KADMIN(1) | General Commands Manual | KADMIN(1) |
kadmin — Kerberos administration utility

kadmin [-p string | --principal=string] [-K string | --keytab=string] [-c file | --config-file=file] [-k file | --key-file=file] [-r realm | --realm=realm] [-a host | --admin-server=host] [-s port number | --server-port=port number] [-l | --local] [-h | --help] [-v | --version] [command]

The kadmin program is used to make modifications to the Kerberos database, either remotely via the kadmind(8) daemon, or locally (with the -l option).

Supported options:

-p string, --principal=string
-K string, --keytab=string
-c file, --config-file=file
-k file, --key-file=file
-r realm, --realm=realm
-a host, --admin-server=host
-s port number, --server-port=port number
-l, --local

If no command is given on the command line, kadmin will prompt for commands to process. Some of the commands that take one or more principals as argument (delete, ext_keytab, get, modify, and passwd) will accept a glob-style wildcard, and perform the operation on all matching principals.
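
An added example (not part of the Heimdal manual): a POSIX shell wrapper that uses terse get to preview which principals a wildcard matches and refuses the bulk command when the count exceeds a limit. The names preview_matches, guarded_op, KADMIN and KADMIN_FLAGS are hypothetical, and it assumes terse output is one principal name per line.

```shell
#!/bin/sh
# Added example: preview what a kadmin wildcard matches before a bulk change.
# KADMIN and KADMIN_FLAGS are knobs of this wrapper (assumptions), not kadmin settings.
KADMIN=${KADMIN:-kadmin}
KADMIN_FLAGS=${KADMIN_FLAGS:--l}   # -l = local mode, as in the page's own example

# Print the principals PATTERN matches, one per line, via terse get.
preview_matches() {
    # Quote the pattern so kadmin sees the glob, not the shell's file expansion.
    $KADMIN $KADMIN_FLAGS get -t "$1" | sed '/^[[:space:]]*$/d'
}

# guarded_op MAX PATTERN COMMAND [OPTIONS...]
# Runs "kadmin COMMAND OPTIONS PATTERN" only when PATTERN matches 1..MAX principals.
# Returns 1 = no match, 2 = command takes no wildcard, 3 = too many matches.
# e.g. guarded_op 5 'host/*' modify -a requires-pre-auth
guarded_op() {
    max=$1 pattern=$2
    shift 2
    case ${1:-} in
        delete|ext_keytab|get|modify|passwd) ;;   # wildcard-capable commands
        *) echo "refusing: '${1:-}' does not take a wildcard" >&2; return 2 ;;
    esac
    matches=$(preview_matches "$pattern")
    if [ -z "$matches" ]; then
        echo "no principal matches '$pattern'" >&2
        return 1
    fi
    count=$(printf '%s\n' "$matches" | wc -l | tr -d '[:space:]')
    if [ "$count" -gt "$max" ]; then
        echo "refusing $1: '$pattern' matches $count principals (limit $max):" >&2
        printf '%s\n' "$matches" | sed 's/^/  /' >&2
        return 3
    fi
    # The match set can change between preview and this call; keep MAX tight.
    $KADMIN $KADMIN_FLAGS "$@" "$pattern"
}
```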
Commands include:

add [-r | --random-key] [--random-password] [-p string | --password=string] [--key=string] [--max-ticket-life=lifetime] [--max-renewable-life=lifetime] [--attributes=attributes] [--expiration-time=time] [--pw-expiration-time=time] [--policy=policy-name] principal...
default’.

add_enctype [-r | --random-key] principal enctypes...

delete principal...

del_enctype principal enctypes...

ext_keytab [-k string | --keytab=string] principal...

get [-l | --long] [-s | --short] [-t | --terse] [-o string | --column-info=string] principal...
-o option.
The argument is a comma-separated list of column names optionally appended with an equal sign (‘=’) and a column header. The columns printed by default differ slightly between short and long output.
The default terse output format is similar to -s -o principal=, just printing the names of matched principals.
Possible column names include: principal, princ_expire_time, pw_expiration, last_pwd_change, max_life, max_rlife, mod_time, mod_name, attributes, kvno, mkvno, last_success, last_failed, fail_auth_count, policy, and keytypes.

modify [-a attributes | --attributes=attributes] [--max-ticket-life=lifetime] [--max-renewable-life=lifetime] [--expiration-time=time] [--pw-expiration-time=time] [--kvno=number] [--policy=policy-name] principal...
The only policy supported by Heimdal is ‘default’.
Possible attributes are: new-princ, support-desmd5, pwchange-service, disallow-svr, requires-pw-change, requires-hw-auth, requires-pre-auth, disallow-all-tix, disallow-dup-skey, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-forwardable, disallow-postdated.
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user

passwd [--keepold] [-r | --random-key] [--random-password] [-p string | --password=string] [--key=string] principal...

password-quality principal password

privileges
add, add_enctype, change-password, delete, del_enctype, get, get-keys, list, and modify.

rename from to

check [realm]

When running in local mode, the following commands can also be used:

dump [-d | --decrypt] [-f format | --format=format] [dump-file]
--decrypt is used. If --format=MIT is used then the dump will be in MIT format. Otherwise it will be in Heimdal format.

init [--realm-max-ticket-life=string] [--realm-max-renewable-life=string] realm

load file

merge file
load but just modifies the database with the entries in the dump file.

stash [-e enctype | --enctype=enctype] [-k keyfile | --key-file=keyfile] [--convert-file] [--master-key-fd=fd]

February 22, 2007 | HEIMDAL |