KADMIN(8)                                                            KADMIN(8)



NAME
       kadmin - Kerberos V5 database administration program

SYNOPSIS
       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
              [-c cachename] [-k [-t keytab]] [-w password]
              [-s admin_server[:port]]

       kadmin.local    [-r realm] [-p principal] [-q query]
                       [-d dbname] [-e "enc:salt ..."] [-m]

DESCRIPTION
       kadmin and kadmin.local are command-line interfaces to the Kerberos V5
       KADM5 administration system.  Both kadmin and kadmin.local provide
       identical functionality; the difference is that kadmin.local runs on
       the master KDC and does not use Kerberos to authenticate to the
       database.  Except as explicitly noted otherwise, this man page will use
       kadmin to refer to both versions.  kadmin provides for the maintenance
       of Kerberos principals, KADM5 policies, and service key tables
       (keytabs).

       The remote version uses Kerberos authentication and an encrypted RPC
       to operate securely from anywhere on the network.  It authenticates to
       the KADM5 server using the service principal kadmin/admin.  If the
       credentials cache contains a ticket for the kadmin/admin principal, and
       the -c credentials_cache option is specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options are used to
       specify the client Kerberos principal name used to authenticate.  Once
       kadmin has determined the principal name, it requests a kadmin/admin
       Kerberos service ticket from the KDC, and uses that service ticket to
       authenticate to KADM5.

       The local client, kadmin.local, is intended to run directly on the
       master KDC without Kerberos authentication.  The local version provides
       all of the functionality of the now obsolete kdb5_edit(8), except for
       database dump and load, which is now provided by the kdb5_util(8)
       utility.


OPTIONS
       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise,  kadmin  will  append
              "/admin"  to  the  primary principal name of the default ccache,
              the value of the USER environment variable, or the  username  as
              obtained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response instead of prompting
              for a password on the TTY.  In this case, the default principal
              will be host/hostname.  If there is not a keytab specified with
              the -t option, then the default keytab will be used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only  be  used
              with the -k option.

       -c credentials_cache
              Use credentials_cache as the credentials cache.  The
              credentials cache should contain a service ticket for the
              kadmin/admin service; it can be acquired with the kinit(1)
              program.  If this option is not specified, kadmin requests a
              new service ticket from the KDC, and stores it in its own
              temporary ccache.

       -w password
              Use password instead of prompting for one on the TTY.  Note:
              placing the password for a Kerberos principal with
              administration access into a shell script can be dangerous if
              unauthorized users gain read access to the script.

       -q query
              Pass query directly to kadmin, which will perform query and then
              exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the Kerberos database.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     Do not authenticate using a keytab.  This option will cause
              kadmin to prompt for the master database password.

       -e "enc:salt ..."
              Sets the list of encryption types and salt types to be used for
              any new keys created.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

DATE FORMAT
       Various commands in kadmin can take a variety of date formats, specify-
       ing durations or absolute times.  Examples of valid formats are:

              1 month ago
              2 hours ago
              400000 seconds ago
              last year
              this Monday
              next Monday
              yesterday
              tomorrow
              now
              second Monday
              a fortnight ago
              3/31/92 10:00:07 PST
              January 23, 1987 10:05pm
              22:00 GMT

       Dates which do not have the "ago" specifier default to  being  absolute
       dates,  unless they appear in a field where a duration is expected.  In
       that case the time specifier will be interpreted as relative.  Specify-
       ing "ago" in a duration may result in unexpected behavior.


COMMANDS
       addprincipal [options] newprinc
              creates  the principal newprinc, prompting twice for a password.
              If no policy is specified with the -policy option, and the  pol-
              icy  named "default" exists, then that policy is assigned to the
              principal; note that the assignment of the policy "default" only
              occurs  automatically  when a principal is first created, so the
              policy "default" must already exist for the assignment to occur.
              This assignment of "default" can be suppressed with the
              -clearpolicy option.  This command requires the add privilege.
              This command has the aliases addprinc and ank.  The options are:

              -expire expdate
                     expiration date of the principal

              -pwexpire pwexpdate
                     password expiration date

              -maxlife maxlife
                     maximum ticket life for the principal

              -maxrenewlife maxrenewlife
                     maximum renewable life of tickets for the principal

              -kvno kvno
                     explicitly set the key version number.

              -policy policy
                     policy used by this principal.  If no policy is supplied,
                     then if the policy "default" exists and the  -clearpolicy
                     is not also specified, then the policy "default" is used;
                     otherwise, the principal will have no policy, and a warn-
                     ing message will be printed.

              -clearpolicy
                     -clearpolicy  prevents  the  policy  "default" from being
                     assigned when -policy is not specified.  This option  has
                     no effect if the policy "default" does not exist.

              {-|+}allow_postdated
                     -allow_postdated prohibits this principal from obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits this principal from
                     obtaining forwardable tickets.  (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits this principal from obtaining
                     renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits this principal from obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     this principal by prohibiting this principal from
                     obtaining a session key for another user.  (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth requires this principal to
                     preauthenticate before being allowed to kinit.  (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH flag.)  -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires this principal to
                     preauthenticate using a hardware device before being
                     allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     this principal.  (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for this principal is
                     not permitted.  This option is useless for most things.
                     +allow_tgs_req clears this flag.  The default is
                     +allow_tgs_req.  In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for this
                     principal.  +allow_tix clears this flag.  The default is
                     +allow_tix.  In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it.  The default is
                     -needchange.  In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking this as a password change service principal
                     (useless for most things).  -password_changing_service
                     clears the flag.  This flag intentionally has a long
                     name.  The default is -password_changing_service.  In
                     effect, +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
                     database.

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     sets the key of the principal to the specified string and
                     does not prompt for a password.  Note:  using this option
                     in a shell script can be dangerous if unauthorized  users
                     gain read access to the script.

              -e "enc:salt ..."
                     uses  the  specified  list  of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are  neces-
                     sary  if there are multiple enctype-salttype pairs.  This
                     will not function against  kadmin  daemons  earlier  than
                     krb5-1.2.

              EXAMPLE:
                     kadmin: addprinc tlyu/admin
                     WARNING: no policy specified for "tlyu/admin@BLEP.COM";
                     defaulting to no policy.
                     Enter password for principal tlyu/admin@BLEP.COM:
                     Re-enter password for principal tlyu/admin@BLEP.COM:
                     Principal "tlyu/admin@BLEP.COM" created.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires "add" privilege)
                     KADM5_BAD_MASK (shouldn't happen)
                     KADM5_DUP (principal exists already)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_PASS_Q_* (password quality violations)

       deleteprincipal [-force] principal
              deletes the specified principal from the database.  This command
              prompts for deletion, unless the -force option  is  given.  This
              command requires the delete privilege.  Aliased to delprinc.


              EXAMPLE:
                     kadmin: delprinc mwmuser
                     Are you sure you want to delete the principal
                     "mwmuser@BLEP.COM"? (yes/no): yes
                     Principal "mwmuser@BLEP.COM" deleted.
                     Make sure that you have removed this principal from
                     all ACLs before reusing.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires "delete" privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       modifyprincipal [options] principal
              modifies  the specified principal, changing the fields as speci-
              fied.  The options are as above for addprincipal,  except  that
              password  changing  and  flags  related to password changing are
              forbidden by this command.  In addition, the option -clearpolicy
              will  clear  the  current  policy  of a principal.  This command
              requires the modify privilege.  Aliased to modprinc.


              ERRORS:
                     KADM5_AUTH_MODIFY (requires "modify" privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_BAD_MASK (shouldn't happen)

       changepassword [options] principal
              changes the password of principal.  Prompts for a new password
              if neither -randkey nor -pw is specified.  Requires the changepw
              privilege, or that the principal that is running the program be
              the same as the one changed.  Aliased to cpw.  The following
              options are available:

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     set the password to the  specified  string.   Not  recom-
                     mended.

              -e "enc:salt ..."
                     uses  the  specified  list  of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are  neces-
                     sary  if there are multiple enctype-salttype pairs.  This
                     will not function against  kadmin  daemons  earlier  than
                     krb5-1.2.

              -keepold
                     Keeps  the previous kvno's keys around.  There is no easy
                     way to delete the old keys, and this flag is usually  not
                     necessary  except  perhaps  for TGS keys.  Don't use this
                     flag unless you know what you're doing.

              EXAMPLE:
                     kadmin: cpw systest
                     Enter password for principal systest@BLEP.COM:
                     Re-enter password for principal systest@BLEP.COM:
                     Password for systest@BLEP.COM changed.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_PASS_Q_* (password policy violation errors)
                     KADM5_PASS_REUSE (password is in principal's password
                     history)
                     KADM5_PASS_TOOSOON (current password minimum life not
                     expired)

       getprincipal [-terse] principal
              gets the attributes of principal.  Requires the inquire
              privilege, or that the principal that is running the program be
              the same as the one being listed.  With the -terse option,
              outputs fields as quoted tab-separated strings.  Alias getprinc.


              EXAMPLES:
                     kadmin: getprinc tlyu/admin
                     Principal: tlyu/admin@BLEP.COM
                     Expiration date: [never]
                     Last password change: Mon Aug 12 14:16:47 EDT 1996
                     Password expiration date: [none]
                     Maximum ticket life: 0 days 10:00:00
                     Maximum renewable life: 7 days 00:00:00
                     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEP.COM)
                     Last successful authentication: [never]
                     Last failed authentication: [never]
                     Failed password attempts: 0
                     Number of keys: 2
                     Key: vno 1, DES cbc mode with CRC-32, no salt
                     Key: vno 1, DES cbc mode with CRC-32, Version 4
                     Attributes:
                     Policy: [none]
                     kadmin: getprinc -terse systest
                     systest@BLEP.COM   3    86400     604800    1
                     785926535 753241234 785900000
                     tlyu/admin@BLEP.COM     786100034 0    0
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get (inquire) privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       listprincipals [expression]
              Retrieves all or some principal names.  Expression is a shell-
              style glob expression that can contain the wild-card characters
              ?, *, and []'s.  All principal names matching the expression are
              printed.  If no expression is provided, all principal names are
              printed.  If the expression does not contain an "@" character,
              an "@" character followed by the local realm is appended to the
              expression.  Requires the list privilege.  Alias listprincs,
              getprincipals, getprincs.

              EXAMPLES:
                     kadmin:  listprincs test*
                     test3@SECURE-TEST.OV.COM
                     test2@SECURE-TEST.OV.COM
                     test1@SECURE-TEST.OV.COM
                     testuser@SECURE-TEST.OV.COM
                     kadmin:

       addpolicy [options] policy
              adds  the named policy to the policy database.  Requires the add
              privilege.  Aliased to addpol.  The following options are avail-
              able:

              -maxlife time
                     sets the maximum lifetime of a password

              -minlife time
                     sets the minimum lifetime of a password

              -minlength length
                     sets the minimum length of a password

              -minclasses number
                     sets the minimum number of character classes allowed in a
                     password

              -history number
                     sets the number of past keys kept for a principal


              ERRORS:
                     KADM5_AUTH_ADD (requires the add privilege)
                     KADM5_DUP (policy already exists)

       deletepolicy [-force] policy
              deletes the named policy.  Prompts for confirmation before dele-
              tion.   The  command  will  fail  if the policy is in use by any
              principals.  Requires the delete privilege.  Alias delpol.


              EXAMPLE:
                     kadmin: delpolicy guests
                     Are you sure you want to delete the policy "guests"?
                     (yes/no): yes
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires the delete privilege)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_POLICY_REF (reference count on policy is not zero)

       modifypolicy [options] policy
              modifies the named policy.  Options are as above for addpolicy.
              Requires the modify privilege.  Alias modpol.


              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       getpolicy [-terse] policy
              displays  the  values of the named policy.  Requires the inquire
              privilege.  With the -terse flag, outputs the fields  as  quoted
              strings separated by tabs.  Alias getpol.

              EXAMPLES:
                     kadmin: getpolicy admin
                     Policy: admin
                     Maximum password life: 180 days 00:00:00
                     Minimum password life: 00:00:00
                     Minimum password length: 6
                     Minimum number of password character classes: 2
                     Number of old keys kept: 5
                     Reference count: 17
                     kadmin: getpolicy -terse admin
                     admin     15552000  0    6    2    5    17
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       listpolicies [expression]
              Retrieves all or some policy names.  Expression is a shell-style
              glob expression that can contain the wild-card characters ?, *,
              and []'s.  All policy names matching the expression are printed.
              If no expression is provided, all existing policy names are
              printed.  Requires the list privilege.  Alias listpols,
              getpolicies, getpols.


              EXAMPLES:
                     kadmin:  listpols
                     test-pol
                     dict-only
                     once-a-min
                     test-pol-nopw
                     kadmin:  listpols t*
                     test-pol
                     test-pol-nopw
                     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
             [principal | -glob princ-exp] [...]
              Adds a principal or  all  principals  matching  princ-exp  to  a
              keytab,   randomizing  each  principal's  key  in  the  process.
              Requires the inquire and changepw privileges.  An entry for each
              of  the  principal's  unique encryption types is added, ignoring
              multiple keys with the same encryption type but  different  salt
              types.   If the -k argument is not specified, the default keytab
              /etc/krb5.keytab is used.  If the -q option is  specified,  less
              verbose status information is displayed.

              The -glob option requires the list privilege.  princ-exp follows
              the same rules described for the listprincipals command.


              EXAMPLE:
                     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
                     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
                          kvno 3, encryption type DES-CBC-CRC added to keytab
                          WRFILE:/tmp/foo-new-keytab
                     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
              Removes entries for the specified principal from a keytab.
              Requires no permissions, since this does not require database
              access.  If the string "all" is specified, all entries for that
              principal are removed; if the string "old" is specified, all
              entries for that principal except those with the highest kvno
              are removed.  Otherwise, the value specified is parsed as an
              integer, and all entries whose kvno match that integer are
              removed.  If the -k argument is not specified, the default
              keytab /etc/krb5.keytab is used.  If the -q option is specified,
              less verbose status information is displayed.


              EXAMPLE:
                     kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
                     Entry for principal kadmin/admin with kvno 3 removed
                          from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
                     kadmin:
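              The following wrapper is an added example and is not part of the
              kadmin man page or the MIT distribution.  It ties together the
              -k/-t keytab authentication (avoiding the -w password warning
              above), the addprinc attribute flags, and the ktadd/ktremove
              keytab steps for a service principal; ADMIN_PRINC, ADMIN_KEYTAB
              and the principal and keytab names in it are assumed values.

```shell
#!/bin/sh
# Added example (not from the man page): drive kadmin non-interactively for
# service principals.  The admin identity comes from a keytab (-k -t), so no
# password is embedded in the script or passed with -w.  ADMIN_PRINC and
# ADMIN_KEYTAB are assumed, site-specific values.
set -eu

ADMIN_PRINC="${ADMIN_PRINC:-provision/admin}"                          # assumed
ADMIN_KEYTAB="${ADMIN_KEYTAB:-/var/kerberos/krb5kdc/provision.keytab}" # assumed
KADMIN="${KADMIN:-kadmin}"

# Reject tokens that kadmin's -q parser could split or misread (whitespace,
# quotes): principals and keytab paths are limited to a conservative set.
safe_token() {
    case "$1" in
        '')                     return 1 ;;
        *[!A-Za-z0-9._/@:-]*)   return 1 ;;
        *)                      return 0 ;;
    esac
}

# Only service-style names (service/instance[@REALM]) are handled here; user
# principals should be created interactively so the password is typed on a TTY.
is_service_principal() {
    safe_token "$1" || return 1
    case "$1" in
        ?*/?*) return 0 ;;
        *)     return 1 ;;
    esac
}

# addprinc query: random key (no password ever exists), pre-authentication
# required, and no postdated or proxiable tickets for this principal.
addprinc_query() {
    printf 'addprinc -randkey +requires_preauth -allow_postdated -allow_proxiable %s' "$1"
}

# ktadd query: write the principal's keys to a dedicated keytab.  ktadd also
# randomizes the key, so the same query is the rotation step (bumps the kvno).
ktadd_query() {
    printf 'ktadd -k %s %s' "$2" "$1"
}

# ktremove query: drop every entry except the highest kvno, to be run only
# after the service has been restarted with the newly written key.
ktremove_old_query() {
    printf 'ktremove -k %s %s old' "$2" "$1"
}

# Run one query as the admin principal, authenticating with its keytab.
run_query() {
    "$KADMIN" -p "$ADMIN_PRINC" -k -t "$ADMIN_KEYTAB" -q "$1"
}

provision_service() {
    is_service_principal "$1" && safe_token "$2" ||
        { echo "refusing '$1': not a service principal / bad keytab path" >&2; return 1; }
    # create the keytab with no group/other access from the start
    ( umask 077
      run_query "$(addprinc_query "$1")"
      run_query "$(ktadd_query "$1" "$2")" )
}

rotate_service_key() {
    is_service_principal "$1" && safe_token "$2" || return 1
    ( umask 077; run_query "$(ktadd_query "$1" "$2")" )
}

retire_old_keys() {
    is_service_principal "$1" && safe_token "$2" || return 1
    run_query "$(ktremove_old_query "$1" "$2")"
}

# Act only when invoked explicitly, so the file can be sourced for its functions.
if [ "${1:-}" = "--provision" ] && [ $# -eq 3 ]; then provision_service "$2" "$3"
elif [ "${1:-}" = "--rotate" ] && [ $# -eq 3 ]; then rotate_service_key "$2" "$3"
elif [ "${1:-}" = "--retire" ] && [ $# -eq 3 ]; then retire_old_keys "$2" "$3"
fi
```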

FILES
       principal.db         default name for Kerberos principal database

       <dbname>.kadm5       KADM5 administrative database.  (This would be
                            "principal.kadm5", if you use the default database
                            name.)  Contains policy information.

       <dbname>.kadm5.lock  lock file for the KADM5 administrative database.
                            This file works backwards from most other lock
                            files.  I.e., kadmin will exit with an error if
                            this file does not exist.

       kadm5.acl            file containing list of principals and their  kad-
                            min administrative privileges.  See kadmind(8) for
                            a description.

       kadm5.keytab         keytab file for kadmin/admin principal.

       kadm5.dict           file containing dictionary of  strings  explicitly
                            disallowed as passwords.

HISTORY
       The kadmin program was originally written by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.

SEE ALSO
       kerberos(1), kpasswd(1), kadmind(8)

BUGS
       Command output needs to be cleaned up.

       There is no way to delete a key kept around from a "-keepold" option to
       a password-changing command, other than to do a password change without
       the "-keepold" option, which will of course cause problems if  the  key
       is a TGS key.  There will be more powerful key-manipulation commands in
       the future.


