.. _kdb5_util(8):

kdb5_util
=========

SYNOPSIS
--------

.. _kdb5_util_synopsis:

**kdb5_util**
[**-r** *realm*]
[**-d** *dbname*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m**]
[**-sf** *stashfilename*]
[**-P** *password*]
[**-x** *db_args*]
*command* [*command_options*]

.. _kdb5_util_synopsis_end:

DESCRIPTION
-----------

kdb5_util allows an administrator to perform maintenance procedures on
the KDC database.  Databases can be created, destroyed, and dumped to
or loaded from ASCII files.  kdb5_util can create a Kerberos master
key stash file or perform live rollover of the master key.

When kdb5_util is run, it attempts to acquire the master key and open
the database.  However, execution continues regardless of whether or
not kdb5_util successfully opens the database, because the database
may not exist yet or the stash file may be corrupt.

Note that some KDC database modules may not support all kdb5_util
commands.


COMMAND-LINE OPTIONS
--------------------

.. _kdb5_util_options:

**-r** *realm*
    specifies the Kerberos realm of the database.

**-d** *dbname*
    specifies the name under which the principal database is stored;
    by default the database is that listed in :ref:`kdc.conf(5)`.  The
    password policy database and lock files are also derived from this
    value.

**-k** *mkeytype*
    specifies the key type of the master key in the database.  The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    specifies the version number of the master key in the database;
    the default is 1.  Note that 0 is not allowed.

**-M** *mkeyname*
    principal name for the master key in the database.  If not
    specified, the name is determined by the **master_key_name**
    variable in :ref:`kdc.conf(5)`.

**-m**
    specifies that the master database password should be read from
    the keyboard rather than fetched from a file on disk.

**-sf** *stash_file*
    specifies the stash filename of the master database password.  If
    not specified, the filename is determined by the
    **key_stash_file** variable in :ref:`kdc.conf(5)`.

**-P** *password*
    specifies the master database password.  Using this option may
    expose the password to other users on the system via the process
    list.

**-x** *db_args*
    specifies database-specific options.  See :ref:`kadmin(1)` for
    supported options.

.. _kdb5_util_options_end:


COMMANDS
--------

create
~~~~~~

.. _kdb5_util_create:

    **create** [**-s**]

Creates a new database.  If the **-s** option is specified, the stash
file is also created.  This command fails if the database already
exists.  If the command is successful, the database is opened just as
if it had already existed when the program was first run.

.. _kdb5_util_create_end:

destroy
~~~~~~~

.. _kdb5_util_destroy:

    **destroy** [**-f**]

Destroys the database, first overwriting the disk sectors and then
unlinking the files, after prompting the user for confirmation.  With
the **-f** argument, does not prompt the user.

.. _kdb5_util_destroy_end:

stash
~~~~~

.. _kdb5_util_stash:

    **stash** [**-f** *keyfile*]

Stores the master principal's keys in a stash file.  The **-f**
argument can be used to override the *keyfile* specified in
:ref:`kdc.conf(5)`.

.. _kdb5_util_stash_end:

dump
~~~~

.. _kdb5_util_dump:

    **dump** [**-b7**\|\ **-r13**\|\ **-r18**]
    [**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
    *mkey_file*] [**-rev**] [**-recurse**] [*filename*
    [*principals*...]]

Dumps the current Kerberos and KADM5 database into an ASCII file.  By
default, the database is dumped in the current format, "kdb5_util
load_dump version 7".  If *filename* is not specified, or is the
string "-", the dump is sent to standard output.  Options:

**-b7**
    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
    load_dump version 4").  This was the dump format produced on
    releases prior to 1.2.2.

**-r13**
    causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5").  This was the dump format produced on
    releases prior to 1.8.

**-r18**
    causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6").  This was the dump format produced on
    releases prior to 1.11.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is dumped.

**-mkey_convert**
    prompts for a new master key.  This new master key will be used to
    re-encrypt principal key data in the dumpfile.  The principal keys
    themselves will not be changed.

**-new_mkey_file** *mkey_file*
    the filename of a stash file.  The master key in this stash file
    will be used to re-encrypt the key data in the dumpfile.  The key
    data in the database will not be changed.

**-rev**
    dumps in reverse order.  This may recover principals that do not
    dump normally, in cases where database corruption has occurred.

**-recurse**
    causes the dump to walk the database recursively (btree only).
    This may recover principals that do not dump normally, in cases
    where database corruption has occurred.  In cases of such
    corruption, this option will probably retrieve more principals
    than the **-rev** option will.

    .. versionchanged:: 1.15
        Release 1.15 restored the functionality of the **-recurse**
        option.

    .. versionchanged:: 1.5
        The **-recurse** option ceased working until release 1.15,
        doing a normal dump instead of a recursive traversal.

.. _kdb5_util_dump_end:

load
~~~~

.. _kdb5_util_load:

    **load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
    [**-verbose**] [**-update**] *filename*

Loads a database dump from the named file into the named database.  If
no option is given to determine the format of the dump file, the
format is detected automatically and handled as appropriate.  Unless
the **-update** option is given, **load** creates a new database
containing only the data in the dump file, overwriting the contents of
any previously existing database.  Note that when using the LDAP KDC
database module, the **-update** flag is required.

Options:

**-b7**
    requires the database to be in the Kerberos 5 Beta 7 format
    ("kdb5_util load_dump version 4").  This was the dump format
    produced on releases prior to 1.2.2.

**-r13**
    requires the database to be in Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5").  This was the dump format produced on
    releases prior to 1.8.

**-r18**
    requires the database to be in Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6").  This was the dump format produced on
    releases prior to 1.11.

**-hash**
    stores the database in hash format, if using the DB2 database
    type.  If this option is not specified, the database will be
    stored in btree format.  This option is not recommended, as
    databases stored in hash format are known to corrupt data and lose
    principals.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is loaded.

**-update**
    records from the dump file are added to or updated in the existing
    database.  Otherwise, a new database is created containing only
    what is in the dump file and the old one destroyed upon successful
    completion.

.. _kdb5_util_load_end:

ark
~~~

    **ark** [**-e** *enc*:*salt*,...] *principal*

Adds new random keys to *principal* at the next available key version
number.  Keys for the current highest key version number will be
preserved.  The **-e** option specifies the list of encryption and
salt types to be used for the new keys.

add_mkey
~~~~~~~~

    **add_mkey** [**-e** *etype*] [**-s**]

Adds a new master key to the master key principal, but does not mark
it as active.  Existing master keys will remain.  The **-e** option
specifies the encryption type of the new master key; see
:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible
values.  The **-s** option stashes the new master key in the stash
file, which will be created if it doesn't already exist.

After a new master key is added, it should be propagated to replica
servers via a manual or periodic invocation of :ref:`kprop(8)`.  Then,
the stash files on the replica servers should be updated with the
kdb5_util **stash** command.  Once those steps are complete, the key
is ready to be marked active with the kdb5_util **use_mkey** command.

use_mkey
~~~~~~~~

    **use_mkey** *mkeyVNO* [*time*]

Sets the activation time of the master key specified by *mkeyVNO*.
Once a master key becomes active, it will be used to encrypt newly
created principal keys.  If no *time* argument is given, the current
time is used, causing the specified master key version to become
active immediately.  The format for *time* is a :ref:`getdate` string.

After a new master key becomes active, the kdb5_util
**update_princ_encryption** command can be used to update all
principal keys to be encrypted in the new master key.

list_mkeys
~~~~~~~~~~

    **list_mkeys**

List all master keys, from most recent to earliest, in the master key
principal.  The output will show the kvno, enctype, and salt type for
each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**.  A
``*`` following an mkey denotes the currently active master key.

purge_mkeys
~~~~~~~~~~~

    **purge_mkeys** [**-f**] [**-n**] [**-v**]

Delete master keys from the master key principal that are not used to
protect any principals.  This command can be used to remove old master
keys once all principal keys are protected by a newer master key.

**-f**
    does not prompt for confirmation.

**-n**
    performs a dry run, showing master keys that would be purged, but
    not actually purging any keys.

**-v**
    gives more verbose output.

update_princ_encryption
~~~~~~~~~~~~~~~~~~~~~~~

    **update_princ_encryption** [**-f**] [**-n**] [**-v**]
    [*princ-pattern*]

Update all principal records (or only those matching the
*princ-pattern* glob pattern) to re-encrypt the key data using the
active database master key, if they are encrypted using a different
version, and give a count at the end of the number of principals
updated.  If the **-f** option is not given, ask for confirmation
before starting to make changes.  The **-v** option causes each
principal processed to be listed, with an indication as to whether it
needed updating or not.  The **-n** option performs a dry run, only
showing the actions which would have been taken.

tabdump
~~~~~~~

    **tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*]
    *dumptype*

Dump selected fields of the database in a tabular format suitable for
reporting (e.g., using traditional Unix text processing tools) or
importing into relational databases.  The data format is tab-separated
(default), or optionally comma-separated (CSV), with a fixed number of
columns.  The output begins with a header line containing field names,
unless suppression is requested using the **-H** option.

The *dumptype* parameter specifies the name of an output table (see
below).

Options:

**-H**
    suppress writing the field names in a header line.

**-c**
    use comma separated values (CSV) format, with minimal quoting,
    instead of the default tab-separated (unquoted, unescaped) format.

**-e**
    write empty hexadecimal string fields as empty fields instead of
    as "-1".

**-n**
    produce numeric output for fields that normally have symbolic
    output, such as enctypes and flag names.  Also requests output of
    time stamps as decimal POSIX time_t values.

**-o** *outfile*
    write the dump to the specified output file instead of to standard
    output.

Dump types:

**keydata**
    principal encryption key information, including actual key data
    (which is still encrypted in the master key)

    **name**
        principal name
    **keyindex**
        index of this key in the principal's key list
    **kvno**
        key version number
    **enctype**
        encryption type
    **key**
        key data as a hexadecimal string
    **salttype**
        salt type
    **salt**
        salt data as a hexadecimal string

**keyinfo**
    principal encryption key information (as in **keydata** above),
    excluding actual key data

**princ_flags**
    principal boolean attributes.  Flag names print as hexadecimal
    numbers if the **-n** option is specified, and all flag positions
    are printed regardless of whether or not they are set.  If **-n**
    is not specified, print all known flag names for each principal,
    but only print hexadecimal flag names if the corresponding flag is
    set.

    **name**
        principal name
    **flag**
        flag name
    **value**
        boolean value (0 for clear, or 1 for set)

**princ_lockout**
    state information used for tracking repeated password failures

    **name**
        principal name
    **last_success**
        time stamp of most recent successful authentication
    **last_failed**
        time stamp of most recent failed authentication
    **fail_count**
        count of failed attempts

**princ_meta**
    principal metadata

    **name**
        principal name
    **modby**
        name of last principal to modify this principal
    **modtime**
        timestamp of last modification
    **lastpwd**
        timestamp of last password change
    **policy**
        policy object name
    **mkvno**
        key version number of the master key that encrypts this
        principal's key data
    **hist_kvno**
        key version number of the history key that encrypts the key
        history data for this principal

**princ_stringattrs**
    string attributes (key/value pairs)

    **name**
        principal name
    **key**
        attribute name
    **value**
        attribute value

**princ_tktpolicy**
    per-principal ticket policy data, including maximum ticket
    lifetimes

    **name**
        principal name
    **expiration**
        principal expiration date
    **pw_expiration**
        password expiration date
    **max_life**
        maximum ticket lifetime
    **max_renew_life**
        maximum renewable ticket lifetime

Examples::

    $ kdb5_util tabdump -o keyinfo.txt keyinfo
    $ cat keyinfo.txt
    name	keyindex	kvno	enctype	salttype	salt
    K/M@EXAMPLE.COM	0	1	aes256-cts-hmac-sha384-192	normal	-1
    foo@EXAMPLE.COM	0	1	aes128-cts-hmac-sha1-96	normal	-1
    bar@EXAMPLE.COM	0	1	aes128-cts-hmac-sha1-96	normal	-1
    $ sqlite3
    sqlite> .mode tabs
    sqlite> .import keyinfo.txt keyinfo
    sqlite> select * from keyinfo where enctype like 'aes256-%';
    K/M@EXAMPLE.COM	0	1	aes256-cts-hmac-sha384-192	normal	-1
    sqlite> .quit
    $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
    K/M@EXAMPLE.COM	0	1	aes256-cts-hmac-sha384-192	normal	-1
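
The tabdump tables above are the natural input for routine checks an
administrator runs after a master key rollover (**use_mkey**,
**update_princ_encryption**, **purge_mkeys**) or while reviewing
**princ_lockout** state.  The following script is an added example, not
part of the kdb5_util documentation or of MIT krb5: it parses tabdump
output in both the default tab-separated and the **-c** CSV layout,
handles the "-1" empty-hex sentinel, and then reports principals whose
key data is still wrapped by a non-active master key (which must be
empty before **purge_mkeys** is safe), keys whose enctype is outside an
allowed set, and principals whose failure count has reached a
threshold.  All tables embedded below are constructed sample data laid
out with the column names the documentation lists; the active master
key version number is assumed to have been read from **list_mkeys**.

```python
# Added example (not MIT krb5 code): checks over "kdb5_util tabdump" output.
# All sample tables are constructed; column names follow the tabdump tables
# documented for keyinfo, princ_meta and princ_lockout (timestamps as -n
# decimal POSIX values).
import csv
import io

EMPTY_HEX = "-1"  # tabdump's sentinel for an empty hex field (unless -e is given)


def parse_tabdump(text, csv_format=False):
    """Parse one tabdump table (header line followed by rows) into dicts.

    Default tabdump output is tab-separated and unquoted; with -c it is CSV
    with minimal quoting, which the csv module handles for us.
    """
    if csv_format:
        rows = [row for row in csv.reader(io.StringIO(text)) if row]
    else:
        rows = [line.split("\t") for line in text.splitlines() if line.strip()]
    if not rows:
        raise ValueError("tabdump output is empty (was -H used without a header?)")
    header, body = rows[0], rows[1:]
    records = []
    for row in body:
        if len(row) != len(header):
            raise ValueError(f"expected {len(header)} fields, got {len(row)}: {row!r}")
        records.append(dict(zip(header, row)))
    return records


def hex_field(value):
    """Map tabdump's "-1" empty-hex sentinel to an empty string."""
    return "" if value == EMPTY_HEX else value


def stale_mkvno(princ_meta, active_mkvno):
    """Principals whose key data is still wrapped by a master key other than
    the active one: they still need update_princ_encryption, and purge_mkeys
    must wait until this list is empty."""
    return sorted(r["name"] for r in princ_meta if int(r["mkvno"]) != active_mkvno)


def weak_enctypes(keyinfo, allowed_prefixes=("aes256-", "aes128-")):
    """(principal, enctype) pairs whose enctype is outside the allowed set."""
    return sorted({(r["name"], r["enctype"]) for r in keyinfo
                   if not r["enctype"].startswith(allowed_prefixes)})


def lockout_candidates(princ_lockout, threshold):
    """Principals whose fail_count has reached the threshold."""
    return sorted(r["name"] for r in princ_lockout if int(r["fail_count"]) >= threshold)


# --- constructed sample tables ---
KEYINFO_TSV = "\n".join([
    "name\tkeyindex\tkvno\tenctype\tsalttype\tsalt",
    "K/M@EXAMPLE.COM\t0\t1\taes256-cts-hmac-sha384-192\tnormal\t-1",
    "foo@EXAMPLE.COM\t0\t1\taes128-cts-hmac-sha1-96\tnormal\t-1",
    "legacy/host@EXAMPLE.COM\t0\t1\tdes3-cbc-sha1\tnormal\t-1",
])
# The same rows in the -c (CSV) layout; no field contains a comma, so no quoting is needed.
KEYINFO_CSV = KEYINFO_TSV.replace("\t", ",")
PRINC_META_TSV = "\n".join([
    "name\tmodby\tmodtime\tlastpwd\tpolicy\tmkvno\thist_kvno",
    "K/M@EXAMPLE.COM\tK/M@EXAMPLE.COM\t1700000000\t1700000000\tdefault\t2\t1",
    "foo@EXAMPLE.COM\tadmin/admin@EXAMPLE.COM\t1700000100\t1700000100\tdefault\t2\t1",
    "bar@EXAMPLE.COM\tadmin/admin@EXAMPLE.COM\t1600000000\t1600000000\tdefault\t1\t1",
])
PRINC_LOCKOUT_TSV = "\n".join([
    "name\tlast_success\tlast_failed\tfail_count",
    "foo@EXAMPLE.COM\t1700000200\t0\t0",
    "bar@EXAMPLE.COM\t1600000000\t1700000300\t7",
])
ACTIVE_MKVNO = 2  # assumed: the kvno marked with "*" in "kdb5_util list_mkeys"


def report():
    """Run all checks over the sample tables and return the findings."""
    return {
        "stale_mkvno": stale_mkvno(parse_tabdump(PRINC_META_TSV), ACTIVE_MKVNO),
        "weak_enctypes": weak_enctypes(parse_tabdump(KEYINFO_TSV)),
        "lockout": lockout_candidates(parse_tabdump(PRINC_LOCKOUT_TSV), 5),
    }


if __name__ == "__main__":
    for check, hits in report().items():
        print(f"{check}: {hits if hits else 'none'}")
```

On a real KDC the three tables would come from ``kdb5_util tabdump -n
princ_meta``, ``kdb5_util tabdump keyinfo`` and ``kdb5_util tabdump -n
princ_lockout`` rather than from the embedded strings; the parser raises
on a row whose field count does not match the header, so a dump taken
with **-H** must be given its header line back before parsing.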


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`