.. _kdb5_util(8):

kdb5_util
=========

SYNOPSIS
--------

.. _kdb5_util_synopsis:

**kdb5_util**
[**-r** *realm*]
[**-d** *dbname*]
[**-k** *mkeytype*]
[**-kv** *mkeyVNO*]
[**-M** *mkeyname*]
[**-m**]
[**-sf** *stash_file*]
[**-P** *password*]
[**-x** *db_args*]
*command* [*command_options*]

.. _kdb5_util_synopsis_end:

DESCRIPTION
-----------

kdb5_util allows an administrator to perform maintenance procedures on
the KDC database. Databases can be created, destroyed, and dumped to
or loaded from ASCII files. kdb5_util can create a Kerberos master
key stash file or perform live rollover of the master key.

When kdb5_util is run, it attempts to acquire the master key and open
the database. However, execution continues regardless of whether or
not kdb5_util successfully opens the database, because the database
may not exist yet or the stash file may be corrupt.

Note that some KDC database modules may not support all kdb5_util
commands.


COMMAND-LINE OPTIONS
--------------------

.. _kdb5_util_options:

**-r** *realm*
    specifies the Kerberos realm of the database.

**-d** *dbname*
    specifies the name under which the principal database is stored;
    by default the database is that listed in :ref:`kdc.conf(5)`. The
    password policy database and lock files are also derived from this
    value.

**-k** *mkeytype*
    specifies the key type of the master key in the database. The
    default is given by the **master_key_type** variable in
    :ref:`kdc.conf(5)`.

**-kv** *mkeyVNO*
    specifies the version number of the master key in the database;
    the default is 1. Note that 0 is not allowed.

**-M** *mkeyname*
    principal name for the master key in the database. If not
    specified, the name is determined by the **master_key_name**
    variable in :ref:`kdc.conf(5)`.

**-m**
    specifies that the master database password should be read from
    the keyboard rather than fetched from a file on disk.

**-sf** *stash_file*
    specifies the stash filename of the master database password. If
    not specified, the filename is determined by the
    **key_stash_file** variable in :ref:`kdc.conf(5)`.

**-P** *password*
    specifies the master database password. Using this option may
    expose the password to other users on the system via the process
    list.

**-x** *db_args*
    specifies database-specific options. See :ref:`kadmin(1)` for
    supported options.

.. _kdb5_util_options_end:


COMMANDS
--------

create
~~~~~~

.. _kdb5_util_create:

**create** [**-s**]

Creates a new database. If the **-s** option is specified, the stash
file is also created. This command fails if the database already
exists. If the command is successful, the database is opened just as
if it had already existed when the program was first run.

.. _kdb5_util_create_end:

destroy
~~~~~~~

.. _kdb5_util_destroy:

**destroy** [**-f**]

Destroys the database, first overwriting the disk sectors and then
unlinking the files, after prompting the user for confirmation. With
the **-f** argument, does not prompt the user.

.. _kdb5_util_destroy_end:

stash
~~~~~

.. _kdb5_util_stash:

**stash** [**-f** *keyfile*]

Stores the master principal's keys in a stash file. The **-f**
argument can be used to override the *keyfile* specified in
:ref:`kdc.conf(5)`.

.. _kdb5_util_stash_end:

dump
~~~~

.. _kdb5_util_dump:

**dump** [**-b7**\|\ **-r13**\|\ **-r18**]
[**-verbose**] [**-mkey_convert**] [**-new_mkey_file**
*mkey_file*] [**-rev**] [**-recurse**] [*filename*
[*principals*...]]

Dumps the current Kerberos and KADM5 database into an ASCII file. By
default, the database is dumped in current format, "kdb5_util
load_dump version 7". If filename is not specified, or is the string
"-", the dump is sent to standard output. The dump contains the key
data of every principal (encrypted under the master key), so the
output file should be protected as carefully as the database itself.
Options:

**-b7**
    causes the dump to be in the Kerberos 5 Beta 7 format ("kdb5_util
    load_dump version 4"). This was the dump format produced on
    releases prior to 1.2.2.

**-r13**
    causes the dump to be in the Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5"). This was the dump format produced on
    releases prior to 1.8.

**-r18**
    causes the dump to be in the Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6"). This was the dump format produced on
    releases prior to 1.11.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is dumped.

**-mkey_convert**
    prompts for a new master key. This new master key will be used to
    re-encrypt principal key data in the dumpfile. The principal keys
    themselves will not be changed.

**-new_mkey_file** *mkey_file*
    the filename of a stash file. The master key in this stash file
    will be used to re-encrypt the key data in the dumpfile. The key
    data in the database will not be changed.

**-rev**
    dumps in reverse order. This may recover principals that do not
    dump normally, in cases where database corruption has occurred.

**-recurse**
    causes the dump to walk the database recursively (btree only).
    This may recover principals that do not dump normally, in cases
    where database corruption has occurred. In cases of such
    corruption, this option will probably retrieve more principals
    than the **-rev** option will.

    .. versionchanged:: 1.15
        Release 1.15 restored the functionality of the **-recurse**
        option.

    .. versionchanged:: 1.5
        The **-recurse** option ceased working until release 1.15,
        doing a normal dump instead of a recursive traversal.

.. _kdb5_util_dump_end:

load
~~~~

.. _kdb5_util_load:

**load** [**-b7**\|\ **-r13**\|\ **-r18**] [**-hash**]
[**-verbose**] [**-update**] *filename*

Loads a database dump from the named file into the named database. If
no option is given to determine the format of the dump file, the
format is detected automatically and handled as appropriate. Unless
the **-update** option is given, **load** creates a new database
containing only the data in the dump file, overwriting the contents of
any previously existing database. Note that when using the LDAP KDC
database module, the **-update** flag is required.

Options:

**-b7**
    requires the database to be in the Kerberos 5 Beta 7 format
    ("kdb5_util load_dump version 4"). This was the dump format
    produced on releases prior to 1.2.2.

**-r13**
    requires the database to be in Kerberos 5 1.3 format ("kdb5_util
    load_dump version 5"). This was the dump format produced on
    releases prior to 1.8.

**-r18**
    requires the database to be in Kerberos 5 1.8 format ("kdb5_util
    load_dump version 6"). This was the dump format produced on
    releases prior to 1.11.

**-hash**
    stores the database in hash format, if using the DB2 database
    type. If this option is not specified, the database will be
    stored in btree format. This option is not recommended, as
    databases stored in hash format are known to corrupt data and lose
    principals.

**-verbose**
    causes the name of each principal and policy to be printed as it
    is loaded.

**-update**
    records from the dump file are added to or updated in the existing
    database. Otherwise, a new database is created containing only
    what is in the dump file and the old one destroyed upon successful
    completion.

.. _kdb5_util_load_end:

ark
~~~

**ark** [**-e** *enc*:*salt*,...] *principal*

Adds new random keys to *principal* at the next available key version
number. Keys for the current highest key version number will be
preserved. The **-e** option specifies the list of encryption and
salt types to be used for the new keys.

add_mkey
~~~~~~~~

**add_mkey** [**-e** *etype*] [**-s**]

Adds a new master key to the master key principal, but does not mark
it as active. Existing master keys will remain. The **-e** option
specifies the encryption type of the new master key; see
:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of possible
values. The **-s** option stashes the new master key in the stash
file, which will be created if it doesn't already exist.

After a new master key is added, it should be propagated to replica
servers via a manual or periodic invocation of :ref:`kprop(8)`. Then,
the stash files on the replica servers should be updated with the
kdb5_util **stash** command. Once those steps are complete, the key
is ready to be marked active with the kdb5_util **use_mkey** command.

use_mkey
~~~~~~~~

**use_mkey** *mkeyVNO* [*time*]

Sets the activation time of the master key specified by *mkeyVNO*.
Once a master key becomes active, it will be used to encrypt newly
created principal keys. If no *time* argument is given, the current
time is used, causing the specified master key version to become
active immediately. The format for *time* is a :ref:`getdate` string.

After a new master key becomes active, the kdb5_util
**update_princ_encryption** command can be used to update all
principal keys to be encrypted in the new master key.

list_mkeys
~~~~~~~~~~

**list_mkeys**

List all master keys, from most recent to earliest, in the master key
principal. The output will show the kvno, enctype, and salt type for
each mkey, similar to the output of :ref:`kadmin(1)` **getprinc**. A
``*`` following an mkey denotes the currently active master key.

purge_mkeys
~~~~~~~~~~~

**purge_mkeys** [**-f**] [**-n**] [**-v**]

Delete master keys from the master key principal that are not used to
protect any principals. This command can be used to remove old master
keys once all principal keys are protected by a newer master key.

**-f**
    does not prompt for confirmation.

**-n**
    performs a dry run, showing master keys that would be purged, but
    not actually purging any keys.

**-v**
    gives more verbose output.

update_princ_encryption
~~~~~~~~~~~~~~~~~~~~~~~

**update_princ_encryption** [**-f**] [**-n**] [**-v**]
[*princ-pattern*]

Update all principal records (or only those matching the
*princ-pattern* glob pattern) to re-encrypt the key data using the
active database master key, if they are encrypted using a different
version, and give a count at the end of the number of principals
updated. If the **-f** option is not given, ask for confirmation
before starting to make changes. The **-v** option causes each
principal processed to be listed, with an indication as to whether it
needed updating or not. The **-n** option performs a dry run, only
showing the actions which would have been taken.
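A progress check for the master key rollover sequence described under **add_mkey**, **use_mkey**, **update_princ_encryption** and **purge_mkeys**, written for this page as an added example; it is not part of kdb5_util or MIT Kerberos. It parses saved ``kdb5_util list_mkeys`` and ``kdb5_util tabdump -n princ_meta`` output and reports which principals are still encrypted under a non-active master key (the ones **update_princ_encryption** would touch) and which master key versions no principal references any more (the ones **purge_mkeys** would remove). The ``list_mkeys`` sample is constructed from this page's description of that output, so its exact line layout is an assumption; the ``princ_meta`` columns are the ones documented under **tabdump**, and the master principal name ``K/M@EXAMPLE.COM`` is taken from the tabdump example on this page. Skipping the master principal's own row is also an assumption, since its entry is managed by **add_mkey** rather than by **update_princ_encryption**.

```python
"""Master key rollover progress check (added example; not part of MIT
Kerberos).  Inputs, both captured on the KDC:

  kdb5_util list_mkeys              -> which master key versions exist and
                                       which one is active ('*')
  kdb5_util tabdump -n princ_meta   -> the mkvno each principal's key data
                                       is currently encrypted under
"""
import csv
import io
import re

# Constructed sample of `kdb5_util list_mkeys` output (line layout assumed).
LIST_MKEYS_SAMPLE = """\
Master keys for principal: K/M@EXAMPLE.COM
KVNO: 3, Enctype: aes256-cts-hmac-sha384-192, Active on: Mon Jan 08 09:00:00 UTC 2024 *
KVNO: 2, Enctype: aes256-cts-hmac-sha1-96, Active on: Wed Mar 01 12:00:00 UTC 2017
KVNO: 1, Enctype: aes256-cts-hmac-sha1-96, Active on: Thu Jan 01 00:00:00 UTC 1970
"""

# Constructed sample of `kdb5_util tabdump -n princ_meta` output
# (tab-separated, header line, columns as documented on this page).
PRINC_META_SAMPLE = "\n".join([
    "name\tmodby\tmodtime\tlastpwd\tpolicy\tmkvno\thist_kvno",
    "K/M@EXAMPLE.COM\tdb_creation@EXAMPLE.COM\t1488369600\t1488369600\t\t3\t1",
    "kadmin/history@EXAMPLE.COM\tdb_creation@EXAMPLE.COM\t1488369600\t1488369600\t\t3\t1",
    "foo@EXAMPLE.COM\tadmin/admin@EXAMPLE.COM\t1704700800\t1704700800\tdefault\t3\t1",
    "bar@EXAMPLE.COM\tadmin/admin@EXAMPLE.COM\t1500000000\t1500000000\tdefault\t2\t1",
    "host/kdc.example.com@EXAMPLE.COM\tadmin/admin@EXAMPLE.COM\t1500000000\t1500000000\t\t2\t1",
]) + "\n"

MKEY_LINE = re.compile(r"^KVNO:\s*(\d+),\s*Enctype:\s*([^,\s]+)")


def parse_list_mkeys(text):
    """Return (active_kvno, {kvno: enctype}) from list_mkeys output."""
    keys, active = {}, None
    for line in text.splitlines():
        m = MKEY_LINE.match(line)
        if not m:
            continue                      # banner or unrelated line
        kvno = int(m.group(1))
        keys[kvno] = m.group(2)
        if line.rstrip().endswith("*"):   # '*' marks the active master key
            active = kvno
    if active is None:
        raise ValueError("no master key is marked active")
    return active, keys


def parse_tabdump(tsv):
    """Rows of a default-format tabdump: tab-separated, unquoted, header line."""
    return list(csv.DictReader(io.StringIO(tsv), delimiter="\t",
                               quoting=csv.QUOTE_NONE))


def rollover_status(list_mkeys_text, princ_meta_tsv,
                    master_princ="K/M@EXAMPLE.COM"):
    """Summarise where a master key rollover stands.

    stale:     principals whose key data is under a non-active mkvno
               (what update_princ_encryption still has to re-encrypt)
    purgeable: master key versions no principal references and that are
               not active (what purge_mkeys would remove)
    """
    active, keys = parse_list_mkeys(list_mkeys_text)
    stale, in_use = [], set()
    for row in parse_tabdump(princ_meta_tsv):
        if row["name"] == master_princ:
            # Assumption: the master principal's entry holds the master
            # keys themselves and is maintained by add_mkey, so skip it.
            continue
        mkvno = int(row["mkvno"])
        in_use.add(mkvno)
        if mkvno != active:
            stale.append(row["name"])
    unknown = in_use - set(keys)
    if unknown:
        # A principal under an mkvno that list_mkeys does not show means
        # the database and master key list disagree; stop, do not purge.
        raise ValueError(f"principals reference unknown master key versions {sorted(unknown)}")
    return {
        "active": active,
        "stale": stale,
        "purgeable": sorted(set(keys) - in_use - {active}),
    }


if __name__ == "__main__":
    status = rollover_status(LIST_MKEYS_SAMPLE, PRINC_META_SAMPLE)
    print(f"active master key: kvno {status['active']}")
    for name in status["stale"]:
        print(f"needs update_princ_encryption: {name}")
    print(f"purge_mkeys would remove kvno(s): {status['purgeable'] or 'none'}")
```

Nothing in the check needs the master key or the stash file, so both inputs can be captured on the KDC and examined elsewhere. An empty ``stale`` list means the **use_mkey** / **update_princ_encryption** step is complete on the KDC the dump came from (replicas must be checked from their own dumps after **kprop**), and ``purgeable`` should line up with what ``purge_mkeys -n`` reports before the old versions are actually removed.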

tabdump
~~~~~~~

**tabdump** [**-H**] [**-c**] [**-e**] [**-n**] [**-o** *outfile*]
*dumptype*

Dump selected fields of the database in a tabular format suitable for
reporting (e.g., using traditional Unix text processing tools) or
importing into relational databases. The data format is tab-separated
(default), or optionally comma-separated (CSV), with a fixed number of
columns. The output begins with a header line containing field names,
unless suppression is requested using the **-H** option.

The *dumptype* parameter specifies the name of an output table (see
below).

Options:

**-H**
    suppress writing the field names in a header line

**-c**
    use comma separated values (CSV) format, with minimal quoting,
    instead of the default tab-separated (unquoted, unescaped) format

**-e**
    write empty hexadecimal string fields as empty fields instead of
    as "-1".

**-n**
    produce numeric output for fields that normally have symbolic
    output, such as enctypes and flag names. Also requests output of
    time stamps as decimal POSIX time_t values.

**-o** *outfile*
    write the dump to the specified output file instead of to standard
    output

Dump types:

**keydata**
    principal encryption key information, including actual key data
    (which is still encrypted in the master key)

    **name**
        principal name
    **keyindex**
        index of this key in the principal's key list
    **kvno**
        key version number
    **enctype**
        encryption type
    **key**
        key data as a hexadecimal string
    **salttype**
        salt type
    **salt**
        salt data as a hexadecimal string

**keyinfo**
    principal encryption key information (as in **keydata** above),
    excluding actual key data

**princ_flags**
    principal boolean attributes. Flag names print as hexadecimal
    numbers if the **-n** option is specified, and all flag positions
    are printed regardless of whether or not they are set. If **-n**
    is not specified, print all known flag names for each principal,
    but only print hexadecimal flag names if the corresponding flag is
    set.

    **name**
        principal name
    **flag**
        flag name
    **value**
        boolean value (0 for clear, or 1 for set)

**princ_lockout**
    state information used for tracking repeated password failures

    **name**
        principal name
    **last_success**
        time stamp of most recent successful authentication
    **last_failed**
        time stamp of most recent failed authentication
    **fail_count**
        count of failed attempts

**princ_meta**
    principal metadata

    **name**
        principal name
    **modby**
        name of last principal to modify this principal
    **modtime**
        timestamp of last modification
    **lastpwd**
        timestamp of last password change
    **policy**
        policy object name
    **mkvno**
        key version number of the master key that encrypts this
        principal's key data
    **hist_kvno**
        key version number of the history key that encrypts the key
        history data for this principal

**princ_stringattrs**
    string attributes (key/value pairs)

    **name**
        principal name
    **key**
        attribute name
    **value**
        attribute value

**princ_tktpolicy**
    per-principal ticket policy data, including maximum ticket
    lifetimes

    **name**
        principal name
    **expiration**
        principal expiration date
    **pw_expiration**
        password expiration date
    **max_life**
        maximum ticket lifetime
    **max_renew_life**
        maximum renewable ticket lifetime

Examples::

    $ kdb5_util tabdump -o keyinfo.txt keyinfo
    $ cat keyinfo.txt
    name    keyindex        kvno    enctype salttype        salt
    K/M@EXAMPLE.COM 0       1       aes256-cts-hmac-sha384-192      normal  -1
    foo@EXAMPLE.COM 0       1       aes128-cts-hmac-sha1-96 normal  -1
    bar@EXAMPLE.COM 0       1       aes128-cts-hmac-sha1-96 normal  -1
    $ sqlite3
    sqlite> .mode tabs
    sqlite> .import keyinfo.txt keyinfo
    sqlite> select * from keyinfo where enctype like 'aes256-%';
    K/M@EXAMPLE.COM 0       1       aes256-cts-hmac-sha384-192      normal  -1
    sqlite> .quit
    $ awk -F'\t' '$4 ~ /aes256-/ { print }' keyinfo.txt
    K/M@EXAMPLE.COM 0       1       aes256-cts-hmac-sha384-192      normal  -1
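The **keyinfo** dump is the natural input for an enctype audit, since it lists every stored key's enctype without the key material. The following is an added example written for this page, not code from kdb5_util or MIT Kerberos: it parses **keyinfo** output in the default tab-separated form shown above (handling the ``-1`` empty-salt convention and the empty field produced by **-e**) and reports principals that still carry keys of a weak enctype, distinguishing those that also have a strong key from those that have nothing else. The sample rows are constructed, and the list of prefixes treated as weak is a local policy choice (single DES is deprecated by RFC 6649; 3DES and RC4 by RFC 8429). The audit expects symbolic enctype names, so the dump must be taken without **-n**.

```python
"""Audit principal key enctypes from `kdb5_util tabdump keyinfo` output.

Added example; not part of MIT Kerberos.  keyinfo excludes key data, so
this can run anywhere the dump file is allowed to travel.
"""
import csv
import io
from collections import defaultdict

# Constructed `kdb5_util tabdump keyinfo` output (default tab-separated
# form with header line; taken WITHOUT -n so enctype names are symbolic).
KEYINFO_SAMPLE = "\n".join([
    "name\tkeyindex\tkvno\tenctype\tsalttype\tsalt",
    "K/M@EXAMPLE.COM\t0\t1\taes256-cts-hmac-sha384-192\tnormal\t-1",
    "foo@EXAMPLE.COM\t0\t2\taes256-cts-hmac-sha1-96\tnormal\t-1",
    "foo@EXAMPLE.COM\t1\t2\taes128-cts-hmac-sha1-96\tnormal\t-1",
    "bar@EXAMPLE.COM\t0\t1\taes128-cts-hmac-sha1-96\tnormal\t-1",
    "bar@EXAMPLE.COM\t1\t1\tarcfour-hmac\tnormal\t-1",
    "legacy/app.example.com@EXAMPLE.COM\t0\t4\tdes3-cbc-sha1\tnormal\t-1",
]) + "\n"

# Enctype name prefixes this audit treats as weak: single DES, 3DES, RC4.
# Policy choice; adjust to the realm's permitted_enctypes.
WEAK_PREFIXES = ("des-", "des3-", "arcfour-")


def load_keyinfo(tsv):
    """Group keyinfo rows by principal: {name: [(kvno, enctype, salt), ...]}."""
    keys = defaultdict(list)
    reader = csv.DictReader(io.StringIO(tsv), delimiter="\t",
                            quoting=csv.QUOTE_NONE)   # default format is unquoted
    for row in reader:
        # tabdump writes an empty hex string as "-1" unless -e was given,
        # in which case the field is simply empty; treat both as no salt.
        salt = None if row["salt"] in ("-1", "") else bytes.fromhex(row["salt"])
        keys[row["name"]].append((int(row["kvno"]), row["enctype"], salt))
    return keys


def audit_keyinfo(tsv, weak_prefixes=WEAK_PREFIXES):
    """Return {principal: {"weak": [enctypes], "has_strong": bool}} for each
    principal that still has at least one key of a weak enctype."""
    findings = {}
    for name, entries in load_keyinfo(tsv).items():
        weak = [et for _, et, _ in entries if et.startswith(weak_prefixes)]
        if weak:
            findings[name] = {
                "weak": weak,
                "has_strong": len(weak) < len(entries),
            }
    return findings


def rekey_candidates(tsv):
    """Principals with no strong key at all.  These must get new keys
    (for service principals, `kdb5_util ark -e aes256-cts:normal PRINC`,
    as documented above) before the weak enctypes are disabled, or they
    stop authenticating."""
    return sorted(n for n, f in audit_keyinfo(tsv).items() if not f["has_strong"])


if __name__ == "__main__":
    for name, f in sorted(audit_keyinfo(KEYINFO_SAMPLE).items()):
        state = "also has a strong key" if f["has_strong"] else "NO strong key"
        print(f"{name}: weak {', '.join(f['weak'])} ({state})")
```

Principals that already have a strong key alongside a weak one can usually have the weak enctype removed from the KDC's configuration without re-keying, while those returned by ``rekey_candidates`` need new keys first. Note that **ark** keeps the keys of the current highest kvno, so a re-run of the audit after re-keying will still show the old weak keys until they are purged.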


ENVIRONMENT
-----------

See :ref:`kerberos(7)` for a description of Kerberos environment
variables.


SEE ALSO
--------

:ref:`kadmin(1)`, :ref:`kerberos(7)`