kadmin.8
.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan
.\" (Royal Institute of Technology, Stockholm, Sweden).
.\" All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\"
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\"
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\"
.\" 3. Neither the name of the Institute nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $Id$
.\"
.Dd Feb 22, 2007
.Dt KADMIN 8
.Os HEIMDAL
.Sh NAME
.Nm kadmin
.Nd Kerberos administration utility
.Sh SYNOPSIS
.Nm
.Bk -words
.Op Fl p Ar string \*(Ba Fl Fl principal= Ns Ar string
.Op Fl K Ar string \*(Ba Fl Fl keytab= Ns Ar string
.Op Fl c Ar file \*(Ba Fl Fl config-file= Ns Ar file
.Op Fl k Ar file \*(Ba Fl Fl key-file= Ns Ar file
.Op Fl r Ar realm \*(Ba Fl Fl realm= Ns Ar realm
.Op Fl a Ar host \*(Ba Fl Fl admin-server= Ns Ar host
.Op Fl s Ar port number \*(Ba Fl Fl server-port= Ns Ar port number
.Op Fl l | Fl Fl local
.Op Fl h | Fl Fl help
.Op Fl v | Fl Fl version
.Op Ar command
.Ek
.Sh DESCRIPTION
The
.Nm
program is used to make modifications to the Kerberos database, either
remotely via the
.Xr kadmind 8
daemon, or locally (with the
.Fl l
option).
.Pp
Supported options:
.Bl -tag -width Ds
.It Fl p Ar string , Fl Fl principal= Ns Ar string
principal to authenticate as
.It Fl K Ar string , Fl Fl keytab= Ns Ar string
keytab for authentication principal
.It Fl c Ar file , Fl Fl config-file= Ns Ar file
location of config file
.It Fl k Ar file , Fl Fl key-file= Ns Ar file
location of master key file
.It Fl r Ar realm , Fl Fl realm= Ns Ar realm
realm to use
.It Fl a Ar host , Fl Fl admin-server= Ns Ar host
server to contact
.It Fl s Ar port number , Fl Fl server-port= Ns Ar port number
port to use
.It Fl l , Fl Fl local
local admin mode
.El
.Pp
If no
.Ar command
is given on the command line,
.Nm
will prompt for commands to process. Some of the commands that take
one or more principals as argument
.Ns ( Nm delete ,
.Nm ext_keytab ,
.Nm get ,
.Nm modify ,
and
.Nm passwd )
will accept a glob style wildcard, and perform the operation on all
matching principals.
.Pp
Commands include:
.\" not using a list here, since groff apparently gets confused
.\" with nested Xo/Xc
.Pp
.Nm add
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Op Fl p Ar string \*(Ba Fl Fl password= Ns Ar string
.Op Fl Fl key= Ns Ar string
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl attributes= Ns Ar attributes
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Ar principal...
.Bd -ragged -offset indent
Adds a new principal to the database. The options not passed on the
command line will be prompted for.
.Ed
.Pp
.Nm add_enctype
.Op Fl r | Fl Fl random-key
.Ar principal enctypes...
.Pp
.Bd -ragged -offset indent
Adds a new encryption type to the principal; only random keys are
supported.
.Ed
.Pp
.Nm delete
.Ar principal...
.Bd -ragged -offset indent
Removes a principal.
.Ed
.Pp
.Nm del_enctype
.Ar principal enctypes...
.Bd -ragged -offset indent
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
.Ed
.Pp
.Nm ext_keytab
.Oo Fl k Ar string \*(Ba Xo
.Fl Fl keytab= Ns Ar string
.Xc
.Oc
.Ar principal...
.Bd -ragged -offset indent
Creates a keytab with the keys of the specified principals. Requires
get-keys rights.
.Ed
.Pp
.Nm get
.Op Fl l | Fl Fl long
.Op Fl s | Fl Fl short
.Op Fl t | Fl Fl terse
.Op Fl o Ar string | Fl Fl column-info= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Lists the matching principals; short prints the result as a table,
while long format produces a more verbose output. Which columns to
print can be selected with the
.Fl o
option.
The argument is a comma-separated list of column names,
optionally followed by an equal sign
.Pq Sq =
and a column header. Which columns are printed by default differs
slightly between short and long output.
.Pp
The default terse output format is similar to
.Fl s o Ar principal= ,
just printing the names of matched principals.
.Pp
Possible column names include:
.Li principal ,
.Li princ_expire_time ,
.Li pw_expiration ,
.Li last_pwd_change ,
.Li max_life ,
.Li max_rlife ,
.Li mod_time ,
.Li mod_name ,
.Li attributes ,
.Li kvno ,
.Li mkvno ,
.Li last_success ,
.Li last_failed ,
.Li fail_auth_count ,
.Li policy ,
and
.Li keytypes .
.Ed
.Pp
.Nm modify
.Oo Fl a Ar attributes \*(Ba Xo
.Fl Fl attributes= Ns Ar attributes
.Xc
.Oc
.Op Fl Fl max-ticket-life= Ns Ar lifetime
.Op Fl Fl max-renewable-life= Ns Ar lifetime
.Op Fl Fl expiration-time= Ns Ar time
.Op Fl Fl pw-expiration-time= Ns Ar time
.Op Fl Fl kvno= Ns Ar number
.Ar principal...
.Bd -ragged -offset indent
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it will
only change the ones specified.
.Pp
Possible attributes are:
.Li new-princ ,
.Li support-desmd5 ,
.Li pwchange-service ,
.Li disallow-svr ,
.Li requires-pw-change ,
.Li requires-hw-auth ,
.Li requires-pre-auth ,
.Li disallow-all-tix ,
.Li disallow-dup-skey ,
.Li disallow-proxiable ,
.Li disallow-renewable ,
.Li disallow-tgt-based ,
.Li disallow-forwardable ,
.Li disallow-postdated
.Pp
Attributes may be negated with a "-", e.g.,
.Pp
kadmin -l modify -a -disallow-proxiable user
.Ed
.Pp
.Nm passwd
.Op Fl Fl keepold
.Op Fl r | Fl Fl random-key
.Op Fl Fl random-password
.Oo Fl p Ar string \*(Ba Xo
.Fl Fl password= Ns Ar string
.Xc
.Oc
.Op Fl Fl key= Ns Ar string
.Ar principal...
.Bd -ragged -offset indent
Changes the password of an existing principal.
.Ed
.Pp
.Nm password-quality
.Ar principal
.Ar password
.Bd -ragged -offset indent
Runs the password quality check function locally.
You can run this on the host that is configured to run the kadmind
process to verify that your configuration file is correct.
The verification is done locally; if kadmin is run in remote mode,
no RPC call is made to the server.
.Ed
.Pp
.Nm privileges
.Bd -ragged -offset indent
Lists the operations you are allowed to perform. These include
.Li add ,
.Li add_enctype ,
.Li change-password ,
.Li delete ,
.Li del_enctype ,
.Li get ,
.Li get-keys ,
.Li list ,
and
.Li modify .
.Ed
.Pp
.Nm rename
.Ar from to
.Bd -ragged -offset indent
Renames a principal. This is normally transparent, but since keys are
salted with the principal name, they will have a non-standard salt,
and clients which are unable to cope with this will fail. Kerberos 4
suffers from this.
.Ed
.Pp
.Nm check
.Op Ar realm
.Pp
.Bd -ragged -offset indent
Checks the database for strange configurations on important principals. If
no realm is given, the default realm is used.
.Ed
.Pp
When running in local mode, the following commands can also be used:
.Pp
.Nm dump
.Op Fl d | Fl Fl decrypt
.Op Ar dump-file
.Bd -ragged -offset indent
Writes the database in
.Dq human readable
form to the specified file, or standard output. If the database is
encrypted, the dump will also have encrypted keys, unless
.Fl Fl decrypt
is used.
.Ed
.Pp
.Nm init
.Op Fl Fl realm-max-ticket-life= Ns Ar string
.Op Fl Fl realm-max-renewable-life= Ns Ar string
.Ar realm
.Bd -ragged -offset indent
Initializes the Kerberos database with entries for a new realm. It's
possible to have more than one realm served by one server.
.Ed
.Pp
.Nm load
.Ar file
.Bd -ragged -offset indent
Reads a previously dumped database, and re-creates that database from
scratch.
.Ed
.Pp
.Nm merge
.Ar file
.Bd -ragged -offset indent
Similar to
.Nm load
but just modifies the database with the entries in the dump file.
.Ed
.Pp
.Nm stash
.Oo Fl e Ar enctype \*(Ba Xo
.Fl Fl enctype= Ns Ar enctype
.Xc
.Oc
.Oo Fl k Ar keyfile \*(Ba Xo
.Fl Fl key-file= Ns Ar keyfile
.Xc
.Oc
.Op Fl -convert-file
.Op Fl -master-key-fd= Ns Ar fd
.Op Fl -random-password
.Op Fl -no-print-password
.Pp
.Bd -ragged -offset indent
Writes the Kerberos master key to a file used by the KDC.
.Ed
.\".Sh ENVIRONMENT
.\".Sh FILES
.\".Sh EXAMPLES
.\".Sh DIAGNOSTICS
.Sh SEE ALSO
.Xr kadmind 8 ,
.Xr kdc 8
.\".Sh STANDARDS
.\".Sh HISTORY
.\".Sh AUTHORS
.\".Sh BUGS
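As an added example (not part of the Heimdal man page), a local-mode provisioning script that strings the commands documented above together: realm init, a user principal that must pre-authenticate, a service principal with a random key exported to a keytab, an attribute change, and a final check. The realm name, principal names, keytab path, time strings and the DRY_RUN variable are assumptions; with DRY_RUN=1 (the default here) each kadmin command is printed instead of executed.

```shell
#!/bin/sh
# Added example: local-mode (kadmin -l) bootstrap of a small realm.
# Assumed values: REALM, KEYTAB and the principal names below.
set -eu

REALM="${REALM:-EXAMPLE.ORG}"          # assumed realm name
KEYTAB="${KEYTAB:-/tmp/host.keytab}"   # assumed keytab output path
DRY_RUN="${DRY_RUN:-1}"                # 1 = print commands, 0 = run them

# Run one kadmin command in local mode, or print it under DRY_RUN.
kadm() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'kadmin -l %s\n' "$*"
    else
        kadmin -l "$@"
    fi
}

# Emits (or runs) the six kadmin invocations that build the realm.
provision_realm() {
    # New realm with bounded ticket and renewable lifetimes.
    kadm init --realm-max-ticket-life="1 day" \
        --realm-max-renewable-life="1 week" "$REALM"
    # Human user: pre-authentication required, random initial password.
    kadm add --random-password --attributes=requires-pre-auth "alice@$REALM"
    # Service principal: random key only, so no password is ever typed.
    kadm add --random-key --max-ticket-life="1 day" "host/kdc.$REALM@$REALM"
    # Export the service key to a keytab (requires get-keys rights).
    kadm ext_keytab -k "$KEYTAB" "host/kdc.$REALM@$REALM"
    # A user key should never be accepted as a service key.
    kadm modify -a disallow-svr "alice@$REALM"
    # Sanity check of the important principals in the realm.
    kadm check "$REALM"
}

case "${1:-}" in
    run) provision_realm ;;
esac
```

Run the script with `run` as its first argument; set DRY_RUN=0 on the KDC host to execute against the local database instead of printing.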