.. _kadmin(1):

kadmin
======

SYNOPSIS
--------

.. _kadmin_synopsis:

**kadmin**
[**-O**\|\ **-N**]
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
[**-w** *password*]
[**-s** *admin_server*\ [:*port*]]
[command args...]

**kadmin.local**
[**-r** *realm*]
[**-p** *principal*]
[**-q** *query*]
[**-d** *dbname*]
[**-e** *enc*:*salt* ...]
[**-m**]
[**-x** *db_args*]
[command args...]

.. _kadmin_synopsis_end:


DESCRIPTION
-----------

kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using :ref:`kadmind(8)`.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables
(keytabs).

The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal ``kadmin/ADMINHOST`` (where *ADMINHOST* is
the fully-qualified hostname of the admin server) or ``kadmin/admin``.
If the credentials cache contains a ticket for one of these
principals, and the **-c** credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the **-p** and
**-k** options are used to specify the client Kerberos principal name
used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.

Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the master KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.


OPTIONS
-------

.. _kadmin_options:

**-r** *realm*
    Use *realm* as the default database realm.

**-p** *principal*
    Use *principal* to authenticate. Otherwise, kadmin will append
    ``/admin`` to the primary principal name of the default ccache,
    the value of the **USER** environment variable, or the username as
    obtained with getpwuid, in order of preference.

**-k**
    Use a keytab to decrypt the KDC response instead of prompting for
    a password. In this case, the default principal will be
    ``host/hostname``. If there is no keytab specified with the
    **-t** option, then the default keytab will be used.

**-t** *keytab*
    Use *keytab* to decrypt the KDC response. This can only be used
    with the **-k** option.

**-n**
    Requests anonymous processing. Two types of anonymous principals
    are supported. For fully anonymous Kerberos, configure PKINIT on
    the KDC and configure **pkinit_anchors** in the client's
    :ref:`krb5.conf(5)`. Then use the **-n** option with a principal
    of the form ``@REALM`` (an empty principal name followed by the
    at-sign and a realm name). If permitted by the KDC, an anonymous
    ticket will be returned. A second form of anonymous tickets is
    supported; these realm-exposed tickets hide the identity of the
    client but not the client's realm. For this mode, use
    ``kinit -n`` with a normal principal name. If supported by the
    KDC, the principal (but not realm) will be replaced by the
    anonymous principal. As of release 1.8, the MIT Kerberos KDC only
    supports fully anonymous operation.

**-c** *credentials_cache*
    Use *credentials_cache* as the credentials cache. The
    cache should contain a service ticket for the ``kadmin/ADMINHOST``
    (where *ADMINHOST* is the fully-qualified hostname of the admin
    server) or ``kadmin/admin`` service; it can be acquired with the
    :ref:`kinit(1)` program. If this option is not specified, kadmin
    requests a new service ticket from the KDC, and stores it in its
    own temporary ccache.

**-w** *password*
    Use *password* instead of prompting for one. Use this option with
    care, as it may expose the password to other users on the system
    via the process list.

**-q** *query*
    Perform the specified query and then exit.

**-d** *dbname*
    Specifies the name of the KDC database. This option does not
    apply to the LDAP database module.

**-s** *admin_server*\ [:*port*]
    Specifies the admin server which kadmin should contact.

**-m**
    If using kadmin.local, prompt for the database master password
    instead of reading it from a stash file.

**-e** "*enc*:*salt* ..."
    Sets the keysalt list to be used for any new keys created. See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible
    values.

**-O**
    Force use of old AUTH_GSSAPI authentication flavor.

**-N**
    Prevent fallback to AUTH_GSSAPI authentication flavor.

**-x** *db_args*
    Specifies the database-specific arguments. See the next section
    for supported options.

.. _kadmin_options_end:

Starting with release 1.14, if any command-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:

* Query arguments are split by the shell, not by kadmin.
* Informational and warning messages are suppressed. Error messages
  and query output (e.g. for **get_principal**) will still be
  displayed.
* Confirmation prompts are disabled (as if **-force** was given).
  Password prompts will still be issued as required.
* The exit status will be non-zero if the query fails.

The **-q** option does not carry these behavior differences; the query
will be processed as if it was entered interactively. The **-q**
option cannot be used in combination with a query in the remaining
arguments.
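
The following script is an added example, not part of the krb5
documentation or code base. It applies the scripting mode just
described together with the **-w** caveat above to the remote client:
it authenticates with a keytab (**-k -t**) so that no password appears
on the command line, and it passes each query as trailing arguments
rather than through **-q**, so that the shell does the quoting and a
failed query is reported through the exit status. The keytab path, the
client principal (which :ref:`kadm5.acl(5)` on the admin server must
grant the relevant privileges) and the admin server name are assumed
site values, and ``hostname -f`` is assumed to print the host's
fully-qualified name.

```sh
#!/bin/sh
# Added example; not part of the krb5 documentation or code base.
# Script-friendly wrapper around the remote kadmin client that relies on
# two documented behaviours:
#   * "-k -t KEYTAB -p PRINCIPAL" authenticates with a keytab, so no -w
#     password is visible to other users in the process list;
#   * in release 1.14 and later, arguments left after the options form
#     one query: the shell splits it, informational messages and
#     confirmation prompts are suppressed, and a failed query gives a
#     non-zero exit status (which -q does not guarantee).
# Assumed site values: the keytab path, the client principal (which
# kadm5.acl on the admin server must grant the needed privileges) and
# the admin server name. Override them in the environment.
KADMIN=${KADMIN:-kadmin}
ADMIN_KEYTAB=${ADMIN_KEYTAB:-/etc/krb5.provisioner.keytab}   # assumption
ADMIN_PRINC=${ADMIN_PRINC:-provisioner/admin}                 # assumption
ADMIN_SERVER=${ADMIN_SERVER:-kerberos.example.com}            # assumption

# kadm WORD...: run one query in scripting mode, authenticating with the
# keytab. The query words are passed as separate arguments, so a name
# with shell metacharacters only needs ordinary quoting at the call site.
kadm() {
    "$KADMIN" -k -t "$ADMIN_KEYTAB" -p "$ADMIN_PRINC" -s "$ADMIN_SERVER" "$@"
}

# princ_exists PRINCIPAL: succeed if getprinc succeeds (needs the
# inquire privilege); the report itself is discarded.
princ_exists() {
    kadm getprinc "$1" >/dev/null 2>&1
}

# ensure_service_princ SERVICE FQDN: create SERVICE/FQDN with a random
# key, and with service tickets restricted to clients that
# preauthenticated, unless it already exists. Returns success only if
# the principal exists afterwards, so it is safe to re-run from
# configuration management.
ensure_service_princ() {
    princ="$1/$2"
    if princ_exists "$princ"; then
        return 0
    fi
    kadm addprinc -randkey +requires_preauth "$princ" || return 1
    princ_exists "$princ"
}

# lockdown_infra_princ PRINCIPAL: keep PRINCIPAL's keys from leaving the
# KDC through kadmind (intended for krbtgt/* and kadmin/*). The flag can
# be set over the network but only cleared with kadmin.local.
lockdown_infra_princ() {
    kadm modprinc +lockdown_keys "$1"
}

# Set RUN_KADMIN_EXAMPLE=1 (and REALM) to run this against a real admin
# server; "hostname -f" is assumed to print the fully-qualified name.
if [ "${RUN_KADMIN_EXAMPLE:-0}" = 1 ]; then
    ensure_service_princ host "$(hostname -f)" || exit 1
    lockdown_infra_princ "krbtgt/${REALM:?set REALM}" || exit 1
fi
```

Source the file and call ``ensure_service_princ host "$(hostname -f)"``,
or set ``RUN_KADMIN_EXAMPLE=1`` and run it. Each helper returns kadmin's
own exit status, so ``set -e`` or ``|| exit 1`` at the call site catches
failures that a **-q** query does not necessarily report through its
exit status.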

.. _dboptions:

DATABASE OPTIONS
----------------

Database options can be used to override database-specific defaults.
Supported options for the DB2 module are:

**-x dbname=**\ *filename*
    Specifies the base filename of the DB2 database.

**-x lockiter**
    Make iteration operations hold the lock for the duration of
    the entire operation, rather than temporarily releasing the
    lock while handling each principal. This is the default
    behavior, but this option exists to allow command line
    override of a [dbmodules] setting. First introduced in
    release 1.13.

**-x unlockiter**
    Make iteration operations unlock the database for each
    principal, instead of holding the lock for the duration of the
    entire operation. First introduced in release 1.13.

Supported options for the LDAP module are:

**-x host=**\ *ldapuri*
    Specifies the LDAP server to connect to by an LDAP URI.

**-x binddn=**\ *bind_dn*
    Specifies the DN used to bind to the LDAP server.

**-x bindpwd=**\ *password*
    Specifies the password or SASL secret used to bind to the LDAP
    server. Using this option may expose the password to other
    users on the system via the process list; to avoid this,
    instead stash the password using the **stashsrvpw** command of
    :ref:`kdb5_ldap_util(8)`.

**-x sasl_mech=**\ *mechanism*
    Specifies the SASL mechanism used to bind to the LDAP server.
    The bind DN is ignored if a SASL mechanism is used. New in
    release 1.13.

**-x sasl_authcid=**\ *name*
    Specifies the authentication name used when binding to the
    LDAP server with a SASL mechanism, if the mechanism requires
    one. New in release 1.13.

**-x sasl_authzid=**\ *name*
    Specifies the authorization name used when binding to the LDAP
    server with a SASL mechanism. New in release 1.13.

**-x sasl_realm=**\ *realm*
    Specifies the realm used when binding to the LDAP server with
    a SASL mechanism, if the mechanism uses one. New in release
    1.13.

**-x debug=**\ *level*
    Sets the OpenLDAP client library debug level. *level* is an
    integer to be interpreted by the library. Debugging messages
    are printed to standard error. New in release 1.12.


COMMANDS
--------

When using the remote client, available commands may be restricted
according to the privileges specified in the :ref:`kadm5.acl(5)` file
on the admin server.

.. _add_principal:

add_principal
~~~~~~~~~~~~~

**add_principal** [*options*] *newprinc*

Creates the principal *newprinc*, prompting twice for a password. If
no password policy is specified with the **-policy** option, the
policy named ``default`` is assigned to the principal if it exists.
However, creating a policy named ``default`` will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the **-clearpolicy** option.

This command requires the **add** privilege.

Aliases: **addprinc**, **ank**

Options:

**-expire** *expdate*
    (:ref:`getdate` string) The expiration date of the principal.

**-pwexpire** *pwexpdate*
    (:ref:`getdate` string) The password expiration date.

**-maxlife** *maxlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life
    for the principal.

**-maxrenewlife** *maxrenewlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum renewable
    life of tickets for the principal.

**-kvno** *kvno*
    The initial key version number.

**-policy** *policy*
    The password policy used by this principal. If not specified, the
    policy ``default`` is used if it exists (unless **-clearpolicy**
    is specified).

**-clearpolicy**
    Prevents any policy from being assigned when **-policy** is not
    specified.

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for this
    principal by prohibiting others from obtaining a service ticket
    encrypted in this principal's TGT session key.
    **+allow_dup_skey** clears this flag.

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to preauthenticate
    before being allowed to kinit. **-requires_preauth** clears this
    flag. When **+requires_preauth** is set on a service principal,
    the KDC will only issue service tickets for that service principal
    if the client's initial authentication was performed using
    preauthentication.

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to preauthenticate
    using a hardware device before being allowed to kinit.
    **-requires_hwauth** clears this flag. When **+requires_hwauth** is
    set on a service principal, the KDC will only issue service tickets
    for that service principal if the client's initial authentication was
    performed using a hardware device to preauthenticate.

{-\|+}\ **ok_as_delegate**
    **+ok_as_delegate** sets the **okay as delegate** flag on tickets
    issued with this principal as the service. Clients may use this
    flag as a hint that credentials should be delegated when
    authenticating to the service. **-ok_as_delegate** clears this
    flag.

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for this
    principal. In release 1.17 and later, user-to-user service
    tickets are still allowed unless the **-allow_dup_skey** flag is
    also set. **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
    request for a service ticket for this principal is not permitted.
    **+allow_tgs_req** clears this flag.

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag.

{-\|+}\ **needchange**
    **+needchange** forces a password change on the next initial
    authentication to this principal. **-needchange** clears this
    flag.

{-\|+}\ **password_changing_service**
    **+password_changing_service** marks this principal as a password
    change service principal.

{-\|+}\ **ok_to_auth_as_delegate**
    **+ok_to_auth_as_delegate** allows this principal to acquire
    forwardable tickets to itself from arbitrary users, for use with
    constrained delegation.

{-\|+}\ **no_auth_data_required**
    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
    being added to service tickets for the principal.

{-\|+}\ **lockdown_keys**
    **+lockdown_keys** prevents keys for this principal from leaving
    the KDC via kadmind. The chpass and extract operations are denied
    for a principal with this attribute. The chrand operation is
    allowed, but will not return the new keys. The delete and rename
    operations are also denied if this attribute is set, in order to
    prevent a malicious administrator from replacing principals like
    krbtgt/* or kadmin/* with new principals without the attribute.
    This attribute can be set via the network protocol, but can only
    be removed using kadmin.local.

**-randkey**
    Sets the key of the principal to a random value.

**-nokey**
    Causes the principal to be created with no key. New in release
    1.12.

**-pw** *password*
    Sets the password of the principal to the specified string and
    does not prompt for a password. Note: using this option in a
    shell script may expose the password to other users on the system
    via the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-x** *db_princ_args*
    Indicates database-specific options. The options for the LDAP
    database module are:

    **-x dn=**\ *dn*
        Specifies the LDAP object that will contain the Kerberos
        principal being created.

    **-x linkdn=**\ *dn*
        Specifies the LDAP object to which the newly created Kerberos
        principal object will point.

    **-x containerdn=**\ *container_dn*
        Specifies the container object under which the Kerberos
        principal is to be created.

    **-x tktpolicy=**\ *policy*
        Associates a ticket policy to the Kerberos principal.

    .. note::

        - The **containerdn** and **linkdn** options cannot be
          specified with the **dn** option.
        - If the *dn* or *containerdn* options are not specified while
          adding the principal, the principals are created under the
          principal container configured in the realm or the realm
          container.
        - *dn* and *containerdn* should be within the subtrees or
          principal container configured in the realm.

Example::

    kadmin: addprinc jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU";
    defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
    Principal "jennifer@ATHENA.MIT.EDU" created.
    kadmin:

.. _add_principal_end:

.. _modify_principal:

modify_principal
~~~~~~~~~~~~~~~~

**modify_principal** [*options*] *principal*

Modifies the specified principal, changing the fields as specified.
The options to **add_principal** also apply to this command, except
for the **-randkey**, **-pw**, and **-e** options. In addition, the
option **-clearpolicy** will clear the current policy of a principal.

This command requires the **modify** privilege.

Alias: **modprinc**

Options (in addition to the **addprinc** options):

**-unlock**
    Unlocks a locked principal (one which has received too many failed
    authentication attempts without enough time between them according
    to its password policy) so that it can successfully authenticate.

.. _modify_principal_end:

.. _rename_principal:

rename_principal
~~~~~~~~~~~~~~~~

**rename_principal** [**-force**] *old_principal* *new_principal*

Renames the specified *old_principal* to *new_principal*. This
command prompts for confirmation, unless the **-force** option is
given.

This command requires the **add** and **delete** privileges.

Alias: **renprinc**

.. _rename_principal_end:

.. _delete_principal:

delete_principal
~~~~~~~~~~~~~~~~

**delete_principal** [**-force**] *principal*

Deletes the specified *principal* from the database. This command
prompts for confirmation, unless the **-force** option is given.

This command requires the **delete** privilege.

Alias: **delprinc**

.. _delete_principal_end:

.. _change_password:

change_password
~~~~~~~~~~~~~~~

**change_password** [*options*] *principal*

Changes the password of *principal*. Prompts for a new password if
neither **-randkey** nor **-pw** is specified.

This command requires the **changepw** privilege, or that the
principal running the program is the same as the principal being
changed.

Alias: **cpw**

The following options are available:

**-randkey**
    Sets the key of the principal to a random value.

**-pw** *password*
    Set the password to the specified string. Using this option in a
    script may expose the password to other users on the system via
    the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-keepold**
    Keeps the existing keys in the database. This flag is usually not
    necessary except perhaps for ``krbtgt`` principals.

Example::

    kadmin: cpw systest
    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.
    kadmin:

.. _change_password_end:

.. _purgekeys:

purgekeys
~~~~~~~~~

**purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*

Purges previously retained old keys (e.g., from **change_password
-keepold**) from *principal*. If **-keepkvno** is specified, then
only purges keys with kvnos lower than *oldest_kvno_to_keep*. If
**-all** is specified, then all keys are purged. The **-all** option
is new in release 1.12.

This command requires the **modify** privilege.

.. _purgekeys_end:

.. _get_principal:

get_principal
~~~~~~~~~~~~~

**get_principal** [**-terse**] *principal*

Gets the attributes of *principal*. With the **-terse** option, outputs
fields as quoted tab-separated strings.

This command requires the **inquire** privilege, or that the principal
running the program is the same as the one being listed.

Alias: **getprinc**

Examples::

    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Number of keys: 1
    Key: vno 1, aes256-cts-hmac-sha384-192
    MKey: vno 1
    Attributes:
    Policy: [none]

    kadmin: getprinc -terse systest
    systest@BLEEP.COM    3    86400    604800    1
    785926535    753241234    785900000
    tlyu/admin@BLEEP.COM    786100034    0    0
    kadmin:

.. _get_principal_end:
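
The helper below is an added example, not part of the krb5
documentation or code base. It reads the long-form **get_principal**
report shown above and prints one finding per line for settings worth
a second look: keys of DES or RC4 enctypes, user principals without
REQUIRES_PRE_AUTH (the attribute name kadmin prints for
**+requires_preauth**) or without a password policy, and ``krbtgt/`` or
``kadmin/`` principals without LOCKDOWN_KEYS (**+lockdown_keys**). The
``Key:`` and ``Attributes:`` line layouts follow the example output
above; the set of enctype prefixes treated as weak is an assumption
about site policy, and the sample reports used to exercise it are
constructed.

```sh
#!/bin/sh
# Added example; not part of the krb5 documentation or code base.
# Reads one long-form "getprinc" report on standard input and prints one
# finding per line, exiting 1 if there is at least one finding.
# Assumptions: the "Key: vno N, enctype[:salt]" and "Attributes: FLAG..."
# line layouts shown in the man page example, and that enctypes whose
# names start with des or arcfour are unwanted at this site.
audit_getprinc() {
    awk '
    function finding(msg) { n++; print princ ": " msg }

    $1 == "Principal:" { princ = $2 }

    # Key lines: "Key: vno 1, aes256-cts-hmac-sha384-192" or, for a
    # non-default salt, "Key: vno 1, des-cbc-crc:v4".
    $1 == "Key:" {
        vno = $3; sub(/,$/, "", vno)
        enc = $4; sub(/:.*/, "", enc)
        if (enc ~ /^(des|arcfour)/)
            finding("weak or deprecated enctype " enc " (vno " vno ")")
    }

    # Attributes line: the flag names kadmin prints, e.g.
    # "Attributes: REQUIRES_PRE_AUTH LOCKDOWN_KEYS"; empty when none.
    $1 == "Attributes:" {
        attrs = " "
        for (i = 2; i <= NF; i++) attrs = attrs $i " "
    }

    $1 == "Policy:" { policy = $2 }

    END {
        if (princ == "") { print "no Principal: line in input"; exit 1 }
        name = princ; sub(/@.*/, "", name)
        is_user = (index(name, "/") == 0)
        if (is_user && index(attrs, " REQUIRES_PRE_AUTH ") == 0)
            finding("preauthentication not required (+requires_preauth)")
        if (is_user && (policy == "" || policy == "[none]"))
            finding("no password policy assigned (-policy)")
        if ((name ~ /^krbtgt\// || name ~ /^kadmin\//) &&
            index(attrs, " LOCKDOWN_KEYS ") == 0)
            finding("keys can leave the KDC via kadmind (+lockdown_keys)")
        exit (n > 0)
    }'
}

# audit_principal PRINCIPAL: fetch the report with kadmin and audit it.
# KADMIN defaults to kadmin.local; set it to "kadmin" plus whatever
# options are needed to reach the admin server (needs inquire privilege).
audit_principal() {
    ${KADMIN:-kadmin.local} getprinc "$1" | audit_getprinc
}
```

Run ``audit_principal alice`` on the KDC, or loop over the output of
**list_principals** and call it for each name; a non-zero exit status
means at least one finding was printed.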
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
.. _list_principals:
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
list_principals
|
|
Packit |
fd8b60 |
~~~~~~~~~~~~~~~
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
**list_principals** [*expression*]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Retrieves all or some principal names. *expression* is a shell-style
|
|
Packit |
fd8b60 |
glob expression that can contain the wild-card characters ``?``,
|
|
Packit |
fd8b60 |
``*``, and ``[]``. All principal names matching the expression are
|
|
Packit |
fd8b60 |
printed. If no expression is provided, all principal names are
|
|
Packit |
fd8b60 |
printed. If the expression does not contain an ``@`` character, an
|
|
Packit |
fd8b60 |
``@`` character followed by the local realm is appended to the
|
|
Packit |
fd8b60 |
expression.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
This command requires the **list** privilege.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Alias: **listprincs**, **get_principals**, **get_princs**
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
Example::
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
kadmin: listprincs test*
|
|
Packit |
fd8b60 |
test3@SECURE-TEST.OV.COM
|
|
Packit |
fd8b60 |
test2@SECURE-TEST.OV.COM
|
|
Packit |
fd8b60 |
test1@SECURE-TEST.OV.COM
|
|
Packit |
fd8b60 |
testuser@SECURE-TEST.OV.COM
|
|
Packit |
fd8b60 |
kadmin:
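To see how the realm rule and the three wildcards combine, here is an added example (not kadmin's own matching code) that applies the same glob syntax with Python's fnmatch over a constructed list of principal names. The four test* names are the ones from the example above; the host, krbtgt and OTHER.REALM entries, and the function names, are this example's own.

```python
import fnmatch
import re

# Constructed directory, extended from the list_principals example above.
PRINCIPALS = [
    "test3@SECURE-TEST.OV.COM",
    "test2@SECURE-TEST.OV.COM",
    "test1@SECURE-TEST.OV.COM",
    "testuser@SECURE-TEST.OV.COM",
    "host/kdc1.secure-test.ov.com@SECURE-TEST.OV.COM",
    "host/www.secure-test.ov.com@SECURE-TEST.OV.COM",
    "krbtgt/SECURE-TEST.OV.COM@SECURE-TEST.OV.COM",
    "krbtgt/OTHER.REALM@SECURE-TEST.OV.COM",
]


def expand_expression(expression, local_realm):
    """The realm rule: an expression without '@' gets '@<local realm>' appended."""
    if "@" in expression:
        return expression
    return f"{expression}@{local_realm}"


def list_principals(expression, principals, local_realm):
    """Return the names matching a kadmin-style glob ('?', '*' and '[...]').

    fnmatch.translate provides exactly those three wildcards.  The resulting
    regex is case sensitive, and '*' also matches '/' and '@', which is what
    multi-component names such as host/kdc1.secure-test.ov.com need.
    """
    pattern = re.compile(fnmatch.translate(expand_expression(expression, local_realm)))
    return [p for p in principals if pattern.match(p)]


if __name__ == "__main__":
    for expr in ("test*", "host/*", "test[1-2]", "*@OTHER.REALM"):
        print(expr, "->", list_principals(expr, PRINCIPALS, "SECURE-TEST.OV.COM"))
```

Note the last case: because ``*@OTHER.REALM`` already contains an ``@``, no local realm is appended, and nothing in the local database matches it; ``krbtgt/OTHER.REALM`` is found with ``krbtgt/*`` instead.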
.. _list_principals_end:

.. _get_strings:

get_strings
~~~~~~~~~~~

**get_strings** *principal*

Displays string attributes on *principal*.

This command requires the **inquire** privilege.

Alias: **getstr**

.. _get_strings_end:

.. _set_string:

set_string
~~~~~~~~~~

**set_string** *principal* *name* *value*

Sets a string attribute on *principal*. String attributes are used to
supply per-principal configuration to the KDC and some KDC plugin
modules. The following string attribute names are recognized by the
KDC:

**require_auth**
    Specifies an authentication indicator which is required to
    authenticate to the principal as a service. Multiple indicators
    can be specified, separated by spaces; in this case any of the
    specified indicators will be accepted. (New in release 1.14.)

**session_enctypes**
    Specifies the encryption types supported for session keys when the
    principal is the server a ticket is being requested for. See
    :ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the
    accepted values.

**otp**
    Enables One Time Passwords (OTP) preauthentication for a client
    *principal*. The *value* is a JSON string representing an array
    of objects, each having optional ``type`` and ``username`` fields.

**pkinit_cert_match**
    Specifies a matching expression that defines the certificate
    attributes required for the client certificate used by the
    principal during PKINIT authentication. The matching expression
    is in the same format as those used by the **pkinit_cert_match**
    option in :ref:`krb5.conf(5)`. (New in release 1.16.)

This command requires the **modify** privilege.

Alias: **setstr**

Example::

    set_string host/foo.mit.edu session_enctypes aes128-cts
    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
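The doubled quotes in the otp line above are kadmin's own request syntax: inside a double-quoted argument, ``""`` stands for one literal ``"``. The following added example (not part of kadmin or of its documentation) builds set_string request lines for ``kadmin -q`` using that rule, so a value containing spaces or quotes reaches the server as one argument instead of being split or ending the request early, and validates otp and require_auth values before they are stored. The helper names are this example's own.

```python
import json


def kadmin_quote(arg):
    """Quote one argument for a kadmin request line: wrap it in double quotes
    and double every embedded quote, as the otp example on this page does."""
    return '"' + arg.replace('"', '""') + '"'


def kadmin_unquote(arg):
    """Inverse of kadmin_quote, to check what the request parser will see."""
    if len(arg) < 2 or arg[0] != '"' or arg[-1] != '"':
        raise ValueError("not a quoted kadmin argument")
    return arg[1:-1].replace('""', '"')


def otp_value(tokens):
    """Serialize the otp attribute: a JSON array of objects whose only
    permitted fields are 'type' and 'username'.  Anything else is rejected
    here rather than silently stored in the KDC."""
    for token in tokens:
        extra = set(token) - {"type", "username"}
        if extra:
            raise ValueError(f"unsupported otp field(s): {sorted(extra)}")
    return json.dumps(tokens, separators=(",", ":"))


def require_auth_value(indicators):
    """Serialize require_auth: indicators separated by spaces, any one of
    which the KDC accepts.  An indicator containing whitespace would turn
    into two weaker alternatives, so refuse it."""
    for ind in indicators:
        if not ind or any(c.isspace() for c in ind):
            raise ValueError(f"bad authentication indicator: {ind!r}")
    return " ".join(indicators)


def set_string_command(principal, name, value):
    """Build the request line to hand to `kadmin -q`.  The principal and the
    attribute name must be bare words; only the value is quoted."""
    if any(c.isspace() or c == '"' for c in principal + name):
        raise ValueError("principal and attribute name must be single bare words")
    return f"set_string {principal} {name} {kadmin_quote(value)}"


if __name__ == "__main__":
    print(set_string_command("user@FOO.COM", "otp",
                             otp_value([{"type": "hotp", "username": "al"}])))
    print(set_string_command("host/foo.mit.edu", "require_auth",
                             require_auth_value(["otp", "pkinit"])))
```

The first print reproduces the page's otp example byte for byte; the second requires either the ``otp`` or the ``pkinit`` indicator on tickets for host/foo.mit.edu (the indicator names are assumptions here; they are whatever your preauthentication mechanisms are configured to assert).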
.. _set_string_end:

.. _del_string:

del_string
~~~~~~~~~~

**del_string** *principal* *name*

Deletes a string attribute from *principal*.

This command requires the **delete** privilege.

Alias: **delstr**

.. _del_string_end:

.. _add_policy:

add_policy
~~~~~~~~~~

**add_policy** [*options*] *policy*

Adds a password policy named *policy* to the database.

This command requires the **add** privilege.

Alias: **addpol**

The following options are available:

**-maxlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the maximum
    lifetime of a password.

**-minlife** *time*
    (:ref:`duration` or :ref:`getdate` string) Sets the minimum
    lifetime of a password.

**-minlength** *length*
    Sets the minimum length of a password.

**-minclasses** *number*
    Sets the minimum number of character classes required in a
    password. The five character classes are lower case, upper case,
    numbers, punctuation, and whitespace/unprintable characters.

**-history** *number*
    Sets the number of past keys kept for a principal. This option is
    not supported with the LDAP KDC database module.

.. _policy_maxfailure:

**-maxfailure** *maxnumber*
    Sets the number of authentication failures before the principal is
    locked. Authentication failures are only tracked for principals
    which require preauthentication. The counter of failed attempts
    resets to 0 after a successful attempt to authenticate. A
    *maxnumber* value of 0 (the default) disables lockout.

.. _policy_failurecountinterval:

**-failurecountinterval** *failuretime*
    (:ref:`duration` or :ref:`getdate` string) Sets the allowable time
    between authentication failures. If an authentication failure
    happens after *failuretime* has elapsed since the previous
    failure, the number of authentication failures is reset to 1. A
    *failuretime* value of 0 (the default) means forever.

.. _policy_lockoutduration:

**-lockoutduration** *lockouttime*
    (:ref:`duration` or :ref:`getdate` string) Sets the duration for
    which the principal is locked from authenticating if too many
    authentication failures occur without the specified failure count
    interval elapsing. A duration of 0 (the default) means the
    principal remains locked out until it is administratively unlocked
    with ``modprinc -unlock``.

**-allowedkeysalts** *keysalts*
    Specifies the key/salt tuples supported for long-term keys when
    setting or changing a principal's password/keys. See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
    accepted values, but note that key/salt tuples must be separated
    with commas (',') only. To clear the allowed key/salt policy use
    a value of '-'.

Example::

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests
    kadmin:
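The three lockout options interact in a way that is easy to get wrong when writing a policy. The following added example (a model written for this page, not KDC code) applies the rules documented above to a sequence of AS-REQ outcomes, and checks a candidate password against **-minlength** and **-minclasses** using the five character classes listed. Times are plain seconds, the scenario values are made up, and the class and function names are the example's own.

```python
import string
from dataclasses import dataclass


@dataclass
class Policy:
    """The add_policy settings this example models (durations in seconds)."""
    minlength: int = 0
    minclasses: int = 0
    maxfailure: int = 0            # 0 disables lockout
    failurecountinterval: int = 0  # 0: earlier failures never age out
    lockoutduration: int = 0       # 0: locked until `modprinc -unlock`


def char_classes(password):
    """Count the five kadmin character classes present in a password."""
    seen = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            seen.add("lower")
        elif ch in string.ascii_uppercase:
            seen.add("upper")
        elif ch in string.digits:
            seen.add("digit")
        elif ch in string.punctuation:
            seen.add("punct")
        else:
            seen.add("other")      # whitespace and unprintable characters
    return len(seen)


def check_password(policy, password):
    """Return the -minlength / -minclasses violations for a candidate password."""
    problems = []
    if len(password) < policy.minlength:
        problems.append(f"shorter than {policy.minlength} characters")
    if char_classes(password) < policy.minclasses:
        problems.append(f"fewer than {policy.minclasses} character classes")
    return problems


@dataclass
class LockoutState:
    """The per-principal counters get_principal shows as
    'Failed password attempts' and 'Last failed authentication'."""
    fail_count: int = 0
    last_failed: int = 0


def as_req(policy, state, now, password_ok, requires_preauth=True):
    """Run one AS-REQ outcome through the documented lockout rules.

    Returns 'locked', 'untracked', 'ok' or 'fail' and updates state in place.
    """
    if policy.maxfailure and state.fail_count >= policy.maxfailure:
        still_locked = (policy.lockoutduration == 0
                        or now < state.last_failed + policy.lockoutduration)
        if still_locked:
            return "locked"
    if not requires_preauth:
        # Without preauthentication the KDC cannot tell a wrong password from
        # a right one when it answers the AS-REQ, so nothing is counted.
        return "untracked"
    if password_ok:
        state.fail_count = 0
        return "ok"
    if policy.failurecountinterval and now > state.last_failed + policy.failurecountinterval:
        state.fail_count = 0       # earlier failures aged out: this one becomes #1
    state.fail_count += 1
    state.last_failed = now
    return "fail"


def admin_unlock(state):
    """What `modprinc -unlock` does to the counters."""
    state.fail_count = 0
    state.last_failed = 0


if __name__ == "__main__":
    p = Policy(minlength=5, minclasses=2, maxfailure=3,
               failurecountinterval=60, lockoutduration=300)
    print(check_password(p, "abc"))
    s = LockoutState()
    print([as_req(p, s, t, False) for t in (0, 10, 20)], as_req(p, s, 30, True))
```

Two points the scenarios bring out: with **-failurecountinterval** set, failures spaced further apart than the interval never accumulate, so a slow guessing campaign is not stopped by **-maxfailure** alone; and with the default **-lockoutduration** of 0 a locked principal stays locked through a correct password until an administrator runs ``modprinc -unlock``.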
.. _add_policy_end:

.. _modify_policy:

modify_policy
~~~~~~~~~~~~~

**modify_policy** [*options*] *policy*

Modifies the password policy named *policy*. Options are as described
for **add_policy**.

This command requires the **modify** privilege.

Alias: **modpol**

.. _modify_policy_end:

.. _delete_policy:

delete_policy
~~~~~~~~~~~~~

**delete_policy** [**-force**] *policy*

Deletes the password policy named *policy*. Prompts for confirmation
before deletion unless **-force** is given. The command will fail if
the policy is in use by any principals.

This command requires the **delete** privilege.

Alias: **delpol**

Example::

    kadmin: delete_policy guests
    Are you sure you want to delete the policy "guests"?
    (yes/no): yes
    kadmin:

.. _delete_policy_end:

.. _get_policy:

get_policy
~~~~~~~~~~

**get_policy** [ **-terse** ] *policy*

Displays the values of the password policy named *policy*. With the
**-terse** flag, outputs the fields as quoted strings separated by
tabs.

This command requires the **inquire** privilege.

Alias: **getpol**

Examples::

    kadmin: get_policy admin
    Policy: admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5
    Reference count: 17

    kadmin: get_policy -terse admin
    admin    15552000    0    6    2    5    17
    kadmin:
The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not
meaningful.

.. _get_policy_end:

.. _list_policies:

list_policies
~~~~~~~~~~~~~

**list_policies** [*expression*]

Retrieves all or some policy names. *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are
printed.

This command requires the **list** privilege.

Aliases: **listpols**, **get_policies**, **getpols**.

Examples::

    kadmin: listpols
    test-pol
    dict-only
    once-a-min
    test-pol-nopw

    kadmin: listpols t*
    test-pol
    test-pol-nopw
    kadmin:
.. _list_policies_end:

.. _ktadd:

ktadd
~~~~~

| **ktadd** [options] *principal*
| **ktadd** [options] **-glob** *princ-exp*

Adds a *principal*, or all principals matching *princ-exp*, to a
keytab file. Each principal's keys are randomized in the process,
which gives the principal a new kvno in the database; any other keytab
still holding that principal's previous keys stops working. The rules
for *princ-exp* are described in the **list_principals** command.

This command requires the **inquire** and **changepw** privileges.
With the **-glob** form, it also requires the **list** privilege.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, the default keytab is
    used.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the new keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-q**
    Display less verbose information.

**-norandkey**
    Do not randomize the keys. The keys and their version numbers stay
    unchanged. This option cannot be specified in combination with the
    **-e** option.

An entry for each of the principal's unique encryption types is added,
ignoring multiple keys with the same encryption type but different
salt types.

Example::

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
         encryption type aes256-cts-hmac-sha1-96 added to keytab
         FILE:/tmp/foo-new-keytab
    kadmin:

.. _ktadd_end:

.. _ktremove:

ktremove
~~~~~~~~

**ktremove** [options] *principal* [*kvno* | *all* | *old*]

Removes entries for the specified *principal* from a keytab. Requires
no permissions, since this does not require database access.

If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.

The options are:

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, the default keytab is
    used.

**-q**
    Display less verbose information.

Example::

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab
         FILE:/etc/krb5.keytab
    kadmin:
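ktadd and ktremove both work on the keytab file itself, and the superseded low-kvno entries that the ``old`` selector removes are keys sitting on disk for no reason. The following added example (not kadmin code) writes and reads the MIT keytab file format (version 0x0502), reproduces ktremove's all/old/kvno selection, and lists entries whose enctype is in the single DES, triple DES or RC4 families. The sample entries for host/foo.mit.edu and kadmin/admin are constructed, the key bytes are placeholders, and the function names are the example's own.

```python
import struct
from dataclasses import dataclass

# Enctype numbers to hunt down in old keytabs: des-cbc-crc (1), des-cbc-md4 (2),
# des-cbc-md5 (3), des3-cbc-sha1 (16), arcfour-hmac (23), arcfour-hmac-exp (24).
WEAK_ENCTYPES = {1, 2, 3, 16, 23, 24}


@dataclass
class KeytabEntry:
    principal: str
    kvno: int
    enctype: int
    timestamp: int
    key: bytes


def _counted(b):
    """keytab 'counted octet string': 16-bit big-endian length, then the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialize entries in keytab format 0x0502 (all integers big-endian).
    Used here only to construct an input file for the example."""
    out = bytearray(b"\x05\x02")
    for e in entries:
        name, realm = e.principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for c in comps:
            body += _counted(c.encode())
        # name type NT-PRINCIPAL (1), timestamp, 8-bit vno, enctype
        body += struct.pack(">IIBH", 1, e.timestamp, e.kvno & 0xFF, e.enctype)
        body += _counted(e.key)
        body += struct.pack(">I", e.kvno)      # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Parse a 0x0502 keytab.  Negative record sizes are holes left behind by
    in-place deletion and are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        strings = []
        for _ in range(ncomp + 1):            # realm first, then each component
            (n,) = struct.unpack_from(">H", data, pos)
            strings.append(data[pos + 2:pos + 2 + n])
            pos += 2 + n
        _nametype, ts, vno8, etype = struct.unpack_from(">IIBH", data, pos)
        pos += 11
        (klen,) = struct.unpack_from(">H", data, pos)
        key = data[pos + 2:pos + 2 + klen]
        pos += 2 + klen
        kvno = vno8
        if end - pos >= 4:                     # 32-bit kvno present; nonzero wins
            (vno32,) = struct.unpack_from(">I", data, pos)
            if vno32:
                kvno = vno32
        pos = end
        realm, comps = strings[0].decode(), [s.decode() for s in strings[1:]]
        entries.append(KeytabEntry("/".join(comps) + "@" + realm, kvno, etype, ts, key))
    return entries


def select_for_removal(entries, principal, which):
    """ktremove's selection rule: 'all', 'old' (everything but the highest
    kvno) or one kvno given as an integer string."""
    mine = [e for e in entries if e.principal == principal]
    if which == "all":
        return mine
    if which == "old":
        newest = max((e.kvno for e in mine), default=0)
        return [e for e in mine if e.kvno != newest]
    wanted = int(which)
    return [e for e in mine if e.kvno == wanted]


def weak_entries(entries):
    return [e for e in entries if e.enctype in WEAK_ENCTYPES]


# Constructed sample: host/foo.mit.edu after three ktadd runs (the first one
# long ago with RC4), plus the kadmin/admin entry the ktremove example removes.
SAMPLE_ENTRIES = [
    KeytabEntry("host/foo.mit.edu@ATHENA.MIT.EDU", 1, 23, 1_500_000_000, b"\x11" * 16),
    KeytabEntry("host/foo.mit.edu@ATHENA.MIT.EDU", 2, 18, 1_600_000_000, b"\x22" * 32),
    KeytabEntry("host/foo.mit.edu@ATHENA.MIT.EDU", 3, 18, 1_700_000_000, b"\x33" * 32),
    KeytabEntry("kadmin/admin@ATHENA.MIT.EDU", 3, 18, 1_700_000_000, b"\x44" * 32),
]
```

Point ``parse_keytab`` at the bytes of ``/etc/krb5.keytab`` (it needs read access, as ktremove itself does) and compare ``weak_entries`` and ``select_for_removal(..., "old")`` against what ``ktremove NAME old`` would delete before running it; an entry whose kvno no longer matches the database is dead weight, but an entry with a *higher* kvno than its neighbours may be the only one that still works.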
.. _ktremove_end:

lock
~~~~

Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.

unlock
~~~~~~

Release the exclusive database lock.

list_requests
~~~~~~~~~~~~~

Lists the available kadmin requests.

Aliases: **lr**, **?**

quit
~~~~

Exit program. If the database was locked, the lock is released.

Aliases: **exit**, **q**


HISTORY
-------

The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`