3 .TH "KADMIN" "1" " " "1.20.1" "MIT Kerberos"
5 kadmin \- Kerberos V5 database administration program
37 [\fB\-r\fP \fIrealm\fP]
38 [\fB\-p\fP \fIprincipal\fP]
39 [\fB\-q\fP \fIquery\fP]
40 [[\fB\-c\fP \fIcache_name\fP]|[\fB\-k\fP [\fB\-t\fP \fIkeytab\fP]]|\fB\-n\fP]
41 [\fB\-w\fP \fIpassword\fP]
42 [\fB\-s\fP \fIadmin_server\fP[:\fIport\fP]]
46 [\fB\-r\fP \fIrealm\fP]
47 [\fB\-p\fP \fIprincipal\fP]
48 [\fB\-q\fP \fIquery\fP]
49 [\fB\-d\fP \fIdbname\fP]
50 [\fB\-e\fP \fIenc\fP:\fIsalt\fP ...]
52 [\fB\-x\fP \fIdb_args\fP]
56 kadmin and kadmin.local are command\-line interfaces to the Kerberos V5
57 administration system. They provide nearly identical functionalities;
58 the difference is that kadmin.local directly accesses the KDC
59 database, while kadmin performs operations using kadmind(8)\&.
60 Except as explicitly noted otherwise, this man page will use "kadmin"
61 to refer to both versions. kadmin provides for the maintenance of
62 Kerberos principals, password policies, and service key tables
65 The remote kadmin client uses Kerberos to authenticate to kadmind
66 using the service principal \fBkadmin/admin\fP or \fBkadmin/ADMINHOST\fP
67 (where \fIADMINHOST\fP is the fully\-qualified hostname of the admin
68 server). If the credentials cache contains a ticket for one of these
69 principals, and the \fB\-c\fP credentials_cache option is specified, that
70 ticket is used to authenticate to kadmind. Otherwise, the \fB\-p\fP and
71 \fB\-k\fP options are used to specify the client Kerberos principal name
72 used to authenticate. Once kadmin has determined the principal name,
73 it requests a service ticket from the KDC, and uses that service
74 ticket to authenticate to kadmind.
76 Since kadmin.local directly accesses the KDC database, it usually must
77 be run directly on the primary KDC with sufficient permissions to read
78 the KDC database. If the KDC database uses the LDAP database module,
79 kadmin.local can be run on any host which can access the LDAP server.
84 Use \fIrealm\fP as the default database realm.
86 \fB\-p\fP \fIprincipal\fP
87 Use \fIprincipal\fP to authenticate. Otherwise, kadmin will append
88 \fB/admin\fP to the primary principal name of the default ccache,
89 the value of the \fBUSER\fP environment variable, or the username as
90 obtained with getpwuid, in order of preference.
93 Use a keytab to decrypt the KDC response instead of prompting for
94 a password. In this case, the default principal will be
95 \fBhost/hostname\fP\&. If there is no keytab specified with the
96 \fB\-t\fP option, then the default keytab will be used.
98 \fB\-t\fP \fIkeytab\fP
99 Use \fIkeytab\fP to decrypt the KDC response. This can only be used
100 with the \fB\-k\fP option.
103 Requests anonymous processing. Two types of anonymous principals
104 are supported. For fully anonymous Kerberos, configure PKINIT on
105 the KDC and configure \fBpkinit_anchors\fP in the client\(aqs
106 krb5.conf(5)\&. Then use the \fB\-n\fP option with a principal
107 of the form \fB@REALM\fP (an empty principal name followed by the
108 at\-sign and a realm name). If permitted by the KDC, an anonymous
109 ticket will be returned. A second form of anonymous tickets is
110 supported; these realm\-exposed tickets hide the identity of the
111 client but not the client\(aqs realm. For this mode, use \fBkinit
112 \-n\fP with a normal principal name. If supported by the KDC, the
113 principal (but not realm) will be replaced by the anonymous
114 principal. As of release 1.8, the MIT Kerberos KDC only supports
115 fully anonymous operation.
117 \fB\-c\fP \fIcredentials_cache\fP
118 Use \fIcredentials_cache\fP as the credentials cache. The cache
119 should contain a service ticket for the \fBkadmin/admin\fP or
120 \fBkadmin/ADMINHOST\fP (where \fIADMINHOST\fP is the fully\-qualified
121 hostname of the admin server) service; it can be acquired with the
122 kinit(1) program. If this option is not specified, kadmin
123 requests a new service ticket from the KDC, and stores it in its
124 own temporary ccache.
126 \fB\-w\fP \fIpassword\fP
127 Use \fIpassword\fP instead of prompting for one. Use this option with
128 care, as it may expose the password to other users on the system
129 via the process list.
131 \fB\-q\fP \fIquery\fP
132 Perform the specified query and then exit.
134 \fB\-d\fP \fIdbname\fP
135 Specifies the name of the KDC database. This option does not
136 apply to the LDAP database module.
138 \fB\-s\fP \fIadmin_server\fP[:\fIport\fP]
139 Specifies the admin server which kadmin should contact.
142 If using kadmin.local, prompt for the database master password
143 instead of reading it from a stash file.
145 \fB\-e\fP "\fIenc\fP:\fIsalt\fP ..."
146 Sets the keysalt list to be used for any new keys created. See
147 Keysalt_lists in kdc.conf(5) for a list of possible
151 Force use of old AUTH_GSSAPI authentication flavor.
154 Prevent fallback to AUTH_GSSAPI authentication flavor.
156 \fB\-x\fP \fIdb_args\fP
157 Specifies the database specific arguments. See the next section
158 for supported options.
161 Starting with release 1.14, if any command\-line arguments remain after
162 the options, they will be treated as a single query to be executed.
163 This mode of operation is intended for scripts and behaves differently
164 from the interactive mode in several respects:
167 Query arguments are split by the shell, not by kadmin.
169 Informational and warning messages are suppressed. Error messages
170 and query output (e.g. for \fBget_principal\fP) will still be
173 Confirmation prompts are disabled (as if \fB\-force\fP was given).
174 Password prompts will still be issued as required.
176 The exit status will be non\-zero if the query fails.
179 The \fB\-q\fP option does not carry these behavior differences; the query
180 will be processed as if it was entered interactively. The \fB\-q\fP
181 option cannot be used in combination with a query in the remaining
185 Database options can be used to override database\-specific defaults.
186 Supported options for the DB2 module are:
191 \fB\-x dbname=\fP\fIfilename\fP
192 Specifies the base filename of the DB2 database.
195 Make iteration operations hold the lock for the duration of
196 the entire operation, rather than temporarily releasing the
197 lock while handling each principal. This is the default
198 behavior, but this option exists to allow command line
199 override of a [dbmodules] setting. First introduced in
203 Make iteration operations unlock the database for each
204 principal, instead of holding the lock for the duration of the
205 entire operation. First introduced in release 1.13.
210 Supported options for the LDAP module are:
215 \fB\-x host=\fP\fIldapuri\fP
216 Specifies the LDAP server to connect to by an LDAP URI.
218 \fB\-x binddn=\fP\fIbind_dn\fP
219 Specifies the DN used to bind to the LDAP server.
221 \fB\-x bindpwd=\fP\fIpassword\fP
222 Specifies the password or SASL secret used to bind to the LDAP
223 server. Using this option may expose the password to other
224 users on the system via the process list; to avoid this,
225 instead stash the password using the \fBstashsrvpw\fP command of
228 \fB\-x sasl_mech=\fP\fImechanism\fP
229 Specifies the SASL mechanism used to bind to the LDAP server.
230 The bind DN is ignored if a SASL mechanism is used. New in
233 \fB\-x sasl_authcid=\fP\fIname\fP
234 Specifies the authentication name used when binding to the
235 LDAP server with a SASL mechanism, if the mechanism requires
236 one. New in release 1.13.
238 \fB\-x sasl_authzid=\fP\fIname\fP
239 Specifies the authorization name used when binding to the LDAP
240 server with a SASL mechanism. New in release 1.13.
242 \fB\-x sasl_realm=\fP\fIrealm\fP
243 Specifies the realm used when binding to the LDAP server with
244 a SASL mechanism, if the mechanism uses one. New in release
247 \fB\-x debug=\fP\fIlevel\fP
248 Sets the OpenLDAP client library debug level. \fIlevel\fP is an
249 integer to be interpreted by the library. Debugging messages
250 are printed to standard error. New in release 1.12.
256 When using the remote client, available commands may be restricted
257 according to the privileges specified in the kadm5.acl(5) file
262 \fBadd_principal\fP [\fIoptions\fP] \fInewprinc\fP
266 Creates the principal \fInewprinc\fP, prompting twice for a password. If
267 no password policy is specified with the \fB\-policy\fP option, the
268 policy named \fBdefault\fP is assigned to the principal if it exists.
269 However, creating a policy named \fBdefault\fP will not automatically
270 assign this policy to previously existing principals. This policy
271 assignment can be suppressed with the \fB\-clearpolicy\fP option.
273 This command requires the \fBadd\fP privilege.
275 Aliases: \fBaddprinc\fP, \fBank\fP
280 \fB\-expire\fP \fIexpdate\fP
281 (getdate string) The expiration date of the principal.
283 \fB\-pwexpire\fP \fIpwexpdate\fP
284 (getdate string) The password expiration date.
286 \fB\-maxlife\fP \fImaxlife\fP
287 (duration or getdate string) The maximum ticket life
290 \fB\-maxrenewlife\fP \fImaxrenewlife\fP
291 (duration or getdate string) The maximum renewable
292 life of tickets for the principal.
294 \fB\-kvno\fP \fIkvno\fP
295 The initial key version number.
297 \fB\-policy\fP \fIpolicy\fP
298 The password policy used by this principal. If not specified, the
299 policy \fBdefault\fP is used if it exists (unless \fB\-clearpolicy\fP
303 Prevents any policy from being assigned when \fB\-policy\fP is not
306 {\-|+}\fBallow_postdated\fP
307 \fB\-allow_postdated\fP prohibits this principal from obtaining
308 postdated tickets. \fB+allow_postdated\fP clears this flag.
310 {\-|+}\fBallow_forwardable\fP
311 \fB\-allow_forwardable\fP prohibits this principal from obtaining
312 forwardable tickets. \fB+allow_forwardable\fP clears this flag.
314 {\-|+}\fBallow_renewable\fP
315 \fB\-allow_renewable\fP prohibits this principal from obtaining
316 renewable tickets. \fB+allow_renewable\fP clears this flag.
318 {\-|+}\fBallow_proxiable\fP
319 \fB\-allow_proxiable\fP prohibits this principal from obtaining
320 proxiable tickets. \fB+allow_proxiable\fP clears this flag.
322 {\-|+}\fBallow_dup_skey\fP
323 \fB\-allow_dup_skey\fP disables user\-to\-user authentication for this
324 principal by prohibiting others from obtaining a service ticket
325 encrypted in this principal\(aqs TGT session key.
326 \fB+allow_dup_skey\fP clears this flag.
328 {\-|+}\fBrequires_preauth\fP
329 \fB+requires_preauth\fP requires this principal to preauthenticate
330 before being allowed to kinit. \fB\-requires_preauth\fP clears this
331 flag. When \fB+requires_preauth\fP is set on a service principal,
332 the KDC will only issue service tickets for that service principal
333 if the client\(aqs initial authentication was performed using
336 {\-|+}\fBrequires_hwauth\fP
337 \fB+requires_hwauth\fP requires this principal to preauthenticate
338 using a hardware device before being allowed to kinit.
339 \fB\-requires_hwauth\fP clears this flag. When \fB+requires_hwauth\fP is
340 set on a service principal, the KDC will only issue service tickets
341 for that service principal if the client\(aqs initial authentication was
342 performed using a hardware device to preauthenticate.
344 {\-|+}\fBok_as_delegate\fP
345 \fB+ok_as_delegate\fP sets the \fBokay as delegate\fP flag on tickets
346 issued with this principal as the service. Clients may use this
347 flag as a hint that credentials should be delegated when
348 authenticating to the service. \fB\-ok_as_delegate\fP clears this
351 {\-|+}\fBallow_svr\fP
352 \fB\-allow_svr\fP prohibits the issuance of service tickets for this
353 principal. In release 1.17 and later, user\-to\-user service
354 tickets are still allowed unless the \fB\-allow_dup_skey\fP flag is
355 also set. \fB+allow_svr\fP clears this flag.
357 {\-|+}\fBallow_tgs_req\fP
358 \fB\-allow_tgs_req\fP specifies that a Ticket\-Granting Service (TGS)
359 request for a service ticket for this principal is not permitted.
360 \fB+allow_tgs_req\fP clears this flag.
362 {\-|+}\fBallow_tix\fP
363 \fB\-allow_tix\fP forbids the issuance of any tickets for this
364 principal. \fB+allow_tix\fP clears this flag.
366 {\-|+}\fBneedchange\fP
367 \fB+needchange\fP forces a password change on the next initial
368 authentication to this principal. \fB\-needchange\fP clears this
371 {\-|+}\fBpassword_changing_service\fP
372 \fB+password_changing_service\fP marks this principal as a password
373 change service principal.
375 {\-|+}\fBok_to_auth_as_delegate\fP
376 \fB+ok_to_auth_as_delegate\fP allows this principal to acquire
377 forwardable tickets to itself from arbitrary users, for use with
378 constrained delegation.
380 {\-|+}\fBno_auth_data_required\fP
381 \fB+no_auth_data_required\fP prevents PAC or AD\-SIGNEDPATH data from
382 being added to service tickets for the principal.
384 {\-|+}\fBlockdown_keys\fP
385 \fB+lockdown_keys\fP prevents keys for this principal from leaving
386 the KDC via kadmind. The chpass and extract operations are denied
387 for a principal with this attribute. The chrand operation is
388 allowed, but will not return the new keys. The delete and rename
389 operations are also denied if this attribute is set, in order to
390 prevent a malicious administrator from replacing principals like
391 krbtgt/* or kadmin/* with new principals without the attribute.
392 This attribute can be set via the network protocol, but can only
393 be removed using kadmin.local.
396 Sets the key of the principal to a random value.
399 Causes the principal to be created with no key. New in release
402 \fB\-pw\fP \fIpassword\fP
403 Sets the password of the principal to the specified string and
404 does not prompt for a password. Note: using this option in a
405 shell script may expose the password to other users on the system
406 via the process list.
408 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
409 Uses the specified keysalt list for setting the keys of the
410 principal. See Keysalt_lists in kdc.conf(5) for a
411 list of possible values.
413 \fB\-x\fP \fIdb_princ_args\fP
414 Indicates database\-specific options. The options for the LDAP
418 \fB\-x dn=\fP\fIdn\fP
419 Specifies the LDAP object that will contain the Kerberos
420 principal being created.
422 \fB\-x linkdn=\fP\fIdn\fP
423 Specifies the LDAP object to which the newly created Kerberos
424 principal object will point.
426 \fB\-x containerdn=\fP\fIcontainer_dn\fP
427 Specifies the container object under which the Kerberos
428 principal is to be created.
430 \fB\-x tktpolicy=\fP\fIpolicy\fP
431 Associates a ticket policy to the Kerberos principal.
439 The \fBcontainerdn\fP and \fBlinkdn\fP options cannot be
440 specified with the \fBdn\fP option.
442 If the \fIdn\fP or \fIcontainerdn\fP options are not specified while
443 adding the principal, the principals are created under the
444 principal container configured in the realm or the realm
447 \fIdn\fP and \fIcontainerdn\fP should be within the subtrees or
448 principal container configured in the realm.
460 kadmin: addprinc jennifer
461 No policy specified for "jennifer@ATHENA.MIT.EDU";
462 defaulting to no policy.
463 Enter password for principal jennifer@ATHENA.MIT.EDU:
464 Re\-enter password for principal jennifer@ATHENA.MIT.EDU:
465 Principal "jennifer@ATHENA.MIT.EDU" created.
474 \fBmodify_principal\fP [\fIoptions\fP] \fIprincipal\fP
478 Modifies the specified principal, changing the fields as specified.
479 The options to \fBadd_principal\fP also apply to this command, except
480 for the \fB\-randkey\fP, \fB\-pw\fP, and \fB\-e\fP options. In addition, the
481 option \fB\-clearpolicy\fP will clear the current policy of a principal.
483 This command requires the \fBmodify\fP privilege.
485 Alias: \fBmodprinc\fP
487 Options (in addition to the \fBaddprinc\fP options):
491 Unlocks a locked principal (one which has received too many failed
492 authentication attempts without enough time between them according
493 to its password policy) so that it can successfully authenticate.
498 \fBrename_principal\fP [\fB\-force\fP] \fIold_principal\fP \fInew_principal\fP
502 Renames the specified \fIold_principal\fP to \fInew_principal\fP\&. This
503 command prompts for confirmation, unless the \fB\-force\fP option is
506 This command requires the \fBadd\fP and \fBdelete\fP privileges.
508 Alias: \fBrenprinc\fP
512 \fBdelete_principal\fP [\fB\-force\fP] \fIprincipal\fP
516 Deletes the specified \fIprincipal\fP from the database. This command
517 prompts for confirmation before deletion, unless the \fB\-force\fP option is given.
519 This command requires the \fBdelete\fP privilege.
521 Alias: \fBdelprinc\fP
525 \fBchange_password\fP [\fIoptions\fP] \fIprincipal\fP
529 Changes the password of \fIprincipal\fP\&. Prompts for a new password if
530 neither \fB\-randkey\fP nor \fB\-pw\fP is specified.
532 This command requires the \fBchangepw\fP privilege, or that the
533 principal running the program is the same as the principal being
538 The following options are available:
542 Sets the key of the principal to a random value.
544 \fB\-pw\fP \fIpassword\fP
545 Set the password to the specified string. Using this option in a
546 script may expose the password to other users on the system via
549 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
550 Uses the specified keysalt list for setting the keys of the
551 principal. See Keysalt_lists in kdc.conf(5) for a
552 list of possible values.
555 Keeps the existing keys in the database. This flag is usually not
556 necessary except perhaps for \fBkrbtgt\fP principals.
566 Enter password for principal systest@BLEEP.COM:
567 Re\-enter password for principal systest@BLEEP.COM:
568 Password for systest@BLEEP.COM changed.
577 \fBpurgekeys\fP [\fB\-all\fP|\fB\-keepkvno\fP \fIoldest_kvno_to_keep\fP] \fIprincipal\fP
581 Purges previously retained old keys (e.g., from \fBchange_password
582 \-keepold\fP) from \fIprincipal\fP\&. If \fB\-keepkvno\fP is specified, then
583 only purges keys with kvnos lower than \fIoldest_kvno_to_keep\fP\&. If
584 \fB\-all\fP is specified, then all keys are purged. The \fB\-all\fP option
585 is new in release 1.12.
587 This command requires the \fBmodify\fP privilege.
591 \fBget_principal\fP [\fB\-terse\fP] \fIprincipal\fP
595 Gets the attributes of \fIprincipal\fP\&. With the \fB\-terse\fP option, outputs
596 fields as quoted tab\-separated strings.
598 This command requires the \fBinquire\fP privilege, or that the principal
599 running the program be the same as the one being listed.
601 Alias: \fBgetprinc\fP
609 kadmin: getprinc tlyu/admin
610 Principal: tlyu/admin@BLEEP.COM
611 Expiration date: [never]
612 Last password change: Mon Aug 12 14:16:47 EDT 1996
613 Password expiration date: [never]
614 Maximum ticket life: 0 days 10:00:00
615 Maximum renewable life: 7 days 00:00:00
616 Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
617 Last successful authentication: [never]
618 Last failed authentication: [never]
619 Failed password attempts: 0
621 Key: vno 1, aes256\-cts\-hmac\-sha384\-192
626 kadmin: getprinc \-terse systest
627 systest@BLEEP.COM 3 86400 604800 1
628 785926535 753241234 785900000
629 tlyu/admin@BLEEP.COM 786100034 0 0
638 \fBlist_principals\fP [\fIexpression\fP]
642 Retrieves all or some principal names. \fIexpression\fP is a shell\-style
643 glob expression that can contain the wild\-card characters \fB?\fP,
644 \fB*\fP, and \fB[]\fP\&. All principal names matching the expression are
645 printed. If no expression is provided, all principal names are
646 printed. If the expression does not contain an \fB@\fP character, an
647 \fB@\fP character followed by the local realm is appended to the
650 This command requires the \fBlist\fP privilege.
652 Alias: \fBlistprincs\fP, \fBget_principals\fP, \fBgetprincs\fP
660 kadmin: listprincs test*
661 test3@SECURE\-TEST.OV.COM
662 test2@SECURE\-TEST.OV.COM
663 test1@SECURE\-TEST.OV.COM
664 testuser@SECURE\-TEST.OV.COM
673 \fBget_strings\fP \fIprincipal\fP
677 Displays string attributes on \fIprincipal\fP\&.
679 This command requires the \fBinquire\fP privilege.
685 \fBset_string\fP \fIprincipal\fP \fIname\fP \fIvalue\fP
689 Sets a string attribute on \fIprincipal\fP\&. String attributes are used to
690 supply per\-principal configuration to the KDC and some KDC plugin
691 modules. The following string attribute names are recognized by the
696 Specifies an authentication indicator which is required to
697 authenticate to the principal as a service. Multiple indicators
698 can be specified, separated by spaces; in this case any of the
699 specified indicators will be accepted. (New in release 1.14.)
701 \fBsession_enctypes\fP
702 Specifies the encryption types supported for session keys when the
703 principal is authenticated to as a server. See
704 Encryption_types in kdc.conf(5) for a list of the
708 Enables One Time Passwords (OTP) preauthentication for a client
709 \fIprincipal\fP\&. The \fIvalue\fP is a JSON string representing an array
710 of objects, each having optional \fBtype\fP and \fBusername\fP fields.
712 \fBpkinit_cert_match\fP
713 Specifies a matching expression that defines the certificate
714 attributes required for the client certificate used by the
715 principal during PKINIT authentication. The matching expression
716 is in the same format as those used by the \fBpkinit_cert_match\fP
717 option in krb5.conf(5)\&. (New in release 1.16.)
720 This command requires the \fBmodify\fP privilege.
730 set_string host/foo.mit.edu session_enctypes aes128\-cts
731 set_string user@FOO.COM otp "[{""type"":""hotp"",""username"":""al""}]"
739 \fBdel_string\fP \fIprincipal\fP \fIkey\fP
743 Deletes a string attribute from \fIprincipal\fP\&.
745 This command requires the \fBdelete\fP privilege.
751 \fBadd_policy\fP [\fIoptions\fP] \fIpolicy\fP
755 Adds a password policy named \fIpolicy\fP to the database.
757 This command requires the \fBadd\fP privilege.
761 The following options are available:
764 \fB\-maxlife\fP \fItime\fP
765 (duration or getdate string) Sets the maximum
766 lifetime of a password.
768 \fB\-minlife\fP \fItime\fP
769 (duration or getdate string) Sets the minimum
770 lifetime of a password.
772 \fB\-minlength\fP \fIlength\fP
773 Sets the minimum length of a password.
775 \fB\-minclasses\fP \fInumber\fP
776 Sets the minimum number of character classes required in a
777 password. The five character classes are lower case, upper case,
778 numbers, punctuation, and whitespace/unprintable characters.
780 \fB\-history\fP \fInumber\fP
781 Sets the number of past keys kept for a principal. This option is
782 not supported with the LDAP KDC database module.
786 \fB\-maxfailure\fP \fImaxnumber\fP
787 Sets the number of authentication failures before the principal is
788 locked. Authentication failures are only tracked for principals
789 which require preauthentication. The counter of failed attempts
790 resets to 0 after a successful attempt to authenticate. A
791 \fImaxnumber\fP value of 0 (the default) disables lockout.
795 \fB\-failurecountinterval\fP \fIfailuretime\fP
796 (duration or getdate string) Sets the allowable time
797 between authentication failures. If an authentication failure
798 happens after \fIfailuretime\fP has elapsed since the previous
799 failure, the number of authentication failures is reset to 1. A
800 \fIfailuretime\fP value of 0 (the default) means forever.
804 \fB\-lockoutduration\fP \fIlockouttime\fP
805 (duration or getdate string) Sets the duration for
806 which the principal is locked from authenticating if too many
807 authentication failures occur without the specified failure count
808 interval elapsing. A duration of 0 (the default) means the
809 principal remains locked out until it is administratively unlocked
810 with \fBmodprinc \-unlock\fP\&.
812 \fB\-allowedkeysalts\fP \fIkeysalts\fP
813 Specifies the key/salt tuples supported for long\-term keys when
814 setting or changing a principal\(aqs password/keys. See
815 Keysalt_lists in kdc.conf(5) for a list of the
816 accepted values, but note that key/salt tuples must be separated
817 with commas (\(aq,\(aq) only. To clear the allowed key/salt policy use
818 a value of \(aq\-\(aq.
827 kadmin: add_policy \-maxlife "2 days" \-minlength 5 guests
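The interaction of \-maxfailure, \-failurecountinterval and \-lockoutduration is easy to misjudge when writing a policy, so the following added example (not code from the kadmin man page or from MIT Kerberos) models those rules exactly as the text above describes them, so an administrator can test a proposed policy against a sequence of attempts before applying it. Two details the page does not spell out are marked as assumptions in the comments: the lockout window is measured from the failure that triggered it, and attempts made while locked do not touch the counter.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    """The three add_policy lockout options; all default to 0 as on the page."""
    maxfailure: int = 0            # failures before lockout; 0 disables lockout
    failurecountinterval: int = 0  # seconds between failures; 0 means "forever"
    lockoutduration: int = 0       # seconds locked; 0 means until modprinc -unlock


@dataclass
class PrincipalState:
    fail_auth_count: int = 0
    last_failed: Optional[int] = None  # time of the most recent counted failure
    requires_preauth: bool = True      # failures are only tracked with preauth


def is_locked(pol: LockoutPolicy, st: PrincipalState, now: int) -> bool:
    """Would the KDC refuse initial authentication for this principal at `now`?"""
    if pol.maxfailure == 0 or st.fail_auth_count < pol.maxfailure:
        return False
    if pol.lockoutduration == 0:
        return True  # stays locked until administratively unlocked
    # Assumption: the lockout window is measured from the failure that
    # triggered it (the last counted failure).
    return st.last_failed is not None and now < st.last_failed + pol.lockoutduration


def attempt(pol: LockoutPolicy, st: PrincipalState, now: int, password_ok: bool) -> bool:
    """Apply one initial-authentication attempt at time `now` and return True
    if the KDC would accept it. `st` is updated in place."""
    if is_locked(pol, st, now):
        # Assumption: attempts made while locked are rejected outright and do
        # not move the counter or extend the lockout.
        return False
    if password_ok:
        st.fail_auth_count = 0  # a successful attempt resets the counter to 0
        return True
    if st.requires_preauth:
        if (pol.failurecountinterval and st.last_failed is not None
                and now - st.last_failed > pol.failurecountinterval):
            st.fail_auth_count = 1  # interval elapsed since last failure: restart at 1
        else:
            st.fail_auth_count += 1
        st.last_failed = now
    return False


def unlock(st: PrincipalState) -> PrincipalState:
    """What `modprinc -unlock` does to the principal's failure state."""
    st.fail_auth_count = 0
    st.last_failed = None
    return st
```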
836 \fBmodify_policy\fP [\fIoptions\fP] \fIpolicy\fP
840 Modifies the password policy named \fIpolicy\fP\&. Options are as described
841 for \fBadd_policy\fP\&.
843 This command requires the \fBmodify\fP privilege.
849 \fBdelete_policy\fP [\fB\-force\fP] \fIpolicy\fP
853 Deletes the password policy named \fIpolicy\fP\&. Prompts for confirmation
854 before deletion. The command will fail if the policy is in use by any
857 This command requires the \fBdelete\fP privilege.
867 kadmin: del_policy guests
868 Are you sure you want to delete the policy "guests"?
878 \fBget_policy\fP [ \fB\-terse\fP ] \fIpolicy\fP
882 Displays the values of the password policy named \fIpolicy\fP\&. With the
883 \fB\-terse\fP flag, outputs the fields as quoted strings separated by
886 This command requires the \fBinquire\fP privilege.
896 kadmin: get_policy admin
898 Maximum password life: 180 days 00:00:00
899 Minimum password life: 00:00:00
900 Minimum password length: 6
901 Minimum number of password character classes: 2
902 Number of old keys kept: 5
905 kadmin: get_policy \-terse admin
906 admin 15552000 0 6 2 5 17
913 The "Reference count" is the number of principals using that policy.
914 With the LDAP KDC database module, the reference count field is not
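As an added example (not code from the kadmin man page or from MIT Kerberos), the following parses a \fBget_policy \-terse\fP line as shown above and pre-checks a candidate password against the \-minlength and \-minclasses rules from add_policy, using the five character classes defined there. The field order for the terse line is an assumption inferred from the example (15552000 s is 180 days, then minimum life 0, length 6, 2 classes, 5 old keys, reference count 17); later releases append more fields, which the parser ignores.

```python
import string
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    name: str
    maxlife: int      # maximum password life, seconds
    minlife: int      # minimum password life, seconds
    minlength: int
    minclasses: int
    history: int      # number of old keys kept
    refcount: int     # principals using the policy


def parse_terse_policy(line: str) -> PasswordPolicy:
    """Parse the first seven fields of `get_policy -terse` output.
    Assumption: field order as inferred from the example on this page."""
    fields = line.split()
    if len(fields) < 7:
        raise ValueError(f"expected at least 7 fields, got {len(fields)}: {line!r}")
    name, *nums = fields[:7]
    return PasswordPolicy(name, *(int(n) for n in nums))


def format_duration(seconds: int) -> str:
    """Render seconds the way the long-form get_policy output above does:
    '180 days 00:00:00' for 15552000, plain '00:00:00' for 0."""
    days, rem = divmod(seconds, 86400)
    h, rem = divmod(rem, 3600)
    m, s = divmod(rem, 60)
    hms = f"{h:02d}:{m:02d}:{s:02d}"
    return f"{days} days {hms}" if days else hms


def character_classes(password: str) -> int:
    """Count the five classes -minclasses distinguishes: lower case, upper
    case, digits, punctuation, and whitespace/unprintable (everything else)."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def check_password(pol: PasswordPolicy, password: str) -> List[str]:
    """Return the reasons `password` would be rejected under `pol`.
    Only the length and class rules are checked here; the history rule
    needs the principal's old keys, which live in the KDC database."""
    problems = []
    if len(password) < pol.minlength:
        problems.append(f"shorter than {pol.minlength} characters")
    if character_classes(password) < pol.minclasses:
        problems.append(f"fewer than {pol.minclasses} character classes")
    return problems
```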
919 \fBlist_policies\fP [\fIexpression\fP]
923 Retrieves all or some policy names. \fIexpression\fP is a shell\-style
924 glob expression that can contain the wild\-card characters \fB?\fP,
925 \fB*\fP, and \fB[]\fP\&. All policy names matching the expression are
926 printed. If no expression is provided, all existing policy names are
929 This command requires the \fBlist\fP privilege.
931 Aliases: \fBlistpols\fP, \fBget_policies\fP, \fBgetpols\fP\&.
957 \fBktadd\fP [options] \fIprincipal\fP
958 \fBktadd\fP [options] \fB\-glob\fP \fIprinc\-exp\fP
964 Adds a \fIprincipal\fP, or all principals matching \fIprinc\-exp\fP, to a
965 keytab file. Each principal\(aqs keys are randomized in the process.
966 The rules for \fIprinc\-exp\fP are described in the \fBlist_principals\fP
969 This command requires the \fBinquire\fP and \fBchangepw\fP privileges.
970 With the \fB\-glob\fP form, it also requires the \fBlist\fP privilege.
975 \fB\-k[eytab]\fP \fIkeytab\fP
976 Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
979 \fB\-e\fP \fIenc\fP:\fIsalt\fP,...
980 Uses the specified keysalt list for setting the new keys of the
981 principal. See Keysalt_lists in kdc.conf(5) for a
982 list of possible values.
985 Display less verbose information.
988 Do not randomize the keys. The keys and their version numbers stay
989 unchanged. This option cannot be specified in combination with the
993 An entry for each of the principal\(aqs unique encryption types is added,
994 ignoring multiple keys with the same encryption type but different
1005 kadmin: ktadd \-k /tmp/foo\-new\-keytab host/foo.mit.edu
1006 Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
1007 encryption type aes256\-cts\-hmac\-sha1\-96 added to keytab
1008 FILE:/tmp/foo\-new\-keytab
1017 \fBktremove\fP [options] \fIprincipal\fP [\fIkvno\fP | \fIall\fP | \fIold\fP]
1021 Removes entries for the specified \fIprincipal\fP from a keytab. Requires
1022 no permissions, since this does not require database access.
1024 If the string "all" is specified, all entries for that principal are
1025 removed; if the string "old" is specified, all entries for that
1026 principal except those with the highest kvno are removed. Otherwise,
1027 the value specified is parsed as an integer, and all entries whose
1028 kvno match that integer are removed.
1033 \fB\-k[eytab]\fP \fIkeytab\fP
1034 Use \fIkeytab\fP as the keytab file. Otherwise, the default keytab is
1038 Display less verbose information.
1049 kadmin: ktremove kadmin/admin all
1050 Entry for principal kadmin/admin with kvno 3 removed from keytab
1051 FILE:/etc/krb5.keytab
1059 Lock database exclusively. Use with extreme caution! This command
1060 only works with the DB2 KDC database module.
1063 Release the exclusive database lock.
1066 Lists available for kadmin requests.
1068 Aliases: \fBlr\fP, \fB?\fP
1071 Exit program. If the database was locked, the lock is released.
1073 Aliases: \fBexit\fP, \fBq\fP
1076 The kadmin program was originally written by Tom Yu at MIT, as an
1077 interface to the OpenVision Kerberos administration program.
1080 See kerberos(7) for a description of Kerberos environment
1084 kpasswd(1), kadmind(8), kerberos(7)