This is krb5-admin.info, produced by makeinfo version 4.5 from

Copyright (C) 1985-2010 by the Massachusetts Institute of Technology.

INFO-DIR-SECTION Kerberos
* krb5-admin: (krb5-admin).            Kerberos V5 Administrator's Guide

File: krb5-admin.info, Node: Retrieving a List of Principals, Prev: Attributes, Up: Retrieving Information About a Principal

Retrieving a List of Principals
...............................

To generate a listing of principals, use the `kadmin' `list_principals'
command, which requires the "list" privilege.  The syntax is:

     list_principals [expression]

where expression is a shell-style glob expression that can contain the
characters `*', `?', `[', and `]'.  All principal names matching the
expression are displayed.  The `list_principals' command has the
aliases `listprincs', `get_principals', and `getprincs'.  For example:

     kadmin: listprincs test*
     testuser@ATHENA.MIT.EDU

If no expression is provided, all principals are printed.

File: krb5-admin.info, Node: Privileges, Next: Adding or Modifying Principals, Prev: Retrieving Information About a Principal, Up: Principals

Privileges
----------

Administrative privileges for the Kerberos database are stored in the
file `kadm5.acl'.

The format of the file is:

     Kerberos_principal      permissions     [target_principal]  [restrictions]

The Kerberos principal (and optional target principal) can include the
"*" wildcard, so if you want any principal with the instance "admin" to
have full permissions on the database, you could use the principal
"`*/admin@REALM'" where "REALM" is your Kerberos realm.
`target_principal' can also include backreferences to
`Kerberos_principal', in which "*number" matches the component number
in the `Kerberos_principal'.

Note: a common use of an admin instance is so you can grant separate
permissions (such as administrator access to the Kerberos database) to
a separate Kerberos principal.  For example, the user `joeadmin' might
have a principal for his administrative use, called `joeadmin/admin'.
This way, `joeadmin' would obtain `joeadmin/admin' tickets only when he
actually needs to use those permissions.

The permissions are represented by single letters; UPPER-CASE letters
represent negative permissions.  The permissions are:

`a'
     allows the addition of principals or policies in the database.

`A'
     disallows the addition of principals or policies in the database.

`d'
     allows the deletion of principals or policies in the database.

`D'
     disallows the deletion of principals or policies in the database.

`m'
     allows the modification of principals or policies in the database.

`M'
     disallows the modification of principals or policies in the
     database.

`c'
     allows the changing of passwords for principals in the database.

`C'
     disallows the changing of passwords for principals in the database.

`i'
     allows inquiries to the database.

`I'
     disallows inquiries to the database.

`l'
     allows the listing of principals or policies in the database.

`L'
     disallows the listing of principals or policies in the database.

`s'
     allows the explicit setting of the key for a principal.

`S'
     disallows the explicit setting of the key for a principal.

`*'
     All privileges (admcil).

`x'
     All privileges (admcil); identical to "*".

The restrictions are a string of flags.  Allowed restrictions are:

`[+-]flag'
     flag is forced to the indicated value.  The permissible flags are
     the same as the `+' and `-' flags for the `kadmin addprinc' and
     `modprinc' commands.

`-clearpolicy'
     policy is forced to clear.

`-policy pol'
     policy is forced to be pol.

`-{expire,pwexpire,maxlife,maxrenewlife} time'
     associated value will be forced to MIN(time, requested value).

The above flags act as restrictions on any add or modify operation
which is allowed due to that ACL line.

Here is an example of a `kadm5.acl' file.  Note that order is
important; permissions are determined by the first matching entry.

     */admin@ATHENA.MIT.EDU    *
     joeadmin@ATHENA.MIT.EDU   ADMCIL
     joeadmin/*@ATHENA.MIT.EDU il    */root@ATHENA.MIT.EDU
     *@ATHENA.MIT.EDU          cil   *1/admin@ATHENA.MIT.EDU
     *@ATHENA.MIT.EDU          i
     */admin@EXAMPLE.COM       *     -maxlife 9h -postdateable

In the above file, any principal in the ATHENA.MIT.EDU realm with an
`admin' instance has all administrative privileges.  The user `joeadmin'
has all permissions with his `admin' instance,
`joeadmin/admin@ATHENA.MIT.EDU' (matches the first line).  He has no
permissions at all with his `null' instance, `joeadmin@ATHENA.MIT.EDU'
(matches the second line).  His root instance has inquire and list
permissions with any other principal that has the instance `root'.  Any
principal in ATHENA.MIT.EDU can inquire, list, or change the password of
their `admin' instance, but not any other `admin' instance.  Any
principal in the realm `ATHENA.MIT.EDU' (except for
`joeadmin@ATHENA.MIT.EDU', as mentioned above) has inquire privileges.
Finally, any principal with an admin instance in EXAMPLE.COM has all
permissions, but any principal that they create or modify will not be
able to get postdateable tickets or tickets with a life of longer than
nine hours.

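The first-match, wildcard, backreference and restriction rules above, as
an added worked example in Python (this is not code from the krb5
distribution and does not reproduce kadmind's own ACL parser).  It reads
the example `kadm5.acl' from this section, answers whether a given
administrator may perform an operation on a given target, and applies the
matching line's restrictions to a requested add/modify.  Assumptions,
marked in the code: `*' matches one whole principal component, a third
field is a target unless it starts with `+' or `-', `*' and `x' expand to
"admcil" as stated above, and the duration parser only accepts
`Ns', `Nm', `Nh' and `Nd'.

```python
# Added example (not krb5 code): evaluate kadm5.acl lines as described
# in the Privileges section.  Assumptions are marked "assumption".
import re

FULL = "admcil"        # what the text says "*" and "x" stand for

# Constructed copy of the example kadm5.acl from the text above.
EXAMPLE_ACL = """\
*/admin@ATHENA.MIT.EDU    *
joeadmin@ATHENA.MIT.EDU   ADMCIL
joeadmin/*@ATHENA.MIT.EDU il    */root@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU          cil   *1/admin@ATHENA.MIT.EDU
*@ATHENA.MIT.EDU          i
*/admin@EXAMPLE.COM       *     -maxlife 9h -postdateable
"""


def parse_acl(text):
    """Return (principal, perms, target, restrictions) per non-comment line.
    Assumption: a third field starting with '+' or '-' is a restriction,
    anything else in that position is the optional target principal."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        princ, perms, rest = fields[0], fields[1], fields[2:]
        target = None
        if rest and rest[0][0] not in "+-":
            target = rest.pop(0)
        entries.append((princ, perms, target, rest))
    return entries


def _split(princ):
    """'joe/admin@REALM' -> (['joe', 'admin'], 'REALM')."""
    name, _, realm = princ.partition("@")
    return name.split("/"), realm


def _match(pattern, princ, admin_comps=None):
    """Component-wise match.  Assumption: '*' matches exactly one whole
    component.  '*N' (target patterns only, so only when admin_comps is
    given) must equal component N of the administrator's principal."""
    pcomps, prealm = _split(pattern)
    ccomps, crealm = _split(princ)
    if len(pcomps) != len(ccomps):
        return False
    for p, c in zip(pcomps + [prealm], ccomps + [crealm]):
        if p == "*":
            continue
        backref = re.fullmatch(r"\*(\d+)", p)
        if backref and admin_comps is not None:
            n = int(backref.group(1)) - 1
            if n >= len(admin_comps) or admin_comps[n] != c:
                return False
        elif p != c:
            return False
    return True


def find_entry(entries, admin, target=None):
    """First entry whose principal matches `admin` and whose target, if
    the entry has one, matches `target`.  Order decides: first match wins."""
    admin_comps, _ = _split(admin)
    for entry in entries:
        princ, _perms, tpat, _restr = entry
        if not _match(princ, admin):
            continue
        if tpat is not None and (target is None or
                                 not _match(tpat, target, admin_comps)):
            continue
        return entry
    return None


def allowed(entries, admin, op, target=None):
    """Is the single-letter permission `op` granted to admin (on target)?"""
    entry = find_entry(entries, admin, target)
    if entry is None:
        return False
    perms = FULL if entry[1] in ("*", "x") else entry[1]
    if op.upper() in perms:          # UPPER-CASE letter: explicit denial
        return False
    return op in perms


_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def _seconds(spec):
    """'9h' -> 32400.  Assumption/simplification: durations only; kadmin
    itself also accepts absolute dates for -expire and -pwexpire."""
    m = re.fullmatch(r"(\d+)([smhd])", spec)
    if not m:
        raise ValueError("unsupported time spec: %s" % spec)
    return int(m.group(1)) * _UNITS[m.group(2)]


def apply_restrictions(restrictions, request):
    """Force an ACL line's restrictions onto a requested add/modify.
    `request` maps option names to requested values, for example
    {'maxlife': 36000, 'postdateable': True}."""
    out = dict(request)
    toks = list(restrictions)
    while toks:
        tok = toks.pop(0)
        if tok == "-clearpolicy":
            out["policy"] = None
        elif tok == "-policy":
            out["policy"] = toks.pop(0)
        elif tok in ("-expire", "-pwexpire", "-maxlife", "-maxrenewlife"):
            limit = _seconds(toks.pop(0))
            key = tok[1:]
            out[key] = min(limit, out.get(key, limit))  # MIN(time, requested)
        else:
            out[tok[1:]] = tok.startswith("+")          # [+-]flag is forced
    return out


ENTRIES = parse_acl(EXAMPLE_ACL)

if __name__ == "__main__":
    print(allowed(ENTRIES, "joeadmin@ATHENA.MIT.EDU", "i"))        # False
    print(allowed(ENTRIES, "jennifer@ATHENA.MIT.EDU", "c",
                  "jennifer/admin@ATHENA.MIT.EDU"))                  # True
    entry = find_entry(ENTRIES, "alice/admin@EXAMPLE.COM")
    print(apply_restrictions(entry[3], {"maxlife": 36000,
                                        "postdateable": True}))
```

Two things the run makes visible: `joeadmin@ATHENA.MIT.EDU' is caught by
the `ADMCIL' line before the `*@ATHENA.MIT.EDU i' line is ever
considered, so with first-match semantics a negative letter and an absent
letter have the same effect on that principal; and a line with a target
is skipped when the target does not match, so the later, more general
line (or no line at all) decides the outcome.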
File: krb5-admin.info, Node: Adding or Modifying Principals, Next: Deleting Principals, Prev: Privileges, Up: Principals

Adding or Modifying Principals
------------------------------

To add a principal to the database, use the kadmin `add_principal'
command, which requires the "add" administrative privilege.  This
function creates the new principal, prompting twice for a password, and,
if neither the -policy nor -clearpolicy options are specified and the
policy "default" exists, assigns it that policy.  The syntax is:

     kadmin: add_principal [options] principal

To modify attributes of a principal, use the kadmin `modify_principal'
command, which requires the "modify" administrative privilege.  The
syntax is:

     kadmin: modify_principal [options] principal

`add_principal' has the aliases `addprinc' and `ank'(1).
`modify_principal' has the alias `modprinc'.

The `add_principal' and `modify_principal' commands take the following
switches:

`-x db_princ_args'
     Denotes the database specific options.

     The options for LDAP database are:

    `-x dn=<dn>'
          Specifies the LDAP object that will contain the Kerberos
          principal being created.

    `-x linkdn=<dn>'
          Specifies the LDAP object to which the newly created
          Kerberos principal object will point.

    `-x containerdn=<container_dn>'
          Specifies the container object under which the Kerberos
          principal is to be created.

    `-x tktpolicy=<policy>'
          Associates a ticket policy to the Kerberos principal.
          Specifying an empty string value clears the ticket policy
          associated with the principal.

     Note:

        * dn and containerdn options are not valid while modifying
          the principal.

        * containerdn and linkdn options cannot be specified with dn
          option.

        * If dn or containerdn options are not specified while
          adding the principal, the principals are created under the
          principal container configured in the realm or the realm
          container.

        * dn and containerdn should be within the subtrees or
          principal container configured in the realm.

`-expire date'
     Sets the expiration date of the principal to date.

`-pwexpire date'
     Sets the expiration date of the password to date.

`-maxlife maxlife'
     Sets the maximum ticket life of the principal to maxlife.

`-maxrenewlife maxrenewlife'
     Sets the maximum renewable life of tickets for the principal to
     maxrenewlife.

`-kvno number'
     Explicitly sets the key version number to number.  MIT does not
     recommend doing this unless there is a specific reason.

`-policy policy'
     Sets the policy used by this principal.  (*Note Policies::.)  With
     `modify_principal', the current policy assigned to the principal is
     set or changed.  With `add_principal', if this option is not
     supplied, the -clearpolicy is not specified, and the policy
     "default" exists, that policy is assigned.  If a principal is
     created with no policy, `kadmin' will print a warning message.

`-clearpolicy'
     For `modify_principal', removes the current policy from a
     principal.  For `add_principal', suppresses the automatic
     assignment of the policy "default".

`{-|+}allow_postdated'
     The "-allow_postdated" option prohibits this principal from
     obtaining postdated tickets.  "+allow_postdated" clears this flag.
     In effect, "-allow_postdated" sets the
     KRB5_KDB_DISALLOW_POSTDATED flag on the principal in the database.

`{-|+}allow_forwardable'
     The "-allow_forwardable" option prohibits this principal from
     obtaining forwardable tickets.  "+allow_forwardable" clears this
     flag.  In effect, "-allow_forwardable" sets the
     KRB5_KDB_DISALLOW_FORWARDABLE flag on the principal in the
     database.

`{-|+}allow_renewable'
     The "-allow_renewable" option prohibits this principal from
     obtaining renewable tickets.  "+allow_renewable" clears this flag.
     In effect, "-allow_renewable" sets the
     KRB5_KDB_DISALLOW_RENEWABLE flag on the principal in the database.

`{-|+}allow_proxiable'
     The "-allow_proxiable" option prohibits this principal from
     obtaining proxiable tickets.  "+allow_proxiable" clears this flag.
     In effect, "-allow_proxiable" sets the
     KRB5_KDB_DISALLOW_PROXIABLE flag on the principal in the database.

`{-|+}allow_dup_skey'
     The "-allow_dup_skey" option disables user-to-user authentication
     for this principal by prohibiting this principal from obtaining a
     session key for another user.  "+allow_dup_skey" clears this flag.
     In effect, "-allow_dup_skey" sets the
     KRB5_KDB_DISALLOW_DUP_SKEY flag on the principal in the database.

`{-|+}requires_preauth'
     The "+requires_preauth" option requires this principal to
     preauthenticate before being allowed to kinit.  "-requires_preauth"
     clears this flag.  In effect, "+requires_preauth" sets the
     KRB5_KDB_REQUIRES_PRE_AUTH flag on the principal in the database.

`{-|+}requires_hwauth'
     The "+requires_hwauth" flag requires the principal to
     preauthenticate using a hardware device before being allowed to
     kinit.  "-requires_hwauth" clears this flag.  In effect,
     "+requires_hwauth" sets the KRB5_KDB_REQUIRES_HW_AUTH flag on the
     principal in the database.

`{-|+}allow_svr'
     The "-allow_svr" flag prohibits the issuance of service tickets for
     this principal.  "+allow_svr" clears this flag.  In effect,
     "-allow_svr" sets the KRB5_KDB_DISALLOW_SVR flag on the principal
     in the database.

`{-|+}allow_tgs_req'
     The "-allow_tgs_req" option specifies that a Ticket-Granting
     Service (TGS) request for a service ticket for this principal is
     not permitted.  You will probably never need to use this option.
     "+allow_tgs_req" clears this flag.  The default is
     "+allow_tgs_req".  In effect, "-allow_tgs_req" sets the
     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the database.

`{-|+}allow_tix'
     The "-allow_tix" option forbids the issuance of any tickets for
     this principal.  "+allow_tix" clears this flag.  The default is
     "+allow_tix".  In effect, "-allow_tix" sets the
     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the database.

`{-|+}needchange'
     The "+needchange" option sets a flag in the attributes field to
     force a password change; "-needchange" clears it.  The default is
     "-needchange".  In effect, "+needchange" sets the
     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the database.

`{-|+}password_changing_service'
     The "+password_changing_service" option sets a flag in the
     attributes field marking this principal as a password change
     service.  (Again, you will probably never need to use this option.)
     "-password_changing_service" clears the flag.  The default is
     "-password_changing_service".  In effect, the
     "+password_changing_service" option sets the
     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the database.

`{-|+}ok_as_delegate'
     The "+ok_as_delegate" option sets a flag in tickets issued for the
     service principal.  Some client programs may recognize this flag as
     indicating that it is okay to delegate credentials to the service.
     If ok_as_delegate is set on a cross-realm TGT, it indicates that
     the foreign realm's ok_as_delegate flags should be honored by
     clients in the local realm.  The default is "-ok_as_delegate".

`-randkey'
     Sets the key for the principal to a random value (`add_principal'
     only).  MIT recommends using this option for host keys.

`-pw password'
     Sets the key of the principal to the specified string and does not
     prompt for a password (`add_principal' only).  MIT does not
     recommend using this option.

`-e "enc:salt..."'
     Uses the specified list of enctype-salttype pairs for setting the
     key of the principal.  The quotes are necessary if there are
     multiple enctype-salttype pairs.  This will not function against
     kadmin daemons earlier than krb5-1.2.  See *Note Supported
     Encryption Types:: and *Note Salts:: for available types.

If you want to just use the default values, all you need to do is:

     kadmin: addprinc jennifer
     WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
     defaulting to no policy.
     Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type it again.
     Principal "jennifer@ATHENA.MIT.EDU" created.

If you want to create a principal which is contained by an LDAP object,
all you need to do is:

     kadmin: addprinc -x dn=cn=jennifer,dc=example,dc=com jennifer
     WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
     defaulting to no policy.
     Enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal jennifer@ATHENA.MIT.EDU:  <= Type it again.
     Principal "jennifer@ATHENA.MIT.EDU" created.

If you want to create a principal under a specific LDAP container and
link to an existing LDAP object, all you need to do is:

     kadmin: addprinc -x containerdn=dc=example,dc=com -x linkdn=cn=david,dc=example,dc=com david
     WARNING: no policy specified for "david@ATHENA.MIT.EDU";
     defaulting to no policy.
     Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
     Principal "david@ATHENA.MIT.EDU" created.

If you want to associate a ticket policy to a principal, all you need
to do is:

     kadmin: modprinc -x tktpolicy=userpolicy david
     Principal "david@ATHENA.MIT.EDU" modified.

If, on the other hand, you want to set up an account that expires on
January 1, 2000, that uses a policy called "stduser", with a temporary
password (which you want the user to change immediately), you would type
the following.  (Note: each line beginning with => is a continuation
of the previous line.)

     kadmin: addprinc david -expire "1/1/2000 12:01am EST" -policy stduser
     Enter password for principal david@ATHENA.MIT.EDU:  <= Type the password.
     Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
     Principal "david@ATHENA.MIT.EDU" created.

If you will need cross-realm authentication, you need to add principals
for the other realm's TGT to each realm.  For example, if you need to
do cross-realm authentication between the realms ATHENA.MIT.EDU and
EXAMPLE.COM, you would need to add the principals
`krbtgt/EXAMPLE.COM@ATHENA.MIT.EDU' and
`krbtgt/ATHENA.MIT.EDU@EXAMPLE.COM' to both databases.  You need to be
sure the passwords and the key version numbers (kvno) are the same in
both databases.  This may require explicitly setting the kvno with the
`-kvno' option.  See *Note Cross-realm Authentication:: for more
details.

   ---------- Footnotes ----------

   (1) `ank' was the short form of the equivalent command using the
deprecated `kadmin5' database administrative tool.  It has been kept

File: krb5-admin.info, Node: Deleting Principals, Next: Changing Passwords, Prev: Adding or Modifying Principals, Up: Principals

Deleting Principals
-------------------

To delete a principal, use the kadmin `delete_principal' command, which
requires the "delete" administrative privilege.  The syntax is:

     delete_principal [-force] principal

`delete_principal' has the alias `delprinc'.  The `-force' option
causes `delete_principal' not to ask if you're sure.  For example:

     kadmin: delprinc jennifer
     Are you sure you want to delete the principal
     "jennifer@ATHENA.MIT.EDU"? (yes/no): yes
     Principal "jennifer@ATHENA.MIT.EDU" deleted.
     Make sure that you have removed this principal from
     all ACLs before reusing.

File: krb5-admin.info, Node: Changing Passwords, Prev: Deleting Principals, Up: Principals

Changing Passwords
------------------

To change a principal's password use the kadmin `change_password'
command, which requires the "changepw" administrative privilege (the
`c' letter in `kadm5.acl'), unless the principal is changing his/her
own password.  The syntax is:

     change_password [options] principal

The `change_password' command has the alias `cpw'.  `change_password'
takes the following options:

`-randkey'
     Sets the key of the principal to a random value.

`-pw password'
     Sets the password to the string password.  MIT does not recommend
     using this option.

`-e "enc:salt..."'
     Uses the specified list of enctype-salttype pairs for setting the
     key of the principal.  The quotes are necessary if there are
     multiple enctype-salttype pairs.  This will not function against
     kadmin daemons earlier than krb5-1.2.  See *Note Supported
     Encryption Types:: and *Note Salts:: for possible values.

`-keepold'
     Keeps the previous kvno's keys around.  This flag is usually not
     necessary except perhaps for TGS keys.  Don't use this flag unless
     you know what you're doing.  This option is not supported for the
     LDAP database.

For example:

     kadmin: cpw david
     Enter password for principal david@ATHENA.MIT.EDU:  <= Type the new password.
     Re-enter password for principal david@ATHENA.MIT.EDU:  <= Type it again.
     Password for david@ATHENA.MIT.EDU changed.

Note that `change_password' will not let you change the password to one
that is in the principal's password history.

File: krb5-admin.info, Node: Policies, Next: Global Operations on the Kerberos Database, Prev: Principals, Up: Administrating the Kerberos Database

Policies
========

A policy is a set of rules governing passwords.  Policies can dictate
minimum and maximum password lifetimes, minimum number of characters and
character classes a password must contain, and the number of old
passwords kept in the database.

* Menu:

* Retrieving Policies::
* Retrieving the List of Policies::
* Adding or Modifying Policies::
* Deleting Policies::
* Updating the History Key::

File: krb5-admin.info, Node: Retrieving Policies, Next: Retrieving the List of Policies, Prev: Policies, Up: Policies

Retrieving Policies
-------------------

To retrieve a policy, use the kadmin `get_policy' command, which
requires the "inquire" administrative privilege.  The syntax is:

     get_policy [-terse] policy

The `get_policy' command has the alias `getpol'.  For example:

     kadmin: get_policy admin
     Policy: admin
     Maximum password life: 180 days 00:00:00
     Minimum password life: 00:00:00
     Minimum password length: 6
     Minimum number of password character classes: 2
     Number of old keys kept: 5
     Reference count: 17

The "reference count" is the number of principals using that policy.

The `get_policy' command has a `-terse' option, which lists each field
as a quoted, tab-separated string, in the same order as the long form
above (lifetimes in seconds).  For example:

     kadmin: get_policy -terse admin
     admin   15552000        0       6       2       5       17

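The terse output above, as an added worked example in Python (this is
not code from the krb5 distribution): it parses a `-terse' line into the
seven fields in the order of the long listing, and then checks a
candidate password against that policy the way the rules in this chapter
describe (minimum length, minimum number of character classes, password
history, minimum password life).  Assumptions, marked in the code: the
five character classes (lower case, upper case, digits, punctuation,
everything else) are modelled on kadmind's check and are not stated on
this page, and the history count is taken to include the current
password.

```python
# Added example (not krb5 code): parse `get_policy -terse` output and
# check a candidate password against the policy.  Assumptions marked.
import string
from dataclasses import dataclass


@dataclass
class Policy:
    name: str
    max_life: int       # seconds; 0 means no maximum
    min_life: int       # seconds
    min_length: int
    min_classes: int
    history: int        # number of old keys kept
    refcount: int       # principals using the policy


def parse_terse(line):
    """Parse one line of `get_policy -terse` output.  The real output is
    tab-separated with each field quoted; whitespace-separated, unquoted
    output (as the listing above was rendered) is accepted as well."""
    raw = line.split("\t") if "\t" in line else line.split()
    fields = [f.strip().strip('"') for f in raw]
    if len(fields) != 7:
        raise ValueError("expected 7 fields, got %d" % len(fields))
    return Policy(fields[0], *(int(f) for f in fields[1:]))


def char_classes(password):
    """Number of distinct character classes present.  Assumption: the
    classes are lower, upper, digit, punctuation and other."""
    seen = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            seen.add("lower")
        elif ch in string.ascii_uppercase:
            seen.add("upper")
        elif ch in string.digits:
            seen.add("digit")
        elif ch in string.punctuation:
            seen.add("punct")
        else:
            seen.add("other")
    return len(seen)


def check_password(policy, password, previous=(), age_seconds=None):
    """Return the list of policy rules a change to `password` would break.
    `previous` lists earlier passwords, newest first, standing in for the
    key history kadmind keeps; `age_seconds` is the age of the current
    password (None means not checked)."""
    problems = []
    if len(password) < policy.min_length:
        problems.append("length < %d" % policy.min_length)
    if char_classes(password) < policy.min_classes:
        problems.append("character classes < %d" % policy.min_classes)
    # Assumption: the history count includes the current password, so the
    # most recent history-1 earlier passwords may not be reused.
    if password in list(previous)[:max(policy.history - 1, 0)]:
        problems.append("password is in history")
    if age_seconds is not None and age_seconds < policy.min_life:
        problems.append("password younger than minimum life")
    return problems


def max_life_days(policy):
    """Maximum password life in whole days (15552000 s -> 180 days)."""
    return policy.max_life // 86400


# Constructed sample: the terse line from the listing above.
SAMPLE = "admin\t15552000\t0\t6\t2\t5\t17"

if __name__ == "__main__":
    pol = parse_terse(SAMPLE)
    print(pol, "max life %d days" % max_life_days(pol))
    for pw in ("abc", "abcdef", "Abcdef1"):
        print(pw, check_password(pol, pw) or "ok")
```

The reference count is parsed but deliberately not used by the checker:
it only matters for `delete_policy', which refuses to remove a policy
that principals still reference.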
File: krb5-admin.info, Node: Retrieving the List of Policies, Next: Adding or Modifying Policies, Prev: Retrieving Policies, Up: Policies

Retrieving the List of Policies
-------------------------------

You can retrieve the list of policies with the kadmin `list_policies'
command, which requires the "list" privilege.  The syntax is:

     list_policies [expression]

where expression is a shell-style glob expression that can contain the
characters *, ?, and [].  All policy names matching the expression are
displayed.  The `list_policies' command has the aliases `listpols',
`get_policies', and `getpols'.  For example:

File: krb5-admin.info, Node: Adding or Modifying Policies, Next: Deleting Policies, Prev: Retrieving the List of Policies, Up: Policies

Adding or Modifying Policies
----------------------------

To add a new policy, use the kadmin `add_policy' command, which
requires the "add" administrative privilege.  The syntax is:

     add_policy [options] policy_name

To modify attributes of a policy, use the kadmin `modify_policy'
command, which requires the "modify" administrative privilege.  The
syntax is:

     modify_policy [options] policy_name

`add_policy' has the alias `addpol'.  `modify_policy' has the alias
`modpol'.

The `add_policy' and `modify_policy' commands take the following
switches:

`-maxlife time'
     Sets the maximum lifetime of a password to time.

`-minlife time'
     Sets the minimum lifetime of a password to time.

`-minlength length'
     Sets the minimum length of a password to length characters.

`-minclasses number'
     Requires at least number of character classes in a password.

`-history number'
     Sets the number of past keys kept for a principal to number.  This
     option is not supported for the LDAP database.

Note: The policies are created under the realm container in the LDAP
database.

File: krb5-admin.info, Node: Deleting Policies, Next: Updating the History Key, Prev: Adding or Modifying Policies, Up: Policies

Deleting Policies
-----------------

To delete a policy, use the `kadmin' `delete_policy' command, which
requires the "delete" administrative privilege.  The syntax is:

     delete_policy [-force] policy_name

The `delete_policy' command has the alias `delpol'.  It prompts for
confirmation before deletion.  For example:

     kadmin: delete_policy guests
     Are you sure you want to delete the policy "guests"?
     (yes/no): yes

Note that you must cancel the policy from all principals before deleting
it.  The `delete_policy' command will fail if it is in use by any
principal.

File: krb5-admin.info, Node: Updating the History Key, Prev: Deleting Policies, Up: Policies

Updating the History Key
------------------------

If a policy specifies a number of old keys kept of two or more, the
stored old keys are encrypted in a history key, which is found in the
key data of the kadmin/history principal.

Currently there is no support for proper rollover of the history key,
but you can change the history key (for example, to use a better
encryption type) at the cost of invalidating currently stored old keys.
To change the history key, run:

     kadmin: change_password -randkey kadmin/history

This command will fail if you specify the -keepold flag.  Only one new
history key will be created, even if you specify multiple key/salt
types.

In the future, we plan to migrate towards encrypting old keys in the
master key instead of the history key, and implementing proper rollover
support for stored old keys.

File: krb5-admin.info, Node: Global Operations on the Kerberos Database, Next: Global Operations on the Kerberos LDAP Database, Prev: Policies, Up: Administrating the Kerberos Database

Global Operations on the Kerberos Database
==========================================

* Menu:

* Dumping a Kerberos Database to a File::
* Restoring a Kerberos Database from a Dump File::
* Creating a Stash File::
* Creating and Destroying a Kerberos Database::

The `kdb5_util' command is the primary tool for administrating the
Kerberos database.  The syntax is:

     kdb5_util command [kdb5_util_options] [command_options]

The `kdb5_util' command takes the following options, which override the
defaults specified in the configuration files:

`-r realm'
     specifies the Kerberos realm of the database.

`-d dbname'
     specifies the name under which the principal database is stored.

`-k mkeytype'
     specifies the key type of the master key in the database.

`-M mkeyname'
     specifies the principal name of the master key in the database.

`-m'
     indicates that the master database password should be read from
     the TTY rather than fetched from a file on disk.

`-sf stashfilename'
     specifies the stash file of the master database password.

`-P password'
     specifies the master database password.  MIT does not recommend
     using this option.

File: krb5-admin.info, Node: Dumping a Kerberos Database to a File, Next: Restoring a Kerberos Database from a Dump File, Prev: Global Operations on the Kerberos Database, Up: Global Operations on the Kerberos Database

Dumping a Kerberos Database to a File
-------------------------------------

To dump a Kerberos database into a file, use the `kdb5_util' `dump'
command on one of the KDCs.  The syntax is:

     kdb5_util dump [-old] [-b6] [-b7] [-ov]
     [-verbose] [-mkey_convert] [-new_mkey_file] [filename
     [principals...]]

The `kdb5_util dump' command takes the following options:

`-old'
     causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
     format ("kdb5_edit load_dump version 2.0").

`-b6'
     causes the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
     load_dump version 3.0").

`-b7'
     causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_edit
     load_dump version 4").

`-ov'
     causes the dump to be in ovsec_adm_export format.  Currently, the
     only way to preserve per-principal policy information is to use
     this in conjunction with a normal dump.

`-verbose'
     causes the name of each principal and policy to be printed as it is
     dumped.

`-mkey_convert'
     prompts for a new master password, and then dumps the database with
     all keys reencrypted in this new master key.

`-new_mkey_file'
     reads a new key from the default keytab and then dumps the database
     with all keys reencrypted in this new master key.

For example:

     shell% kdb5_util dump dumpfile

     shell% kdb5_util dump -verbose dumpfile
     kadmin/admin@ATHENA.MIT.EDU
     krbtgt/ATHENA.MIT.EDU@ATHENA.MIT.EDU
     kadmin/history@ATHENA.MIT.EDU
     kadmin/changepw@ATHENA.MIT.EDU

If you specify which principals to dump, you must use the full
principal, as in the following example.  (The line beginning with => is
a continuation of the previous line.):

     shell% kdb5_util dump -verbose dumpfile K/M@ATHENA.MIT.EDU
     => kadmin/admin@ATHENA.MIT.EDU
     kadmin/admin@ATHENA.MIT.EDU

Otherwise, the principals will not match those in the database and will
not be dumped:

     shell% kdb5_util dump -verbose dumpfile K/M kadmin/admin

If you do not specify a dump file, `kdb5_util' will dump the database
to the standard output.

There is currently a bug where the default dump format omits the
per-principal policy information.  In order to dump all the data
contained in the Kerberos database, you must perform a normal dump (with
no option flags) and an additional dump using the "-ov" flag to a
different file.

File: krb5-admin.info, Node: Restoring a Kerberos Database from a Dump File, Next: Creating a Stash File, Prev: Dumping a Kerberos Database to a File, Up: Global Operations on the Kerberos Database

Restoring a Kerberos Database from a Dump File
----------------------------------------------

To restore a Kerberos database dump from a file, use the `kdb5_util'
`load' command on one of the KDCs.  The syntax is:

     kdb5_util load [-old] [-b6] [-b7] [-ov] [-verbose]
     [-update] [-hash] dumpfilename dbname [admin_dbname]

The `kdb5_util load' command takes the following options:

`-old'
     requires the dump to be in the Kerberos 5 Beta 5 and earlier dump
     format ("kdb5_edit load_dump version 2.0").

`-b6'
     requires the dump to be in the Kerberos 5 Beta 6 format ("kdb5_edit
     load_dump version 3.0").

`-b7'
     requires the dump to be in the Kerberos 5 Beta 7 format ("kdb5_edit
     load_dump version 4").

`-ov'
     requires the dump to be in ovsec_adm_export format.

`-verbose'
     causes the name of each principal and policy to be printed as it is
     loaded.

`-update'
     causes records from the dump file to be updated in or added to the
     existing database.  This is useful in conjunction with an
     ovsec_adm_export format dump if you want to preserve per-principal
     policy information, since the current default format does not
     contain that information.

`-hash'
     causes the database to be stored as a hash rather than a binary
     tree.

For example:

     shell% kdb5_util load dumpfile principal

     shell% kdb5_util load -update dumpfile principal

If the database file exists, and the -update flag was not given,
`kdb5_util' will overwrite the existing database.

File: krb5-admin.info, Node: Creating a Stash File, Next: Creating and Destroying a Kerberos Database, Prev: Restoring a Kerberos Database from a Dump File, Up: Global Operations on the Kerberos Database

Creating a Stash File
---------------------

A stash file allows a KDC to authenticate itself to the database
utilities, such as `kadmin', `kadmind', `krb5kdc', and `kdb5_util'.

To create a stash file, use the `kdb5_util' `stash' command.  The
syntax is:

     kdb5_util stash [-f keyfile]

For example:

     shell% kdb5_util stash
     kdb5_util: Cannot find/read stored master key while reading master key
     kdb5_util: Warning: proceeding without master key
     Enter KDC database master key:  <= Type the KDC database master password.

If you do not specify a stash file, `kdb5_util' will stash the key in
the file specified in your `kdc.conf' file.

File: krb5-admin.info, Node: Creating and Destroying a Kerberos Database, Prev: Creating a Stash File, Up: Global Operations on the Kerberos Database

Creating and Destroying a Kerberos Database
-------------------------------------------

If you need to create a new Kerberos database, use the `kdb5_util'
`create' command.  The syntax is:

     kdb5_util create [-s]

If you specify the `-s' option, `kdb5_util' will stash a copy of the
master key in a stash file.  (*Note Creating a Stash File::.)  For
example:

     shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU create -s
     kdb5_util: No such file or directory while setting active database to
     => '/usr/local/var/krb5kdc/principal'
     Initializing database '/usr/local/var/krb5kdc/principal' for
     => realm 'ATHENA.MIT.EDU',
     master key name 'K/M@ATHENA.MIT.EDU'
     You will be prompted for the database Master Password.
     It is important that you NOT FORGET this password.
     Enter KDC database master key:  <= Type the master password.
     Re-enter KDC database master key to verify:  <= Type it again.

If you need to destroy the current Kerberos database, use the
`kdb5_util' `destroy' command.  The syntax is:

     kdb5_util destroy [-f]

The `destroy' command destroys the database, first overwriting the disk
sectors and then unlinking the files.  If you specify the `-f' option,
`kdb5_util' will not prompt you for a confirmation before destroying
the database.  For example:

     shell% /usr/local/sbin/kdb5_util -r ATHENA.MIT.EDU destroy
     kdb5_util: Deleting KDC database stored in /usr/local/var/krb5kdc/principal, are you sure
     (type yes to confirm)?  <== yes
     OK, deleting database '/usr/local/var/krb5kdc/principal'...

File: krb5-admin.info, Node: Global Operations on the Kerberos LDAP Database, Next: Cross-realm Authentication, Prev: Global Operations on the Kerberos Database, Up: Administrating the Kerberos Database

Global Operations on the Kerberos LDAP Database
===============================================

The `kdb5_ldap_util' is the primary tool for administrating the
Kerberos LDAP database.  It allows an administrator to manage realms,
Kerberos services (KDC and Admin Server) and ticket policies.  The
syntax is:

     kdb5_ldap_util [-D user_dn [-w passwd]] [-H ldap_uri] command [command_options]

`-D user_dn'
     Specifies the Distinguished Name (DN) of the user who has
     sufficient rights to perform the operation on the LDAP server.

`-w passwd'
     Specifies the password of user_dn.  This option is not recommended.

`-H ldap_uri'
     Specifies the URI of the LDAP server.  It is recommended to use
     ldapi:// or ldaps:// to connect to the LDAP server.

* Menu:

* Creating a Kerberos Realm::
* Modifying a Kerberos Realm::
* Retrieving Information about a Kerberos Realm::
* Destroying a Kerberos Realm::
* Listing available Kerberos Realms::
* Stashing Service Object's Password::
* Creating and Modifying a Ticket Policy::
* Retrieving Information About a Ticket Policy::
* Destroying a Ticket Policy::
* Listing available Ticket Policies::
* Creating a Service Object (eDirectory)::
* Modifying a Service Object (eDirectory)::
* Retrieving Service Object Information (eDirectory)::
* Destroying a Service Object (eDirectory)::
* Listing Available Service Objects (eDirectory)::
* Passwords for Service Objects (eDirectory)::

File: krb5-admin.info, Node: Creating a Kerberos Realm, Next: Modifying a Kerberos Realm, Prev: Global Operations on the Kerberos LDAP Database, Up: Global Operations on the Kerberos LDAP Database

Creating a Kerberos Realm
-------------------------

If you need to create a new realm, use the command as follows:

create [-r realm] [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
[-k mkeytype] [-m|-P password] [-sf stashfilename] [-s] [-maxtktlife max_ticket_life]
[-maxrenewlife max_renewable_ticket_life] [ticket_flags]

Options to create realm in directory are as follows:

-r realm
     Specifies the Kerberos realm of the database; by default the realm
     returned by `krb5_default_local_realm' (3) is used.

-subtrees subtree_dn_list
     Specifies the list of subtrees containing principals of a realm.
     The list contains the DN of the subtree objects separated by a
     colon (:).

-sscope search_scope
     Specifies the scope for searching the principals under the
     subtree. The possible values are 1 or one (one level), 2 or sub
     (subtree).

-containerref container_reference_dn
     Specifies the DN of the container object in which the principals of
     a realm will be created. If the container reference is not
     configured for a realm, the principals will be created in the

-k mkeytype
     Specifies the key type of the master key in the database; the
     default is that given in `kdc.conf'.

-m
     Specifies that the master database password should be read from
     the TTY rather than fetched from a file on disk.

-P password
     Specifies the master database password. This option is not
     recommended, for the same reason as `-w': the password is exposed
     on the command line.

-sf stashfilename
     Specifies the stash file of the master database password.

-s
     Specifies that the stash file is to be created.

-maxtktlife max_ticket_life
     Specifies maximum ticket life for principals in this realm. This
     value is used if it is not set on the principal.

-maxrenewlife max_renewable_ticket_life
     Specifies maximum renewable life of tickets for principals in this
     realm. This value is used if it is not set on the principal.

ticket_flags
     Specifies the ticket flags. If this option is not specified, by
     default none of the flags are set. This means all the ticket
     options will be allowed and no restriction will be set. This value
     is used if it is not set on the principal.

     The various flags are:

     {-|+}allow_postdated
          `-allow_postdated' prohibits principals from obtaining
          postdated tickets. (Sets the `KRB5_KDB_DISALLOW_POSTDATED'
          flag.) `+allow_postdated' clears this flag.

     {-|+}allow_forwardable
          `-allow_forwardable' prohibits principals from obtaining
          forwardable tickets. (Sets the
          `KRB5_KDB_DISALLOW_FORWARDABLE' flag.) `+allow_forwardable'
          clears this flag.

     {-|+}allow_renewable
          `-allow_renewable' prohibits principals from obtaining
          renewable tickets. (Sets the `KRB5_KDB_DISALLOW_RENEWABLE'
          flag.) `+allow_renewable' clears this flag.

     {-|+}allow_proxiable
          `-allow_proxiable' prohibits principals from obtaining
          proxiable tickets. (Sets the `KRB5_KDB_DISALLOW_PROXIABLE'
          flag.) `+allow_proxiable' clears this flag.

     {-|+}allow_dup_skey
          `-allow_dup_skey' disables user-to-user authentication for
          principals by prohibiting principals from obtaining a
          session key for another user. (Sets the
          `KRB5_KDB_DISALLOW_DUP_SKEY' flag.) `+allow_dup_skey' clears
          this flag.

     {-|+}requires_preauth
          `+requires_preauth' requires principals to preauthenticate
          before being allowed to kinit. (Sets the
          `KRB5_KDB_REQUIRES_PRE_AUTH' flag.) `-requires_preauth' clears
          this flag.

     {-|+}requires_hwauth
          `+requires_hwauth' requires principals to preauthenticate
          using a hardware device before being allowed to kinit. (Sets
          the `KRB5_KDB_REQUIRES_HW_AUTH' flag.) `-requires_hwauth'
          clears this flag.

     {-|+}ok_as_delegate
          `+ok_as_delegate' sets the OK-AS-DELEGATE flag on tickets
          issued for use with this principal as the service, which
          clients may use as a hint that credentials can and should be
          delegated when authenticating to the service. (Sets the
          `KRB5_KDB_OK_AS_DELEGATE' flag.) `-ok_as_delegate' clears
          this flag.

     {-|+}allow_svr
          `-allow_svr' prohibits the issuance of service tickets for
          principals. (Sets the `KRB5_KDB_DISALLOW_SVR' flag.)
          `+allow_svr' clears this flag.

     {-|+}allow_tgs_req
          `-allow_tgs_req' specifies that a Ticket-Granting Service
          (TGS) request for a service ticket for principals is not
          permitted. This option is useless for most things.
          `+allow_tgs_req' clears this flag. The default is
          `+allow_tgs_req'. In effect, `-allow_tgs_req' sets the
          `KRB5_KDB_DISALLOW_TGT_BASED' flag on principals in the
          realm.

     {-|+}allow_tix
          `-allow_tix' forbids the issuance of any tickets for
          principals. `+allow_tix' clears this flag. The default is
          `+allow_tix'. In effect, `-allow_tix' sets the
          `KRB5_KDB_DISALLOW_ALL_TIX' flag on principals in the realm.

     {-|+}needchange
          `+needchange' sets a flag in the attributes field to force a
          password change; `-needchange' clears it. The default is
          `-needchange'. In effect, `+needchange' sets the
          `KRB5_KDB_REQUIRES_PWCHANGE' flag on principals in the realm.

     {-|+}password_changing_service
          `+password_changing_service' sets a flag in the attributes
          field marking the principal as a password change service
          principal (useless for most things).
          `-password_changing_service' clears the flag. This flag
          intentionally has a long name. The default is
          `-password_changing_service'. In effect,
          `+password_changing_service' sets the
          `KRB5_KDB_PWCHANGE_SERVICE' flag on principals in the realm.

shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2
-subtrees ou=users,dc=example,dc=com -r ATHENA.MIT.EDU
Password for "cn=admin,dc=example,dc=com":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

* eDirectory Options (Creating a Kerberos Realm)::

File: krb5-admin.info, Node: eDirectory Options (Creating a Kerberos Realm), Prev: Creating a Kerberos Realm, Up: Creating a Kerberos Realm

eDirectory Options (Creating a Kerberos Realm)
..............................................

-kdcdn kdc_service_list
     Specifies the list of KDC service objects serving the realm. The
     list contains the DNs of the KDC service objects separated by a
     colon (:).

-admindn admin_service_list
     Specifies the list of Administration service objects serving the
     realm. The list contains the DNs of the Administration service
     objects separated by a colon (:).

shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu create -sscope 2
-subtrees ou=users,dc=example,dc=com -kdcdn cn=krbkdc,dc=example,dc=com -admindn cn=krbadmin,dc=example,dc=com -r ATHENA.MIT.EDU
Password for "cn=admin,dc=example,dc=com":
Initializing database for realm 'ATHENA.MIT.EDU'
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
Enter KDC database master key:
Re-enter KDC database master key to verify:

File: krb5-admin.info, Node: Modifying a Kerberos Realm, Next: Retrieving Information about a Kerberos Realm, Prev: Creating a Kerberos Realm, Up: Global Operations on the Kerberos LDAP Database

Modifying a Kerberos Realm
--------------------------

If you need to modify a realm, use the command as follows:

modify [-r realm] [-subtrees subtree_dn_list] [-sscope search_scope] [-containerref container_reference_dn]
[-maxtktlife max_ticket_life] [-maxrenewlife max_renewable_ticket_life] [ticket_flags]

Options to modify realm in directory are as follows:

-r realm
     Specifies the Kerberos realm of the database; by default the realm
     returned by `krb5_default_local_realm' (3) is used.

-subtrees subtree_dn_list
     Specifies the list of subtrees containing principal objects in the
     realm. The list contains the DN of the subtree objects separated by
     a colon (:). This list replaces the existing list.

-sscope search_scope
     Specifies the scope for searching the principals under the
     subtrees. The possible values are 1 or one (one level), 2 or sub
     (subtree).

-containerref container_reference_dn
     Specifies the Distinguished Name (DN) of the container object in
     which the principals of a realm will be created.

-maxtktlife max_ticket_life
     Specifies maximum ticket life for principals in this realm. This
     value is used if it is not set on the principal.

-maxrenewlife max_renewable_ticket_life
     Specifies maximum renewable life of tickets for principals in this
     realm. This value is used if it is not set on the principal.

ticket_flags
     Specifies the ticket flags. If this option is not specified, by
     default none of the flags are set. This means all the ticket
     options will be allowed and no restriction will be set. This
     value is used if it is not set on the principal.

     The various flags are:

     {-|+}allow_postdated
          `-allow_postdated' prohibits principals from obtaining
          postdated tickets. (Sets the `KRB5_KDB_DISALLOW_POSTDATED'
          flag.) `+allow_postdated' clears this flag.

     {-|+}allow_forwardable
          `-allow_forwardable' prohibits principals from obtaining
          forwardable tickets. (Sets the
          `KRB5_KDB_DISALLOW_FORWARDABLE' flag.) `+allow_forwardable'
          clears this flag.

     {-|+}allow_renewable
          `-allow_renewable' prohibits principals from obtaining
          renewable tickets. (Sets the `KRB5_KDB_DISALLOW_RENEWABLE'
          flag.) `+allow_renewable' clears this flag.

     {-|+}allow_proxiable
          `-allow_proxiable' prohibits principals from obtaining
          proxiable tickets. (Sets the `KRB5_KDB_DISALLOW_PROXIABLE'
          flag.) `+allow_proxiable' clears this flag.

     {-|+}allow_dup_skey
          `-allow_dup_skey' disables user-to-user authentication for
          principals by prohibiting principals from obtaining a
          session key for another user. (Sets the
          `KRB5_KDB_DISALLOW_DUP_SKEY' flag.) `+allow_dup_skey' clears
          this flag.

     {-|+}requires_preauth
          `+requires_preauth' requires principals to preauthenticate
          before being allowed to kinit. (Sets the
          `KRB5_KDB_REQUIRES_PRE_AUTH' flag.) `-requires_preauth' clears
          this flag.

     {-|+}requires_hwauth
          `+requires_hwauth' requires principals to preauthenticate
          using a hardware device before being allowed to kinit. (Sets
          the `KRB5_KDB_REQUIRES_HW_AUTH' flag.) `-requires_hwauth'
          clears this flag.

     {-|+}allow_svr
          `-allow_svr' prohibits the issuance of service tickets for
          principals. (Sets the `KRB5_KDB_DISALLOW_SVR' flag.)
          `+allow_svr' clears this flag.

     {-|+}allow_tgs_req
          `-allow_tgs_req' specifies that a Ticket-Granting Service
          (TGS) request for a service ticket for principals is not
          permitted. This option is useless for most things.
          `+allow_tgs_req' clears this flag. The default is
          `+allow_tgs_req'. In effect, `-allow_tgs_req' sets the
          `KRB5_KDB_DISALLOW_TGT_BASED' flag on principals in the
          realm.

     {-|+}allow_tix
          `-allow_tix' forbids the issuance of any tickets for
          principals. `+allow_tix' clears this flag. The default is
          `+allow_tix'. In effect, `-allow_tix' sets the
          `KRB5_KDB_DISALLOW_ALL_TIX' flag on principals in the realm.

     {-|+}needchange
          `+needchange' sets a flag in the attributes field to force a
          password change; `-needchange' clears it. The default is
          `-needchange'. In effect, `+needchange' sets the
          `KRB5_KDB_REQUIRES_PWCHANGE' flag on principals in the realm.

     {-|+}password_changing_service
          `+password_changing_service' sets a flag in the attributes
          field marking the principal as a password change service
          principal (useless for most things).
          `-password_changing_service' clears the flag. This flag
          intentionally has a long name. The default is
          `-password_changing_service'. In effect,
          `+password_changing_service' sets the
          `KRB5_KDB_PWCHANGE_SERVICE' flag on principals in the realm.

shell% kdb5_ldap_util -D cn=admin,dc=example,dc=com -H ldaps://ldap-server1.mit.edu
modify -r ATHENA.MIT.EDU +requires_preauth
Password for "cn=admin,dc=example,dc=com":

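The flag lists of the create and modify commands above describe the same {-|+}name options, and their naming is easy to get backwards: the allow_* options set a KRB5_KDB_DISALLOW_* bit in their `-' form, while requires_*, needchange, ok_as_delegate and password_changing_service set their bit in the `+' form. The following Python is an added example, not code from krb5 or from this guide: it folds a list of such options into the attribute bitmask and applies the precedence rule stated in both sections (the realm value is used only if the flags are not set on the principal). The bit values are those of the KRB5_KDB_* macros in krb5's kdb.h; the function names are hypothetical, and "not set on the principal" is modelled here as None.

```python
# Added example (not part of krb5): ticket-flag semantics of
# kdb5_ldap_util create/modify. Bit values are the KRB5_KDB_* macros from
# krb5's include/kdb.h; function names are hypothetical.
from typing import Iterable, List, Optional

KRB5_KDB_DISALLOW_POSTDATED   = 0x00000001
KRB5_KDB_DISALLOW_FORWARDABLE = 0x00000002
KRB5_KDB_DISALLOW_TGT_BASED   = 0x00000004
KRB5_KDB_DISALLOW_RENEWABLE   = 0x00000008
KRB5_KDB_DISALLOW_PROXIABLE   = 0x00000010
KRB5_KDB_DISALLOW_DUP_SKEY    = 0x00000020
KRB5_KDB_DISALLOW_ALL_TIX     = 0x00000040
KRB5_KDB_REQUIRES_PRE_AUTH    = 0x00000080
KRB5_KDB_REQUIRES_HW_AUTH     = 0x00000100
KRB5_KDB_REQUIRES_PWCHANGE    = 0x00000200
KRB5_KDB_DISALLOW_SVR         = 0x00001000
KRB5_KDB_PWCHANGE_SERVICE     = 0x00002000
KRB5_KDB_OK_AS_DELEGATE       = 0x00100000

# Option name -> (bit, sense). sense "+" means the '+' form sets the bit;
# sense "-" means the '-' form sets it (the allow_* family, whose bits are
# DISALLOW_* and so are inverted relative to the option name).
FLAG_TABLE = {
    "allow_postdated":           (KRB5_KDB_DISALLOW_POSTDATED, "-"),
    "allow_forwardable":         (KRB5_KDB_DISALLOW_FORWARDABLE, "-"),
    "allow_renewable":           (KRB5_KDB_DISALLOW_RENEWABLE, "-"),
    "allow_proxiable":           (KRB5_KDB_DISALLOW_PROXIABLE, "-"),
    "allow_dup_skey":            (KRB5_KDB_DISALLOW_DUP_SKEY, "-"),
    "allow_svr":                 (KRB5_KDB_DISALLOW_SVR, "-"),
    "allow_tgs_req":             (KRB5_KDB_DISALLOW_TGT_BASED, "-"),
    "allow_tix":                 (KRB5_KDB_DISALLOW_ALL_TIX, "-"),
    "requires_preauth":          (KRB5_KDB_REQUIRES_PRE_AUTH, "+"),
    "requires_hwauth":           (KRB5_KDB_REQUIRES_HW_AUTH, "+"),
    "needchange":                (KRB5_KDB_REQUIRES_PWCHANGE, "+"),
    "ok_as_delegate":            (KRB5_KDB_OK_AS_DELEGATE, "+"),
    "password_changing_service": (KRB5_KDB_PWCHANGE_SERVICE, "+"),
}


def parse_ticket_flags(args: Iterable[str], start: int = 0) -> int:
    """Fold a sequence of {-|+}name options into an attribute bitmask.

    Options are applied left to right, so a later option overrides an
    earlier one for the same bit. Unknown names raise ValueError rather
    than being silently ignored.
    """
    attrs = start
    for arg in args:
        if len(arg) < 2 or arg[0] not in "+-":
            raise ValueError(f"not a ticket flag option: {arg!r}")
        sign, name = arg[0], arg[1:]
        try:
            bit, sense = FLAG_TABLE[name]
        except KeyError:
            raise ValueError(f"unknown ticket flag: {name!r}") from None
        if sign == sense:
            attrs |= bit      # this form sets the bit
        else:
            attrs &= ~bit     # the opposite form clears it
    return attrs


def effective_flags(realm_attrs: int, principal_attrs: Optional[int]) -> int:
    """Flags that apply to one principal.

    The realm value is only a fallback: it is used when the principal has
    no flag set of its own (None here). A principal carrying explicit
    flags keeps them, whatever the realm says.
    """
    return realm_attrs if principal_attrs is None else principal_attrs


def describe(attrs: int) -> List[str]:
    """Option spellings of the bits set in attrs, in table order."""
    return [("+" if sense == "+" else "-") + name
            for name, (bit, sense) in FLAG_TABLE.items() if attrs & bit]


if __name__ == "__main__":
    # The modify example above sets +requires_preauth on the realm.
    realm = parse_ticket_flags(["+requires_preauth"])
    # Constructed principals: one with no flags of its own, and one that
    # was created earlier with explicit flags (here only -allow_forwardable).
    fresh = None
    explicit = parse_ticket_flags(["-allow_forwardable"])
    for label, p in (("no flags on principal", fresh),
                     ("explicit flags on principal", explicit)):
        eff = effective_flags(realm, p)
        print(f"{label}: 0x{eff:08x} {describe(eff)}")
```

Running the block with the modify example's `+requires_preauth' shows the caveat that follows from the precedence rule: the principal with no flags of its own now requires preauthentication, but the principal that already carried an explicit flag set is unchanged. If preauthentication is meant to be mandatory realm-wide, such principals have to be updated individually (for example with the kadmin `modify_principal' command and `+requires_preauth').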
* eDirectory Options (Modifying a Kerberos Realm)::

File: krb5-admin.info, Node: eDirectory Options (Modifying a Kerberos Realm), Prev: Modifying a Kerberos Realm, Up: Modifying a Kerberos Realm

eDirectory Options (Modifying a Kerberos Realm)
...............................................

-kdcdn kdc_service_list
     Specifies the list of KDC service objects serving the realm. The
     list contains the DNs of the KDC service objects separated by a
     colon (:). This list replaces the existing list.

-clearkdcdn kdc_service_list
     Specifies the list of KDC service objects that need to be removed
     from the existing list. The list contains the DNs of the KDC
     service objects separated by a colon (:).

-addkdcdn kdc_service_list
     Specifies the list of KDC service objects that need to be added to
     the existing list. The list contains the DNs of the KDC service
     objects separated by a colon (:).

-admindn admin_service_list
     Specifies the list of Administration service objects serving the
     realm. The list contains the DNs of the Administration service
     objects separated by a colon (:). This list replaces the existing
     list.

-clearadmindn admin_service_list
     Specifies the list of Administration service objects that need to
     be removed from the existing list. The list contains the DNs of
     the Administration service objects separated by a colon (:).

-addadmindn admin_service_list
     Specifies the list of Administration service objects that need to
     be added to the existing list. The list contains the DNs of the
     Administration service objects separated by a colon (:).