Lists the operations you are allowed to perform. These include
266
.Li add ,
267
.Li add_enctype ,
268
.Li change-password ,
269
.Li delete ,
270
.Li del_enctype ,
271
.Li get ,
272
.Li get-keys ,
273
.Li list ,
274
and
275
.Li modify .
276
.Ed
277
.Pp
278
.Nm rename
279
.Ar from to
280
.Bd -ragged -offset indent
281
Renames a principal. This is normally transparent, but since keys are
282
salted with the principal name, they will have a non-standard salt,
283
and clients which are unable to cope with this will fail. Kerberos 4
284
suffers from this.
285
.Ed
286
.Pp
287
.Nm check
288
.Op Ar realm
289
.Pp
290
.Bd -ragged -offset indent
291
Check database for strange configurations on important principals. If
292
no realm is given, the default realm is used.
293
.Ed
294
.Pp
295
When running in local mode, the following commands can also be used:
296
.Pp
297
.Nm dump
298
.Op Fl d | Fl Fl decrypt
299
.Op Fl f Ns Ar format | Fl Fl format= Ns Ar format
300
.Op Ar dump-file
301
.Bd -ragged -offset indent
302
Writes the database in
303
.Dq machine readable text
304
form to the specified file, or standard out. If the database is
305
encrypted, the dump will also have encrypted keys, unless
306
.Fl Fl decrypt
307
is used. If
308
.Fl Fl format=MIT
309
is used then the dump will be in MIT format. Otherwise it will be in
310
Heimdal format.
311
.Ed
312
.Pp
313
.Nm init
314
.Op Fl Fl realm-max-ticket-life= Ns Ar string
315
.Op Fl Fl realm-max-renewable-life= Ns Ar string
316
.Ar realm
317
.Bd -ragged -offset indent
318
Initializes the Kerberos database with entries for a new realm. It's
319
possible to have more than one realm served by one server.
320
.Ed
321
.Pp
322
.Nm load
323
.Ar file
324
.Bd -ragged -offset indent
325
Reads a previously dumped database, and re-creates that database from
326
scratch.
327
.Ed
328
.Pp
329
.Nm merge
330
.Ar file
331
.Bd -ragged -offset indent
332
Similar to
333
.Nm load
334
but just modifies the database with the entries in the dump file.
335
.Ed
336
.Pp
337
.Nm stash
338
.Oo Fl e Ar enctype \*(Ba Xo
339
.Fl Fl enctype= Ns Ar enctype
340
.Xc
341
.Oc
342
.Oo Fl k Ar keyfile \*(Ba Xo
343
.Fl Fl key-file= Ns Ar keyfile
344
.Xc
345
.Oc
346
.Op Fl Fl convert-file
347
.Op Fl Fl master-key-fd= Ns Ar fd
348
.Bd -ragged -offset indent
349
Writes the Kerberos master key to a file used by the KDC.
350
.Ed
351
.\".Sh ENVIRONMENT
352
.\".Sh FILES
353
.\".Sh EXAMPLES
354
.\".Sh DIAGNOSTICS
355
.Sh SEE ALSO
356
.Xr kadmind 8 ,
357
.Xr kdc 8
358
.\".Sh STANDARDS
359
.\".Sh HISTORY
360
.\".Sh AUTHORS
361
.\".Sh BUGS
Loggerhead is a web-based interface for Breezy
Version: 2.0.1