    kadmin

    
    
    

    SYNOPSIS

           kadmin [-O | -N] [-r realm] [-p principal] [-q query]
                  [[-c cache_name] | [-k [-t keytab]] | -n] [-w password] [-s
                  admin_server[:port]]
    
           kadmin.local    [-r realm] [-p principal] [-q query]
                           [-d dbname] [-e "enc:salt ..."] [-m] [-x db_args]
    
    
    

    DESCRIPTION

           kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
           KADM5  administration  system.   Both  kadmin  and kadmin.local provide
           identical functionality; the difference is that kadmin.local  runs  on
           the  master  KDC  if  the  database is db2 and does not use Kerberos to
           authenticate to the database. Except  as  explicitly  noted  otherwise,
           this man page will use kadmin to refer to both versions.  kadmin provides
           for the maintenance of Kerberos principals, KADM5 policies, and service
           key tables (keytabs).
    
           The  remote  version uses Kerberos authentication and an encrypted RPC,
           to operate securely from anywhere on the network.  It authenticates  to
           the KADM5 server using the service principal kadmin/admin.  If the cre-
           dentials cache contains a ticket for the  kadmin/admin  principal,  and
           the  -c  credentials_cache  option is specified, that ticket is used to
           authenticate to KADM5.  Otherwise, the -p and -k options  are  used  to
           specify  the client Kerberos principal name used to authenticate.  Once
           kadmin has determined the principal name, it  requests  a  kadmin/admin
           Kerberos  service  ticket from the KDC, and uses that service ticket to
           authenticate to KADM5.
    
           If the database is db2, the local client kadmin.local is  intended  to
           run  directly  on  the master KDC without Kerberos authentication.  The
           local version provides all of the functionality  of  the  now  obsolete
           kdb5_edit(8), except for database dump and load, which are now provided
           by the kdb5_util(8) utility.
    
           If the database is LDAP, kadmin.local need not be run on the KDC.
    
           kadmin.local can be configured to log updates for incremental  database
           propagation.   Incremental  propagation  allows  slave  KDC  servers to
           receive principal and policy updates incrementally instead of receiving
           full  dumps  of  the  database.   This  facility  can be enabled in the
           kdc.conf file with the iprop_enable option.  See the kdc.conf  documen-
           tation for other options for tuning incremental propagation parameters.
    
    
    

    OPTIONS

           -r realm
                  Use realm as the default database realm.
    
           -p principal
                  Use principal to authenticate.  Otherwise,  kadmin  will  append
                  "/admin"  to  the  primary principal name of the default ccache,
                  [...]

           [...]  option  with  a principal of the form @REALM (an empty principal
                  name followed by the at-sign and a realm name).  If permitted by
                  the KDC, an anonymous ticket will be returned.  A second form of
                  anonymous tickets is supported; these realm-exposed tickets hide
                  the identity of the client but not the client's realm.  For this
                  mode, use kinit -n with a normal principal name.   If  supported
                  by  the  KDC,  the principal (but not realm) will be replaced by
                  the anonymous principal.  As of release 1.8,  the  MIT  Kerberos
                  KDC only supports fully anonymous operation.
    
           -c credentials_cache
                  Use  credentials_cache  as  the  credentials cache.  The creden-
                  tials_cache should contain a service ticket for the kadmin/admin
                  service;  it can be acquired with the kinit(1) program.  If this
                  option is not specified, kadmin requests a  new  service  ticket
                  from the KDC, and stores it in its own temporary ccache.
    
           -w password
                  Use  password  instead  of  prompting for one on the TTY.  Note:
                  placing the password for a Kerberos principal  with  administra-
                  tion access into a shell script can be dangerous if unauthorized
                  users gain read access to the script.
    
           -q query
                  pass query directly to kadmin, which will perform query and then
                  exit.  This can be useful for writing scripts.
    
           -d dbname
                  Specifies  the  name of the Kerberos database.  This option does
                  not apply to the LDAP database.
    
           -s admin_server[:port]
                  Specifies the admin server which kadmin should contact.
    
           -m     Do not authenticate using a keytab.  This option will cause kad-
                  min to prompt for the master database password.
    
           -e enc:salt_list
                  Sets  the list of encryption types and salt types to be used for
                  any new keys created.
    
           -O     Force use of old AUTH_GSSAPI authentication flavor.
    
           -N     Prevent fallback to AUTH_GSSAPI authentication flavor.
    
           -x db_args
                  Specifies the database specific arguments.
    
                  Options supported for LDAP database are:
    
                  -x host=<hostname>
                         specifies the LDAP server to connect to by an LDAP URI.
    
    
    

    DATE FORMAT

           Various commands in kadmin can take a variety of date formats, specify-
           ing durations or absolute times.  Examples of valid formats are:
    
                  1 month ago
                  2 hours ago
                  400000 seconds ago
                  last year
                  this Monday
                  next Monday
                  yesterday
                  tomorrow
                  now
                  second Monday
                  a fortnight ago
                  3/31/92 10:00:07 PST
                  January 23, 1987 10:05pm
                  22:00 GMT
    
           Dates which do not have the "ago" specifier default to  being  absolute
           dates,  unless they appear in a field where a duration is expected.  In
           that case the time specifier will be interpreted as relative.  Specify-
           ing "ago" in a duration may result in unexpected behavior.
    
    
    

    COMMANDS

           add_principal [options] newprinc
                  creates  the principal newprinc, prompting twice for a password.
                  If no policy is specified with the -policy option, and the  pol-
                  icy  named "default" exists, then that policy is assigned to the
                  principal; note that the assignment of the policy "default" only
                  occurs  automatically  when a principal is first created, so the
                  policy "default" must already exist for the assignment to occur.
                  This  assignment of "default" can be suppressed with the -clear-
                  policy option.  This command requires the add  privilege.   This
                  command has the aliases addprinc and ank.  The options are:
    
                  -x db_princ_args
                         Denotes  the  database  specific options. The options for
                         LDAP database are:
    
                         -x dn=<dn>
                                 Specifies the LDAP object that will  contain  the
                                 Kerberos principal being created.
    
                         -x linkdn=<dn>
                                 Specifies the LDAP object to which the newly cre-
                                 ated Kerberos principal object will point to.
    
                         -x containerdn=<container_dn>
                                 Specifies the container object  under  which  the
                                 Kerberos principal is to be created.
    
                  -maxrenewlife maxrenewlife
                         maximum renewable life of tickets for the principal
    
                  -kvno kvno
                         explicitly set the key version number.
    
                  -policy policy
                         policy used by this principal.  If no policy is supplied,
                         then  if the policy "default" exists and the -clearpolicy
                         is not also specified, then the policy "default" is used;
                         otherwise, the principal will have no policy, and a warn-
                         ing message will be printed.
    
                  -clearpolicy
                         -clearpolicy prevents the  policy  "default"  from  being
                         assigned  when -policy is not specified.  This option has
                         no effect if the policy "default" does not exist.
    
                  {-|+}allow_postdated
                         -allow_postdated prohibits this principal from  obtaining
                         postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                         flag.)  +allow_postdated clears this flag.
    
                  {-|+}allow_forwardable
                         -allow_forwardable prohibits this principal from  obtain-
                         ing   forwardable  tickets.   (Sets  the  KRB5_KDB_DISAL-
                         LOW_FORWARDABLE flag.)   +allow_forwardable  clears  this
                         flag.
    
                  {-|+}allow_renewable
                         -allow_renewable  prohibits this principal from obtaining
                         renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                         flag.)  +allow_renewable clears this flag.
    
                  {-|+}allow_proxiable
                         -allow_proxiable  prohibits this principal from obtaining
                         proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                         flag.)  +allow_proxiable clears this flag.
    
                  {-|+}allow_dup_skey
                         -allow_dup_skey  Disables user-to-user authentication for
                         this principal by prohibiting this principal from obtain-
                         ing   a   session   key  for  another  user.   (Sets  the
                         KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                         this flag.
    
                  {-|+}requires_preauth
                         +requires_preauth requires this principal to preauthenti-
                         cate  before  being  allowed   to   kinit.    (Sets   the
                         KRB5_KDB_REQUIRES_PRE_AUTH    flag.)    -requires_preauth
                         clears this flag.
    
                  {-|+}allow_svr
                         -allow_svr prohibits the issuance of service tickets  for
                         this  principal.   (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                         +allow_svr clears this flag.
    
                  {-|+}allow_tgs_req
                         -allow_tgs_req specifies that a  Ticket-Granting  Service
                         (TGS)  request for a service ticket for this principal is
                         not permitted.  This option is useless for  most  things.
                         +allow_tgs_req   clears   this   flag.   The  default  is
                         +allow_tgs_req.   In  effect,  -allow_tgs_req  sets   the
                         KRB5_KDB_DISALLOW_TGT_BASED  flag on the principal in the
                         database.
    
                  {-|+}allow_tix
                         -allow_tix forbids the issuance of any tickets  for  this
                         principal.   +allow_tix clears this flag.  The default is
                         +allow_tix.  In effect, -allow_tix sets the KRB5_KDB_DIS-
                         ALLOW_ALL_TIX flag on the principal in the database.
    
                  {-|+}needchange
                         +needchange  sets  a  flag in attributes field to force a
                         password change; -needchange clears it.  The  default  is
                         -needchange.     In    effect,   +needchange   sets   the
                         KRB5_KDB_REQUIRES_PWCHANGE flag on the principal  in  the
                         database.
    
                  {-|+}password_changing_service
                         +password_changing_service  sets a flag in the attributes
                         field marking this as a password change service principal
                         (useless  for  most  things).  -password_changing_service
                         clears the flag.  This  flag  intentionally  has  a  long
                         name.   The  default  is  -password_changing_service.  In
                         effect,     +password_changing_service      sets      the
                         KRB5_KDB_PWCHANGE_SERVICE  flag  on  the principal in the
                         database.
    
                  -randkey
                         sets the key of the principal to a random value
    
                  -pw password
                         sets the key of the principal to the specified string and
                         does not prompt for a password.  Note:  using this option
                         in a shell script can be dangerous if unauthorized  users
                         gain read access to the script.
    
                  -e "enc:salt ..."
                         uses  the  specified  list  of enctype-salttype pairs for
                         setting the key of the principal.  The quotes are  neces-
                         sary  if there are multiple enctype-salttype pairs.  This
                         will not function against  kadmin  daemons  earlier  than
                         krb5-1.2.

                  EXAMPLE:
                         [...]
                         Re-enter password for principal mwm_user@BLEEP.COM:
                         Principal "mwm_user@BLEEP.COM" created.
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_ADD (requires "add" privilege)
                         KADM5_BAD_MASK (shouldn't happen)
                         KADM5_DUP (principal exists already)
                         KADM5_UNK_POLICY (policy does not exist)
                         KADM5_PASS_Q_* (password quality violations)
    
           delete_principal [-force] principal
                  deletes the specified principal from the database.  This command
                  prompts for deletion, unless the -force option  is  given.  This
                  command requires the delete privilege.  Aliased to delprinc.
    
                  EXAMPLE:
                         kadmin: delprinc mwm_user
                         Are you sure you want to delete the principal
                         "mwm_user@BLEEP.COM"? (yes/no): yes
                         Principal "mwm_user@BLEEP.COM" deleted.
                         Make sure that you have removed this principal from
                         all ACLs before reusing.
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_DELETE (requires "delete" privilege)
                         KADM5_UNK_PRINC (principal does not exist)
    
           modify_principal [options] principal
                  modifies  the specified principal, changing the fields as speci-
                  fied.  The options are as above for add_principal,  except  that
                  password  changing  and  flags  related to password changing are
                  forbidden by this command.  In addition, the option -clearpolicy
                  will  clear  the  current  policy  of a principal.  This command
                  requires the modify privilege.  Aliased to modprinc.
    
                  -x db_princ_args
                         Denotes the database specific options.  The  options  for
                         LDAP database are:
    
                         -x tktpolicy=<policy>
                                 Associates  a ticket policy to the Kerberos prin-
                                 cipal.
    
                         -x linkdn=<dn>
                                 Associates  a  Kerberos  principal  with  a  LDAP
                                 object.  This  option is honored only if the Ker-
                                 beros principal is not already associated with  a
                                 LDAP object.

           change_password [options] principal
                  changes  the  password of principal.  Prompts for a new password
                  if neither -randkey nor -pw is specified.  Requires the changepw
                  privilege, or that the principal running the program be the same
                  as the one changed.  Aliased to cpw.  The following options  are
                  available:
    
                  -randkey
                         sets the key of the principal to a random value
    
                  -pw password
                         set  the  password  to  the specified string.  Not recom-
                         mended.
    
                  -e "enc:salt ..."
                         uses the specified list  of  enctype-salttype  pairs  for
                         setting  the key of the principal.  The quotes are neces-
                         sary if there are multiple enctype-salttype pairs.   This
                         will  not  function  against  kadmin daemons earlier than
                         krb5-1.2.
    
                  -keepold
                         Keeps the previous kvno's keys around.  This flag is usu-
                         ally  not  necessary  except perhaps for TGS keys.  Don't
                         use this flag unless you know  what  you're  doing.  This
                         option is not supported for the LDAP database.
    
                  EXAMPLE:
                         kadmin: cpw systest
                         Enter password for principal systest@BLEEP.COM:
                         Re-enter password for principal systest@BLEEP.COM:
                         Password for systest@BLEEP.COM changed.
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_MODIFY (requires the modify privilege)
                         KADM5_UNK_PRINC (principal does not exist)
                         KADM5_PASS_Q_* (password policy violation errors)
                         KADM5_PASS_REUSE (password is in principal's password
                         history)
                         KADM5_PASS_TOOSOON (current password minimum life not
                         expired)
    
           purgekeys [-keepkvno oldest_kvno_to_keep] principal
                  purges  previously retained old keys (e.g., from change_password
                  -keepold) from principal.  If -keepkvno is specified, then  only
                  purges keys with kvnos lower than oldest_kvno_to_keep.
    
           get_principal [-terse] principal
                  gets  the  attributes of principal.  Requires the inquire privi-
                  lege, or that the principal running the program be the same  as
                  the one being listed.  With the -terse option, outputs fields as
                  quoted tab-separated strings.  Alias getprinc.

                  EXAMPLE:
                         [...]
                         Number of keys: 2
                         Key: vno 1, DES cbc mode with CRC-32, no salt
                         Key: vno 1, DES cbc mode with CRC-32, Version 4
                         Attributes:
                         Policy: [none]
                         kadmin: getprinc -terse systest
                         systest@BLEEP.COM   3    86400     604800    1
                         785926535 753241234 785900000
                         tlyu/admin@BLEEP.COM     786100034 0    0
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_GET (requires the get (inquire) privilege)
                         KADM5_UNK_PRINC (principal does not exist)
    
           list_principals [expression]
                  Retrieves  all  or some principal names.  Expression is a shell-
                  style glob expression that can contain the wild-card  characters
                  ?, *, and []'s.  All principal names matching the expression are
                  printed.  If no expression is provided, all principal names  are
                  printed.   If  the expression does not contain an "@" character,
                  an "@" character followed by the local realm is appended to  the
                  expression.   Requires  the  list  privilege.  Alias listprincs,
                  get_principals, get_princs.
    
                  EXAMPLES:
                         kadmin:  listprincs test*
                         test3@SECURE-TEST.OV.COM
                         test2@SECURE-TEST.OV.COM
                         test1@SECURE-TEST.OV.COM
                         testuser@SECURE-TEST.OV.COM
                         kadmin:
    
           get_strings principal
                  displays string attributes on principal.  String attributes  are
                  used  to  supply  per-principal configuration to some KDC plugin
                  modules.  Alias getstrs.
    
           set_string principal key value
                  sets a string attribute on principal.  Alias setstr.
    
           del_string principal key
                  deletes a string attribute from principal.  Alias delstr.
    
           add_policy [options] policy
                  adds the named policy to the policy database.  Requires the  add
                  privilege.  Aliased to addpol.  The following options are avail-
                  able:
    
                  -maxlife time
                         sets the maximum lifetime of a password
    
                  -maxfailure maxnumber
                         sets the maximum number of authentication failures before
                         the  principal  is  locked.   Authentication failures are
                         only tracked for principals which require  preauthentica-
                         tion.
    
                  -failurecountinterval failuretime
                         sets  the allowable time between authentication failures.
                         If an authentication failure  happens  after  failuretime
                         has  elapsed  since  the  previous failure, the number of
                         authentication failures is reset to 1.  A  failure  count
                         interval of 0 means forever.
    
                  -lockoutduration lockouttime
                         sets  the duration for which the principal is locked from
                         authenticating if too many authentication failures  occur
                         without the specified failure count interval elapsing.  A
                         duration of 0 means forever.
    
                  EXAMPLES:
                         kadmin: add_policy -maxlife "2 days" -minlength 5 guests
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_ADD (requires the add privilege)
                         KADM5_DUP (policy already exists)
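The interaction of -maxfailure, -failurecountinterval and -lockoutduration, as an added Python model that is not part of kadmin or MIT Kerberos: it replays a sequence of failed authentications against a policy and reports when the principal becomes locked and when it may try again. The rule that a failure after an expired timed lockout starts a fresh count is this example's assumption, as are the policy values and timestamps used.

```python
"""Model of the kadmin(1) add_policy lockout options."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FOREVER = 0  # kadmin uses 0 for "forever" in -failurecountinterval and -lockoutduration


@dataclass
class LockoutPolicy:
    max_failure: int             # -maxfailure: failures before the principal is locked (0 = no lockout)
    failure_count_interval: int  # -failurecountinterval, in seconds (0 = forever)
    lockout_duration: int        # -lockoutduration, in seconds (0 = forever)


@dataclass
class PrincipalState:
    requires_preauth: bool       # failures are only tracked for +requires_preauth principals
    fail_count: int = 0
    last_failure: Optional[int] = None  # epoch seconds of the previous failure
    locked_at: Optional[int] = None     # epoch seconds at which the lockout began


def is_locked(policy: LockoutPolicy, state: PrincipalState, now: int) -> bool:
    """True while the principal may not authenticate at epoch second `now`."""
    if state.locked_at is None:
        return False
    if policy.lockout_duration == FOREVER:
        return True
    return now < state.locked_at + policy.lockout_duration


def record_failure(policy: LockoutPolicy, state: PrincipalState, now: int) -> bool:
    """Apply one failed authentication at `now`; return the lock status afterwards."""
    if not state.requires_preauth or policy.max_failure == 0:
        return False                      # nothing is tracked for this principal
    if is_locked(policy, state, now):
        return True                       # attempt refused; the count does not change
    if state.locked_at is not None:
        # Assumption of this model (not stated in the man page): once a timed
        # lockout has expired, the next failure starts a fresh count.
        state.locked_at = None
        state.fail_count = 0
    elif (policy.failure_count_interval != FOREVER
          and state.last_failure is not None
          and now - state.last_failure >= policy.failure_count_interval):
        # failure after failuretime elapsed: "the number of ... failures is reset to 1"
        state.fail_count = 0
    state.fail_count += 1
    state.last_failure = now
    if state.fail_count >= policy.max_failure:
        state.locked_at = now             # too many failures within the interval
        return True
    return False


def simulate(policy: LockoutPolicy, requires_preauth: bool,
             failure_times: List[int]) -> List[Tuple[int, int, bool]]:
    """Replay failures in time order; return (time, failure count, locked?) after each."""
    state = PrincipalState(requires_preauth=requires_preauth)
    trace = []
    for t in failure_times:
        locked = record_failure(policy, state, t)
        trace.append((t, state.fail_count, locked))
    return trace


if __name__ == "__main__":
    # Constructed scenario: lock after 3 failures within 10 minutes, for 30 minutes.
    policy = LockoutPolicy(max_failure=3, failure_count_interval=600, lockout_duration=1800)
    for t, count, locked in simulate(policy, True, [0, 100, 1000, 1100, 1200, 1500, 3100]):
        print(f"t={t:5d}  failures={count}  locked={locked}")
```

The third failure at t=1000 lands 900 s after the previous one, past the 600 s interval, so the count restarts at 1 and the lock only triggers at t=1200; while a 0 duration keeps the principal locked until an administrator intervenes.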
    
           delete_policy [-force] policy
                  deletes the named policy.  Prompts for confirmation before dele-
                  tion.   The  command  will  fail  if the policy is in use by any
                  principals.  Requires the delete privilege.  Alias delpol.
    
                  EXAMPLE:
                         kadmin: del_policy guests
                         Are you sure you want to delete the policy "guests"?
                         (yes/no): yes
                         kadmin:
    
                  ERRORS:
                         KADM5_AUTH_DELETE (requires the delete privilege)
                         KADM5_UNK_POLICY (policy does not exist)
                         KADM5_POLICY_REF (reference count on policy is not zero)
    
           modify_policy [options] policy
                  modifies the named policy.  Options are as above for add_policy.
                  Requires the modify privilege.  Alias modpol.
    
                  ERRORS:
                         KADM5_AUTH_MODIFY (requires the modify privilege)

           get_policy [-terse] policy
                  [...]

                  EXAMPLE:
                         [...]
                         Number of old keys kept: 5
                         Reference count: 17
                         kadmin: get_policy -terse admin
                         admin     15552000  0    6    2    5    17
                         kadmin:

                  ERRORS:
                         KADM5_AUTH_GET (requires the get privilege)
                         KADM5_UNK_POLICY (policy does not exist)
    
           list_policies [expression]
                  Retrieves all or some policy names.  Expression is a shell-style
                  glob expression that can contain the wild-card characters ?,  *,
                  and []'s.  All policy names matching the expression are printed.
                  If no expression is provided,  all  existing  policy  names  are
                  printed.    Requires   the   list  privilege.   Alias  listpols,
                  get_policies, getpols.
    
                  EXAMPLES:
                         kadmin:  listpols
                         test-pol
                         dict-only
                         once-a-min
                         test-pol-nopw
                         kadmin:  listpols t*
                         test-pol
                         test-pol-nopw
                         kadmin:
    
           ktadd [-k keytab] [-q] [-e keysaltlist]
                  [-norandkey] [[principal | -glob princ-exp] [...]
                  Adds a principal or  all  principals  matching  princ-exp  to  a
                  keytab.   It  randomizes each principal's key in the process, to
                  prevent a compromised admin account from reading out all of  the
                  keys  from the database.  However, kadmin.local has the -norand-
                  key option, which leaves the  keys  and  their  version  numbers
                  unchanged,  similar to the Kerberos V4 ext_srvtab command.  That
                  allows users to continue to use the passwords they know to log in
                  normally, while simultaneously allowing scripts to log in to  the
                  same account using a keytab.  There is no  significant  security
                  risk  added  since  kadmin.local  must be run by root on the KDC
                  anyway.
    
                  Requires the inquire and changepw privileges.  An entry for each
                  of  the  principal's  unique encryption types is added, ignoring
                  multiple keys with the same encryption type but  different  salt
                  types.   If the -k argument is not specified, the default keytab
                  /etc/krb5.keytab is used.  If the -q option is  specified,  less
                  verbose status information is displayed.
    
                  The -glob option requires the list privilege.  princ-exp follows
                  [...]

           ktremove [-k keytab] [-q] principal [kvno | old]
                  [...] principal are removed; if the string "old" is specified, all
                  entries for that principal except those with  the  highest  kvno
                  are  removed.   Otherwise,  the  value specified is parsed as an
                  integer, and all entries  whose  kvno  match  that  integer  are
                  removed.   If  the  -k  argument  is  not specified, the default
                  keytab /etc/krb5.keytab is used.  If the -q option is specified,
                  less verbose status information is displayed.
    
                  EXAMPLE:
                         kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
                         Entry for principal kadmin/admin with kvno 3 removed
                              from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
                         kadmin:
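The ktadd and ktremove behaviour described above, as an added Python model that is not part of MIT Kerberos: keytab entries are keyed on enctype only, so the two DES keys that differ only in salt type in the getprinc example earlier on this page collapse to one entry, and ktremove with "old" keeps only the highest kvno. Representing key randomization as kvno + 1, and the principal names used, are this example's assumptions.

```python
"""Model of ktadd / ktremove keytab maintenance as described in kadmin(1)."""
from dataclasses import dataclass
from typing import List, Union


@dataclass(frozen=True)
class KeytabEntry:
    principal: str
    kvno: int
    enctype: str


@dataclass(frozen=True)
class DbKey:
    """One 'Key:' line of getprinc output, e.g. 'Key: vno 1, DES cbc mode with CRC-32, no salt'."""
    kvno: int
    enctype: str
    salt: str


# Constructed from the getprinc example on this page.
GETPRINC_OUTPUT = """\
Number of keys: 2
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]
"""


def parse_getprinc_keys(output: str) -> List[DbKey]:
    """Extract the principal's keys from getprinc output."""
    keys = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("Key: vno "):
            continue
        vno, enctype, salt = (p.strip() for p in line[len("Key: "):].split(",", 2))
        keys.append(DbKey(int(vno.split()[1]), enctype, salt))
    return keys


def ktadd(keytab: List[KeytabEntry], principal: str, db_keys: List[DbKey],
          norandkey: bool = False) -> List[KeytabEntry]:
    """Add one entry per unique enctype, ignoring keys that differ only in salt type.
    Unless -norandkey is given the key is randomized; this model represents the
    new key as kvno + 1 (an assumption of the example, not a documented rule)."""
    kvno = max(k.kvno for k in db_keys)
    if not norandkey:
        kvno += 1
    added: List[KeytabEntry] = []
    for key in db_keys:
        if any(e.enctype == key.enctype for e in added):
            continue                       # same enctype, different salt: skipped
        entry = KeytabEntry(principal, kvno, key.enctype)
        keytab.append(entry)
        added.append(entry)
    return added


def ktremove(keytab: List[KeytabEntry], principal: str,
             which: Union[int, str]) -> List[KeytabEntry]:
    """'old' removes every entry for principal except those with the highest kvno;
    an integer removes the entries whose kvno equals it.  Returns what was removed."""
    mine = [e for e in keytab if e.principal == principal]
    if which == "old":
        highest = max((e.kvno for e in mine), default=None)
        doomed = [e for e in mine if e.kvno != highest]
    else:
        doomed = [e for e in mine if e.kvno == int(which)]
    for entry in doomed:
        keytab.remove(entry)
    return doomed


def demo():
    """Constructed walk-through: two ktadd runs for 'systest', then 'ktremove old'."""
    keytab: List[KeytabEntry] = []
    first = ktadd(keytab, "systest", parse_getprinc_keys(GETPRINC_OUTPUT))  # kvno 2
    second = ktadd(keytab, "systest",
                   [DbKey(2, "DES cbc mode with CRC-32", "no salt")])      # kvno 3
    removed = ktremove(keytab, "systest", "old")   # drops the kvno 2 entry
    return keytab, first, second, removed
```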
    
    
    

    FILES

           principal.db         default name for Kerberos principal database
    
           <dbname>.kadm5       KADM5  administrative  database.   (This  would be
                                "principal.kadm5", if you use the default database
                                name.)  Contains policy information.
    
           <dbname>.kadm5.lock  lock  file  for the KADM5 administrative database.
                                This file works backwards  from  most  other  lock
                                files.   I.e.,  kadmin  will exit with an error if
                                this file does not exist.
    
           Note:                The  above  three  files  are  specific   to   db2
                                database.
    
           kadm5.acl            file  containing list of principals and their kad-
                                min administrative privileges.  See kadmind(8) for
                                a description.
    
           kadm5.keytab         keytab file for kadmin/admin principal.
    
           kadm5.dict           file  containing  dictionary of strings explicitly
                                disallowed as passwords.
    
    
    

    HISTORY

           The kadmin program was originally written by  Tom  Yu  at  MIT,  as  an
           interface to the OpenVision Kerberos administration program.
    
    
    

    SEE ALSO

           kerberos(1), kpasswd(1), kadmind(8)
    
    
    

    BUGS

           Command output needs to be cleaned up.
    
                                                                         KADMIN(1)
    
webmaster@linuxguruz.com
Copyright © 1999 - 2016 by LinuxGuruz