[[**-c** *cache_name*]\|[**-k** [**-t** *keytab*]]\|\ **-n**]
[**-s** *admin_server*\ [:*port*]]
[**-e** *enc*:*salt* ...]

.. _kadmin_synopsis_end:

kadmin and kadmin.local are command-line interfaces to the Kerberos V5
administration system. They provide nearly identical functionalities;
the difference is that kadmin.local directly accesses the KDC
database, while kadmin performs operations using :ref:`kadmind(8)`.
Except as explicitly noted otherwise, this man page will use "kadmin"
to refer to both versions. kadmin provides for the maintenance of
Kerberos principals, password policies, and service key tables

The remote kadmin client uses Kerberos to authenticate to kadmind
using the service principal ``kadmin/admin`` or ``kadmin/ADMINHOST``
(where *ADMINHOST* is the fully-qualified hostname of the admin
server). If the credentials cache contains a ticket for one of these
principals, and the **-c** credentials_cache option is specified, that
ticket is used to authenticate to kadmind. Otherwise, the **-p** and
**-k** options are used to specify the client Kerberos principal name
used to authenticate. Once kadmin has determined the principal name,
it requests a service ticket from the KDC, and uses that service
ticket to authenticate to kadmind.

Since kadmin.local directly accesses the KDC database, it usually must
be run directly on the primary KDC with sufficient permissions to read
the KDC database. If the KDC database uses the LDAP database module,
kadmin.local can be run on any host which can access the LDAP server.

Use *realm* as the default database realm.

Use *principal* to authenticate. Otherwise, kadmin will append
``/admin`` to the primary principal name of the default ccache,
the value of the **USER** environment variable, or the username as
obtained with getpwuid, in order of preference.

Use a keytab to decrypt the KDC response instead of prompting for
a password. In this case, the default principal will be
``host/hostname``. If there is no keytab specified with the
**-t** option, then the default keytab will be used.

Use *keytab* to decrypt the KDC response. This can only be used
with the **-k** option.

Requests anonymous processing. Two types of anonymous principals
are supported. For fully anonymous Kerberos, configure PKINIT on
the KDC and configure **pkinit_anchors** in the client's
:ref:`krb5.conf(5)`. Then use the **-n** option with a principal
of the form ``@REALM`` (an empty principal name followed by the
at-sign and a realm name). If permitted by the KDC, an anonymous
ticket will be returned. A second form of anonymous tickets is
supported; these realm-exposed tickets hide the identity of the
client but not the client's realm. For this mode, use ``kinit
-n`` with a normal principal name. If supported by the KDC, the
principal (but not realm) will be replaced by the anonymous
principal. As of release 1.8, the MIT Kerberos KDC only supports
fully anonymous operation.

**-c** *credentials_cache*
    Use *credentials_cache* as the credentials cache. The cache
    should contain a service ticket for the ``kadmin/admin`` or
    ``kadmin/ADMINHOST`` (where *ADMINHOST* is the fully-qualified
    hostname of the admin server) service; it can be acquired with the
    :ref:`kinit(1)` program. If this option is not specified, kadmin
    requests a new service ticket from the KDC, and stores it in its
    own temporary ccache.

Use *password* instead of prompting for one. Use this option with
care, as it may expose the password to other users on the system
via the process list.

Perform the specified query and then exit.

Specifies the name of the KDC database. This option does not
apply to the LDAP database module.

**-s** *admin_server*\ [:*port*]
    Specifies the admin server which kadmin should contact.

If using kadmin.local, prompt for the database master password
instead of reading it from a stash file.

**-e** "*enc*:*salt* ..."
    Sets the keysalt list to be used for any new keys created. See
    :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of possible

Force use of old AUTH_GSSAPI authentication flavor.

Prevent fallback to AUTH_GSSAPI authentication flavor.

Specifies the database specific arguments. See the next section
for supported options.

.. _kadmin_options_end:

Starting with release 1.14, if any command-line arguments remain after
the options, they will be treated as a single query to be executed.
This mode of operation is intended for scripts and behaves differently
from the interactive mode in several respects:

* Query arguments are split by the shell, not by kadmin.
* Informational and warning messages are suppressed. Error messages
  and query output (e.g. for **get_principal**) will still be
* Confirmation prompts are disabled (as if **-force** was given).
  Password prompts will still be issued as required.
* The exit status will be non-zero if the query fails.

The **-q** option does not carry these behavior differences; the query
will be processed as if it was entered interactively. The **-q**
option cannot be used in combination with a query in the remaining

Database options can be used to override database-specific defaults.
Supported options for the DB2 module are:

**-x dbname=**\ *filename*
    Specifies the base filename of the DB2 database.

Make iteration operations hold the lock for the duration of
the entire operation, rather than temporarily releasing the
lock while handling each principal. This is the default
behavior, but this option exists to allow command line
override of a [dbmodules] setting. First introduced in

Make iteration operations unlock the database for each
principal, instead of holding the lock for the duration of the
entire operation. First introduced in release 1.13.

Supported options for the LDAP module are:

**-x host=**\ *ldapuri*
    Specifies the LDAP server to connect to by an LDAP URI.

**-x binddn=**\ *bind_dn*
    Specifies the DN used to bind to the LDAP server.

**-x bindpwd=**\ *password*
    Specifies the password or SASL secret used to bind to the LDAP
    server. Using this option may expose the password to other
    users on the system via the process list; to avoid this,
    instead stash the password using the **stashsrvpw** command of
    :ref:`kdb5_ldap_util(8)`.

**-x sasl_mech=**\ *mechanism*
    Specifies the SASL mechanism used to bind to the LDAP server.
    The bind DN is ignored if a SASL mechanism is used. New in

**-x sasl_authcid=**\ *name*
    Specifies the authentication name used when binding to the
    LDAP server with a SASL mechanism, if the mechanism requires
    one. New in release 1.13.

**-x sasl_authzid=**\ *name*
    Specifies the authorization name used when binding to the LDAP
    server with a SASL mechanism. New in release 1.13.

**-x sasl_realm=**\ *realm*
    Specifies the realm used when binding to the LDAP server with
    a SASL mechanism, if the mechanism uses one. New in release

**-x debug=**\ *level*
    Sets the OpenLDAP client library debug level. *level* is an
    integer to be interpreted by the library. Debugging messages
    are printed to standard error. New in release 1.12.

When using the remote client, available commands may be restricted
according to the privileges specified in the :ref:`kadm5.acl(5)` file

**add_principal** [*options*] *newprinc*

Creates the principal *newprinc*, prompting twice for a password. If
no password policy is specified with the **-policy** option, the
policy named ``default`` is assigned to the principal if it exists.
However, creating a policy named ``default`` will not automatically
assign this policy to previously existing principals. This policy
assignment can be suppressed with the **-clearpolicy** option.

This command requires the **add** privilege.

Aliases: **addprinc**, **ank**

**-expire** *expdate*
    (:ref:`getdate` string) The expiration date of the principal.

**-pwexpire** *pwexpdate*
    (:ref:`getdate` string) The password expiration date.

**-maxlife** *maxlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum ticket life

**-maxrenewlife** *maxrenewlife*
    (:ref:`duration` or :ref:`getdate` string) The maximum renewable
    life of tickets for the principal.

The initial key version number.

The password policy used by this principal. If not specified, the
policy ``default`` is used if it exists (unless **-clearpolicy**

Prevents any policy from being assigned when **-policy** is not

{-\|+}\ **allow_postdated**
    **-allow_postdated** prohibits this principal from obtaining
    postdated tickets. **+allow_postdated** clears this flag.

{-\|+}\ **allow_forwardable**
    **-allow_forwardable** prohibits this principal from obtaining
    forwardable tickets. **+allow_forwardable** clears this flag.

{-\|+}\ **allow_renewable**
    **-allow_renewable** prohibits this principal from obtaining
    renewable tickets. **+allow_renewable** clears this flag.

{-\|+}\ **allow_proxiable**
    **-allow_proxiable** prohibits this principal from obtaining
    proxiable tickets. **+allow_proxiable** clears this flag.

{-\|+}\ **allow_dup_skey**
    **-allow_dup_skey** disables user-to-user authentication for this
    principal by prohibiting others from obtaining a service ticket
    encrypted in this principal's TGT session key.
    **+allow_dup_skey** clears this flag.

{-\|+}\ **requires_preauth**
    **+requires_preauth** requires this principal to preauthenticate
    before being allowed to kinit. **-requires_preauth** clears this
    flag. When **+requires_preauth** is set on a service principal,
    the KDC will only issue service tickets for that service principal
    if the client's initial authentication was performed using

{-\|+}\ **requires_hwauth**
    **+requires_hwauth** requires this principal to preauthenticate
    using a hardware device before being allowed to kinit.
    **-requires_hwauth** clears this flag. When **+requires_hwauth** is
    set on a service principal, the KDC will only issue service tickets
    for that service principal if the client's initial authentication was
    performed using a hardware device to preauthenticate.

{-\|+}\ **ok_as_delegate**
    **+ok_as_delegate** sets the **okay as delegate** flag on tickets
    issued with this principal as the service. Clients may use this
    flag as a hint that credentials should be delegated when
    authenticating to the service. **-ok_as_delegate** clears this

{-\|+}\ **allow_svr**
    **-allow_svr** prohibits the issuance of service tickets for this
    principal. In release 1.17 and later, user-to-user service
    tickets are still allowed unless the **-allow_dup_skey** flag is
    also set. **+allow_svr** clears this flag.

{-\|+}\ **allow_tgs_req**
    **-allow_tgs_req** specifies that a Ticket-Granting Service (TGS)
    request for a service ticket for this principal is not permitted.
    **+allow_tgs_req** clears this flag.

{-\|+}\ **allow_tix**
    **-allow_tix** forbids the issuance of any tickets for this
    principal. **+allow_tix** clears this flag.

{-\|+}\ **needchange**
    **+needchange** forces a password change on the next initial
    authentication to this principal. **-needchange** clears this

{-\|+}\ **password_changing_service**
    **+password_changing_service** marks this principal as a password
    change service principal.

{-\|+}\ **ok_to_auth_as_delegate**
    **+ok_to_auth_as_delegate** allows this principal to acquire
    forwardable tickets to itself from arbitrary users, for use with
    constrained delegation.

{-\|+}\ **no_auth_data_required**
    **+no_auth_data_required** prevents PAC or AD-SIGNEDPATH data from
    being added to service tickets for the principal.

{-\|+}\ **lockdown_keys**
    **+lockdown_keys** prevents keys for this principal from leaving
    the KDC via kadmind. The chpass and extract operations are denied
    for a principal with this attribute. The chrand operation is
    allowed, but will not return the new keys. The delete and rename
    operations are also denied if this attribute is set, in order to
    prevent a malicious administrator from replacing principals like
    krbtgt/* or kadmin/* with new principals without the attribute.
    This attribute can be set via the network protocol, but can only
    be removed using kadmin.local.

Sets the key of the principal to a random value.

Causes the principal to be created with no key. New in release

Sets the password of the principal to the specified string and
does not prompt for a password. Note: using this option in a
shell script may expose the password to other users on the system
via the process list.

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

**-x** *db_princ_args*
    Indicates database-specific options. The options for the LDAP

Specifies the LDAP object that will contain the Kerberos
principal being created.

Specifies the LDAP object to which the newly created Kerberos
principal object will point.

**-x containerdn=**\ *container_dn*
    Specifies the container object under which the Kerberos
    principal is to be created.

**-x tktpolicy=**\ *policy*
    Associates a ticket policy to the Kerberos principal.

- The **containerdn** and **linkdn** options cannot be
  specified with the **dn** option.
- If the *dn* or *containerdn* options are not specified while
  adding the principal, the principals are created under the
  principal container configured in the realm or the realm
- *dn* and *containerdn* should be within the subtrees or
  principal container configured in the realm.

::

    kadmin: addprinc jennifer
    No policy specified for "jennifer@ATHENA.MIT.EDU";
    defaulting to no policy.
    Enter password for principal jennifer@ATHENA.MIT.EDU:
    Re-enter password for principal jennifer@ATHENA.MIT.EDU:
    Principal "jennifer@ATHENA.MIT.EDU" created.

.. _add_principal_end:

.. _modify_principal:

**modify_principal** [*options*] *principal*

Modifies the specified principal, changing the fields as specified.
The options to **add_principal** also apply to this command, except
for the **-randkey**, **-pw**, and **-e** options. In addition, the
option **-clearpolicy** will clear the current policy of a principal.

This command requires the **modify** privilege.

Options (in addition to the **addprinc** options):

Unlocks a locked principal (one which has received too many failed
authentication attempts without enough time between them according
to its password policy) so that it can successfully authenticate.

.. _modify_principal_end:

.. _rename_principal:

**rename_principal** [**-force**] *old_principal* *new_principal*

Renames the specified *old_principal* to *new_principal*. This
command prompts for confirmation, unless the **-force** option is

This command requires the **add** and **delete** privileges.

.. _rename_principal_end:

.. _delete_principal:

**delete_principal** [**-force**] *principal*

Deletes the specified *principal* from the database. This command
prompts for deletion, unless the **-force** option is given.

This command requires the **delete** privilege.

.. _delete_principal_end:

**change_password** [*options*] *principal*

Changes the password of *principal*. Prompts for a new password if
neither **-randkey** nor **-pw** is specified.

This command requires the **changepw** privilege, or that the
principal running the program is the same as the principal being

The following options are available:

Sets the key of the principal to a random value.

Set the password to the specified string. Using this option in a
script may expose the password to other users on the system via

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

Keeps the existing keys in the database. This flag is usually not
necessary except perhaps for ``krbtgt`` principals.

::

    Enter password for principal systest@BLEEP.COM:
    Re-enter password for principal systest@BLEEP.COM:
    Password for systest@BLEEP.COM changed.

.. _change_password_end:

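
The process-list exposure that this page warns about for **-pw**, for the command-line password option (``-w``) and for **-x bindpwd=** can be audited on a host. The following Python sketch is an added example, not part of the MIT krb5 distribution: the function names and the constructed sample records are assumptions, and ``shlex`` only approximates how kadmin splits a **-q** query.

```python
import shlex

PROGRAMS = {"kadmin", "kadmin.local"}
# Top-level kadmin options that consume the next argument.
TAKES_VALUE = {"-r", "-p", "-t", "-c", "-w", "-q", "-d", "-s", "-e", "-x"}


def parse_proc_cmdline(raw):
    """Split the NUL-separated bytes of /proc/PID/cmdline into argv."""
    return [a.decode("utf-8", "replace") for a in raw.rstrip(b"\0").split(b"\0")]


def split_query(text):
    """Approximate kadmin's own splitting of a -q query string (assumption)."""
    try:
        return shlex.split(text)
    except ValueError:  # unbalanced quotes: fall back to whitespace
        return text.split()


def exposed_options(argv):
    """Return the sorted names of secret-bearing options present in argv."""
    if not argv or argv[0].rsplit("/", 1)[-1] not in PROGRAMS:
        return []
    hits, query, i = set(), [], 1
    while i < len(argv):
        arg = argv[i]
        opt, attached = arg[:2], arg[2:]
        if opt in TAKES_VALUE:
            if attached:               # getopt form: -wVALUE
                value = attached
            else:                      # separate form: -w VALUE
                i += 1
                value = argv[i] if i < len(argv) else ""
            if opt == "-w":
                hits.add("-w")
            elif opt == "-x" and value.startswith("bindpwd="):
                hits.add("-x bindpwd")
            elif opt == "-q":          # query arrives as one argument
                query = split_query(value)
        elif not arg.startswith("-"):  # remaining arguments form the query
            query = argv[i:]
            break
        i += 1
    if "-pw" in query[:-1]:            # -pw followed by a value
        hits.add("-pw")
    return sorted(hits)


def audit(records):
    """Map (pid, user, raw cmdline) records to findings; secrets are never echoed."""
    findings = []
    for pid, user, raw in records:
        opts = exposed_options(parse_proc_cmdline(raw))
        if opts:
            findings.append((pid, user, opts))
    return findings


# Constructed sample records, shaped like /proc/PID/cmdline contents.
SAMPLE = [
    (812, "root", b"/usr/sbin/kadmind\0-nofork\0"),
    (4021, "alice", b"kadmin\0-p\0alice/admin\0-w\0CONSTRUCTED-PW\0getprinc\0jennifer\0"),
    (4050, "backup", b"/usr/sbin/kadmin.local\0-q\0cpw -pw CONSTRUCTED-PW systest\0"),
    (4077, "ops", b"kadmin.local\0-x\0binddn=cn=admin,dc=example,dc=com\0"
                  b"-x\0bindpwd=CONSTRUCTED-PW\0listprincs\0"),
    (4090, "bob", b"kadmin\0-p\0bob/admin\0-k\0-t\0/etc/krb5.keytab\0"
                  b"addprinc\0-randkey\0host/foo.mit.edu\0"),
    (4101, "carol", b"kadmin\0-p\0carol/admin\0addprinc\0-pw\0CONSTRUCTED-PW\0jennifer\0"),
]

if __name__ == "__main__":
    for pid, user, opts in audit(SAMPLE):
        print(f"pid={pid} user={user} exposes a secret via: {', '.join(opts)}")
```

The keytab-based invocation (pid 4090) is not reported, which is the pattern scripts should move to.
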
**purgekeys** [**-all**\|\ **-keepkvno** *oldest_kvno_to_keep*] *principal*

Purges previously retained old keys (e.g., from **change_password
-keepold**) from *principal*. If **-keepkvno** is specified, then
only purges keys with kvnos lower than *oldest_kvno_to_keep*. If
**-all** is specified, then all keys are purged. The **-all** option
is new in release 1.12.

This command requires the **modify** privilege.

**get_principal** [**-terse**] *principal*

Gets the attributes of principal. With the **-terse** option, outputs
fields as quoted tab-separated strings.

This command requires the **inquire** privilege, or that the principal
running the program is the same as the one being listed.

::

    kadmin: getprinc tlyu/admin
    Principal: tlyu/admin@BLEEP.COM
    Expiration date: [never]
    Last password change: Mon Aug 12 14:16:47 EDT 1996
    Password expiration date: [never]
    Maximum ticket life: 0 days 10:00:00
    Maximum renewable life: 7 days 00:00:00
    Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
    Last successful authentication: [never]
    Last failed authentication: [never]
    Failed password attempts: 0
    Key: vno 1, aes256-cts-hmac-sha384-192

::

    kadmin: getprinc -terse systest
    systest@BLEEP.COM 3 86400 604800 1
    785926535 753241234 785900000
    tlyu/admin@BLEEP.COM 786100034 0 0

.. _get_principal_end:

**list_principals** [*expression*]

Retrieves all or some principal names. *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``. All principal names matching the expression are
printed. If no expression is provided, all principal names are
printed. If the expression does not contain an ``@`` character, an
``@`` character followed by the local realm is appended to the

This command requires the **list** privilege.

Aliases: **listprincs**, **get_principals**, **getprincs**

::

    kadmin: listprincs test*
    test3@SECURE-TEST.OV.COM
    test2@SECURE-TEST.OV.COM
    test1@SECURE-TEST.OV.COM
    testuser@SECURE-TEST.OV.COM

.. _list_principals_end:

**get_strings** *principal*

Displays string attributes on *principal*.

This command requires the **inquire** privilege.

**set_string** *principal* *name* *value*

Sets a string attribute on *principal*. String attributes are used to
supply per-principal configuration to the KDC and some KDC plugin
modules. The following string attribute names are recognized by the

Specifies an authentication indicator which is required to
authenticate to the principal as a service. Multiple indicators
can be specified, separated by spaces; in this case any of the
specified indicators will be accepted. (New in release 1.14.)

Specifies the encryption types supported for session keys when the
principal is authenticated to as a server. See
:ref:`Encryption_types` in :ref:`kdc.conf(5)` for a list of the

Enables One Time Passwords (OTP) preauthentication for a client
*principal*. The *value* is a JSON string representing an array
of objects, each having optional ``type`` and ``username`` fields.

**pkinit_cert_match**
    Specifies a matching expression that defines the certificate
    attributes required for the client certificate used by the
    principal during PKINIT authentication. The matching expression
    is in the same format as those used by the **pkinit_cert_match**
    option in :ref:`krb5.conf(5)`. (New in release 1.16.)

This command requires the **modify** privilege.

::

    set_string host/foo.mit.edu session_enctypes aes128-cts
    set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"

**del_string** *principal* *key*

Deletes a string attribute from *principal*.

This command requires the **delete** privilege.

**add_policy** [*options*] *policy*

Adds a password policy named *policy* to the database.

This command requires the **add** privilege.

The following options are available:

(:ref:`duration` or :ref:`getdate` string) Sets the maximum
lifetime of a password.

(:ref:`duration` or :ref:`getdate` string) Sets the minimum
lifetime of a password.

**-minlength** *length*
    Sets the minimum length of a password.

**-minclasses** *number*
    Sets the minimum number of character classes required in a
    password. The five character classes are lower case, upper case,
    numbers, punctuation, and whitespace/unprintable characters.

**-history** *number*
    Sets the number of past keys kept for a principal. This option is
    not supported with the LDAP KDC database module.

.. _policy_maxfailure:

**-maxfailure** *maxnumber*
    Sets the number of authentication failures before the principal is
    locked. Authentication failures are only tracked for principals
    which require preauthentication. The counter of failed attempts
    resets to 0 after a successful attempt to authenticate. A
    *maxnumber* value of 0 (the default) disables lockout.

.. _policy_failurecountinterval:

**-failurecountinterval** *failuretime*
    (:ref:`duration` or :ref:`getdate` string) Sets the allowable time
    between authentication failures. If an authentication failure
    happens after *failuretime* has elapsed since the previous
    failure, the number of authentication failures is reset to 1. A
    *failuretime* value of 0 (the default) means forever.

.. _policy_lockoutduration:

**-lockoutduration** *lockouttime*
    (:ref:`duration` or :ref:`getdate` string) Sets the duration for
    which the principal is locked from authenticating if too many
    authentication failures occur without the specified failure count
    interval elapsing. A duration of 0 (the default) means the
    principal remains locked out until it is administratively unlocked
    with ``modprinc -unlock``.

Specifies the key/salt tuples supported for long-term keys when
setting or changing a principal's password/keys. See
:ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a list of the
accepted values, but note that key/salt tuples must be separated
with commas (',') only. To clear the allowed key/salt policy use

::

    kadmin: add_policy -maxlife "2 days" -minlength 5 guests

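
How **-maxfailure**, **-failurecountinterval** and **-lockoutduration** interact is easier to see on a timeline. The following Python model is an added example and is not the KDC's own code: the class and function names are hypothetical, and it assumes that attempts made while locked leave the counters unchanged, that the first failure after a lockout expires starts a new count, and that ``modprinc -unlock`` clears the counter.

```python
from dataclasses import dataclass


@dataclass
class Policy:
    maxfailure: int = 0            # 0 (the default) disables lockout
    failurecountinterval: int = 0  # seconds; 0 (the default) means forever
    lockoutduration: int = 0       # seconds; 0 means until modprinc -unlock


@dataclass
class Principal:
    fail_count: int = 0
    last_failed: int = 0


def is_locked(pol, princ, now):
    """True while the principal is refused regardless of the password."""
    if pol.maxfailure == 0 or princ.fail_count < pol.maxfailure:
        return False
    if pol.lockoutduration == 0:
        return True                # stays locked until unlock()
    return now < princ.last_failed + pol.lockoutduration


def attempt(pol, princ, now, password_ok):
    """Apply one preauthenticated attempt; return 'locked', 'ok' or 'failed'."""
    if is_locked(pol, princ, now):
        return "locked"            # assumption: counters are left untouched
    if password_ok:
        princ.fail_count = 0       # success resets the counter to 0
        return "ok"
    window_elapsed = (pol.failurecountinterval != 0
                      and now - princ.last_failed > pol.failurecountinterval)
    # Assumption: a failure after an expired lockout starts a new count.
    lockout_expired = pol.maxfailure != 0 and princ.fail_count >= pol.maxfailure
    if window_elapsed or lockout_expired:
        princ.fail_count = 0       # this failure then becomes failure number 1
    princ.fail_count += 1
    princ.last_failed = now
    return "failed"


def unlock(princ):
    """Model of modprinc -unlock (assumption: it clears the failure counter)."""
    princ.fail_count = 0


def replay(pol, events, princ=None):
    """Run (time, password_ok) events in order and return each outcome."""
    if princ is None:
        princ = Principal()
    return [attempt(pol, princ, t, ok) for t, ok in events]


if __name__ == "__main__":
    # Constructed timeline: 3 failures allowed, 5 minute window, 10 minute lockout.
    pol = Policy(maxfailure=3, failurecountinterval=300, lockoutduration=600)
    events = [(0, False), (60, False), (500, False), (520, False),
              (540, False), (600, True), (1139, True), (1140, True)]
    for (t, ok), outcome in zip(events, replay(pol, events)):
        print(f"t={t:5d} password_ok={ok!s:5} -> {outcome}")
```

In the constructed timeline the failure at t=500 restarts the count because more than 300 seconds have passed since t=60, so the lock only engages at t=540 and a correct password is refused until t=1140.
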
**modify_policy** [*options*] *policy*

Modifies the password policy named *policy*. Options are as described

This command requires the **modify** privilege.

.. _modify_policy_end:

**delete_policy** [**-force**] *policy*

Deletes the password policy named *policy*. Prompts for confirmation
before deletion. The command will fail if the policy is in use by any

This command requires the **delete** privilege.

::

    kadmin: del_policy guests
    Are you sure you want to delete the policy "guests"?

.. _delete_policy_end:

**get_policy** [ **-terse** ] *policy*

Displays the values of the password policy named *policy*. With the
**-terse** flag, outputs the fields as quoted strings separated by

This command requires the **inquire** privilege.

::

    kadmin: get_policy admin
    Maximum password life: 180 days 00:00:00
    Minimum password life: 00:00:00
    Minimum password length: 6
    Minimum number of password character classes: 2
    Number of old keys kept: 5

::

    kadmin: get_policy -terse admin
    admin 15552000 0 6 2 5 17

The "Reference count" is the number of principals using that policy.
With the LDAP KDC database module, the reference count field is not

**list_policies** [*expression*]

Retrieves all or some policy names. *expression* is a shell-style
glob expression that can contain the wild-card characters ``?``,
``*``, and ``[]``. All policy names matching the expression are
printed. If no expression is provided, all existing policy names are

This command requires the **list** privilege.

Aliases: **listpols**, **get_policies**, **getpols**.

.. _list_policies_end:

| **ktadd** [options] *principal*
| **ktadd** [options] **-glob** *princ-exp*

Adds a *principal*, or all principals matching *princ-exp*, to a
keytab file. Each principal's keys are randomized in the process.
The rules for *princ-exp* are described in the **list_principals**

This command requires the **inquire** and **changepw** privileges.
With the **-glob** form, it also requires the **list** privilege.

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, the default keytab is

**-e** *enc*:*salt*,...
    Uses the specified keysalt list for setting the new keys of the
    principal. See :ref:`Keysalt_lists` in :ref:`kdc.conf(5)` for a
    list of possible values.

Display less verbose information.

Do not randomize the keys. The keys and their version numbers stay
unchanged. This option cannot be specified in combination with the

An entry for each of the principal's unique encryption types is added,
ignoring multiple keys with the same encryption type but different

::

    kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
    Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
    encryption type aes256-cts-hmac-sha1-96 added to keytab
    FILE:/tmp/foo-new-keytab

**ktremove** [options] *principal* [*kvno* | *all* | *old*]

Removes entries for the specified *principal* from a keytab. Requires
no permissions, since this does not require database access.

If the string "all" is specified, all entries for that principal are
removed; if the string "old" is specified, all entries for that
principal except those with the highest kvno are removed. Otherwise,
the value specified is parsed as an integer, and all entries whose
kvno match that integer are removed.

**-k[eytab]** *keytab*
    Use *keytab* as the keytab file. Otherwise, the default keytab is

Display less verbose information.

::

    kadmin: ktremove kadmin/admin all
    Entry for principal kadmin/admin with kvno 3 removed from keytab
    FILE:/etc/krb5.keytab

Lock database exclusively. Use with extreme caution! This command
only works with the DB2 KDC database module.

Release the exclusive database lock.

Lists available kadmin requests.

Aliases: **lr**, **?**

Exit program. If the database was locked, the lock is released.

Aliases: **exit**, **q**

The kadmin program was originally written by Tom Yu at MIT, as an
interface to the OpenVision Kerberos administration program.

See :ref:`kerberos(7)` for a description of Kerberos environment

:ref:`kpasswd(1)`, :ref:`kadmind(8)`, :ref:`kerberos(7)`