System Administration Commands                      kdb5_util(1M)



NAME
     kdb5_util - Kerberos Database maintenance utility

SYNOPSIS
     /usr/sbin/kdb5_util  [-d dbname] [-f stashfilename]
          [-k mkeytype] [-m] [-M mkeyname] [-P password] [-r realm]
          [-x dbargs]... cmd


DESCRIPTION
     The kdb5_util utility enables you to create, dump, load, and
     destroy the Kerberos V5 database. You can also use kdb5_util
     to create a stash file containing the Kerberos database
     master key.

OPTIONS
     The following options are supported:

     -d dbname

         Specify the database name. .db is appended  to  whatever
         name  is specified. You can specify an absolute path. If
         you do not specify the -d option, the  default  database
         name is /var/krb5/principal.


     -f stashfilename

         Specify the stash file name. You can specify an absolute
         path.


     -k mkeytype

         Specify the master key type. Valid values are
         des3-cbc-sha1, des-cbc-crc, des-cbc-md5, des-cbc-raw,
         arcfour-hmac-md5, arcfour-hmac-md5-exp,
         aes128-cts-hmac-sha1-96, and aes256-cts-hmac-sha1-96.


     -m

         Enter the master key manually.


     -M mkeyname

         Specify the master key name.


     -P password

         Use the specified password instead of the stash file.


     -r realm

         Use realm as the default database realm.


     -x dbargs

         Pass database-specific arguments  to  kadmin.  Supported
         arguments  are  for  LDAP  and the Berkeley-db2 plug-in.
         These arguments are:

         binddn=binddn

             LDAP simple bind DN for authorization on the
             directory server. Overrides the ldap_kadmind_dn
             parameter setting in krb5.conf(4).


         bindpwd=bindpwd

             Bind password.


         dbname=name

             For the Berkeley-db2 plug-in, specifies a  name  for
             the Kerberos database.


         nconns=num

             Maximum number of server connections.


         port=num

             Directory server connection port.



OPERANDS
     The following operands are supported:

     cmd

         Specifies whether to create, destroy, dump, or load  the
         database, or to create a stash file.

         You can specify the following commands:

         create -s

             Creates the database specified by the -d option. You
             will be prompted for the database master password.
             If you specify -s, a stash file is created as
             specified by the -f option. If you did not specify -f,
             the default stash file name is /var/krb5/.k5.realm.
             If you use the -f, -k, or -M options when you create
             a database, then you must use the same options when
             modifying or destroying the database.


         destroy

             Destroys the database specified by the -d option.


         stash

             Creates a stash file. If -f was not  specified,  the
             default  stash file name is /var/krb5/.k5.realm. You
             will be prompted for the master  database  password.
             This command is useful when you want to generate the
             stash file from the password.


         dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
         [-new_mkey_file mkeyfile] [-rev] [-recurse] [filename
         [principals...]]

             Dumps the current Kerberos and KADM5 database into
             an ASCII file. By default, the database is dumped in
             current format, "kdb5_util load_dump version 5". If
             filename is not specified or is the string "-", the
             dump is sent to standard output. Options are as
             follows:

             -old

                 Causes the dump to be in the Kerberos 5 Beta 5
                 and earlier dump format ("kdb5_edit load_dump
                 version 2.0").


             -b6

                 Causes the dump to be in the Kerberos 5 Beta 6
                 format ("kdb5_edit load_dump version 3.0").


             -b7

                 Causes the dump to be in the Kerberos 5 Beta 7
                 format ("kdb5_util load_dump version 4"). This
                 was the dump format produced on releases prior
                 to 1.2.2.


             -ov

                 Causes the dump to be in ovsec_adm_export format.


             -verbose

                 Causes the name of each principal and policy  to
                 be displayed as it is dumped.


             -mkey_convert

                 Prompts for a new master key.  This  new  master
                 key  will  be used to re-encrypt the key data in
                 the dumpfile. The key data in the database  will
                 not be changed.


             -new_mkey_file mkeyfile

                 The filename of a stash file. The master key  in
                 this  stash  file will be used to re-encrypt the
                 key data in the dumpfile. The key  data  in  the
                 database will not be changed.


             -rev

                 Dumps in reverse order. This might recover
                 principals that do not dump normally, in cases where
                 database corruption has occurred.


             -recurse

                 Causes the dump to walk the database recursively
                 (btree only). This might recover principals that
                 do not dump normally, in cases where database
                 corruption has occurred. In cases of such
                 corruption, this option will probably retrieve more
                 principals than will the -rev option.


         load [-old] [-b6] [-b7] [-ov] [-hash] [-verbose]
         [-update] filename dbname [admindbname]

             Loads a database dump from filename into dbname.
             Unless the -old or -b6 option is specified, the
             format of the dump file is detected automatically and
             handled appropriately. Unless the -update option is
             specified, load creates a new database containing
             only the principals in the dump file, overwriting
             the contents of any existing database. The -old
             option requires the database to be in the Kerberos 5
             Beta 5 or earlier format ("kdb5_edit load_dump
             version 2.0").

             -b6

                 Requires the database to be in the Kerberos 5
                 Beta 6 format ("kdb5_edit load_dump version
                 3.0").


             -b7

                 Requires the database to be in the Kerberos 5
                 Beta 7 format ("kdb5_util load_dump version 4").


             -ov

                 Requires the database to be in ovsec_adm_import
                 format. Must be used with the -update option.


             -hash

                 Requires the database to be stored as a hash. If
                 this option is not specified, the database will
                 be stored as a btree. This option is not
                 recommended, as databases stored in hash format are
                 known to corrupt data and lose principals.


             -verbose

                 Causes the name of each principal and policy  to
                 be displayed as it is dumped.


             -update

                 Records from the dump file are added to or
                 updated in the existing database. Otherwise, a
                 new database is created containing only what is
                 in the dump file and the old one is destroyed
                 upon successful completion.


             filename

                 Required argument that specifies a path to a
                 file containing a database dump.


             dbname

                 Required  argument  that  overrides  the   value
                 specified  on  the command line or overrides the
                 default.


             admindbname

                 Optional argument that is derived from dbname if
                 not specified.




EXAMPLES
     Example 1 Creating a File That Contains Information About Two
     Principals


     The following example creates a file  named  slavedata  that
     contains  the information about two principals, jdb@ACME.COM
     and pak@ACME.COM.


       # /usr/krb5/bin/kdb5_util dump -verbose slavedata \
       jdb@ACME.COM pak@ACME.COM
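
     Added example (not part of the original man page or of the
     Kerberos software): a check to run on a dump file before load,
     built from the dump format strings listed under dump and load.
     It assumes the format string is the first line of the dump file;
     the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: checks to run on a dump file before "kdb5_util load".
# Format strings are the ones quoted in this man page. Assumptions of this
# example: the string is the first line of the dump file, and the helper
# functions below are hypothetical, not part of kdb5_util.

# Print the load option that pins the dump's format ("auto" for the current
# format, which has no pinning option). Fail on an unrecognized header.
kdb5_dump_format() {
    header=$(head -n 1 "$1" 2>/dev/null | tr -d '\r')
    case $header in
        "kdb5_util load_dump version 5")   printf '%s\n' "auto" ;;
        "kdb5_util load_dump version 4")   printf '%s\n' "-b7" ;;
        "kdb5_edit load_dump version 3.0") printf '%s\n' "-b6" ;;
        "kdb5_edit load_dump version 2.0") printf '%s\n' "-old" ;;
        *) return 1 ;;
    esac
}

# Succeed only if the file grants no permissions to group or other.
# A dump file carries principal key data, so treat it like the database.
kdb5_dump_private() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$perms" = "------" ]
}

# Run both checks; print the format option on success.
kdb5_preload_check() {
    kdb5_dump_private "$1" || { echo "$1: group/other access, refusing" >&2; return 3; }
    kdb5_dump_format "$1"  || { echo "$1: unrecognized dump header" >&2; return 4; }
}

# Demo on a constructed file (header line only, no real principal data).
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
( umask 077; printf 'kdb5_util load_dump version 4\n' > "$tmp/slavedata" )
kdb5_preload_check "$tmp/slavedata"
```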



FILES
     /var/krb5/principal

         Kerberos principal database.


     /var/krb5/principal.kadm5

         Kerberos administrative database. Contains policy
         information.


     /var/krb5/principal.kadm5.lock

         Lock file for the Kerberos administrative database. This
         file  works  backwards  from most other lock files (that
         is, kadmin exits with an error if  this  file  does  not
         exist).


     /var/krb5/principal.ulog

         The update log file for incremental propagation.


ATTRIBUTES
     See attributes(5) for descriptions of the following
     attributes:

     ATTRIBUTE TYPE               ATTRIBUTE VALUE
     ---------------------------- ----------------------------
     Availability                 SUNWkdcu
     Interface Stability          Evolving


SEE ALSO
     kpasswd(1), gkadmin(1M), kadmin(1M), kadmind(1M),
     kadmin.local(1M), kdb5_ldap_util(1M), kproplog(1M),
     kadm5.acl(4), kdc.conf(4), attributes(5), kerberos(5)

SunOS 5.11          Last change: 29 Feb 2008