1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
|
KADMIN(1) BSD General Commands Manual KADMIN(1)
N�NA�AM�ME�E
k�ka�ad�dm�mi�in�n -- Kerberos administration utility
S�SY�YN�NO�OP�PS�SI�IS�S
k�ka�ad�dm�mi�in�n [-�-p�p _�s_�t_�r_�i_�n_�g | -�--�-p�pr�ri�in�nc�ci�ip�pa�al�l=�=_�s_�t_�r_�i_�n_�g] [-�-K�K _�s_�t_�r_�i_�n_�g | -�--�-k�ke�ey�yt�ta�ab�b=�=_�s_�t_�r_�i_�n_�g]
[-�-c�c _�f_�i_�l_�e | -�--�-c�co�on�nf�fi�ig�g-�-f�fi�il�le�e=�=_�f_�i_�l_�e] [-�-k�k _�f_�i_�l_�e | -�--�-k�ke�ey�y-�-f�fi�il�le�e=�=_�f_�i_�l_�e]
[-�-r�r _�r_�e_�a_�l_�m | -�--�-r�re�ea�al�lm�m=�=_�r_�e_�a_�l_�m] [-�-a�a _�h_�o_�s_�t | -�--�-a�ad�dm�mi�in�n-�-s�se�er�rv�ve�er�r=�=_�h_�o_�s_�t]
[-�-s�s _�p_�o_�r_�t _�n_�u_�m_�b_�e_�r | -�--�-s�se�er�rv�ve�er�r-�-p�po�or�rt�t=�=_�p_�o_�r_�t _�n_�u_�m_�b_�e_�r] [-�-l�l | -�--�-l�lo�oc�ca�al�l]
[-�-h�h | -�--�-h�he�el�lp�p] [-�-v�v | -�--�-v�ve�er�rs�si�io�on�n] [_�c_�o_�m_�m_�a_�n_�d]
D�DE�ES�SC�CR�RI�IP�PT�TI�IO�ON�N
The k�ka�ad�dm�mi�in�n program is used to make modifications to the Kerberos data-
base, either remotely via the kadmind(8) daemon, or locally (with the -�-l�l
option).
Supported options:
-�-p�p _�s_�t_�r_�i_�n_�g, -�--�-p�pr�ri�in�nc�ci�ip�pa�al�l=�=_�s_�t_�r_�i_�n_�g
principal to authenticate as
-�-K�K _�s_�t_�r_�i_�n_�g, -�--�-k�ke�ey�yt�ta�ab�b=�=_�s_�t_�r_�i_�n_�g
keytab for authentication principal
-�-c�c _�f_�i_�l_�e, -�--�-c�co�on�nf�fi�ig�g-�-f�fi�il�le�e=�=_�f_�i_�l_�e
location of config file
-�-k�k _�f_�i_�l_�e, -�--�-k�ke�ey�y-�-f�fi�il�le�e=�=_�f_�i_�l_�e
location of master key file
-�-r�r _�r_�e_�a_�l_�m, -�--�-r�re�ea�al�lm�m=�=_�r_�e_�a_�l_�m
realm to use
-�-a�a _�h_�o_�s_�t, -�--�-a�ad�dm�mi�in�n-�-s�se�er�rv�ve�er�r=�=_�h_�o_�s_�t
server to contact
-�-s�s _�p_�o_�r_�t _�n_�u_�m_�b_�e_�r, -�--�-s�se�er�rv�ve�er�r-�-p�po�or�rt�t=�=_�p_�o_�r_�t _�n_�u_�m_�b_�e_�r
port to use
-�-l�l, -�--�-l�lo�oc�ca�al�l
local admin mode
If no _�c_�o_�m_�m_�a_�n_�d is given on the command line, k�ka�ad�dm�mi�in�n will prompt for com-
mands to process. Some of the commands that take one or more principals
as argument (d�de�el�le�et�te�e, e�ex�xt�t_�_k�ke�ey�yt�ta�ab�b, g�ge�et�t, m�mo�od�di�if�fy�y, and p�pa�as�ss�sw�wd�d) will accept a
glob style wildcard, and perform the operation on all matching princi-
pals.
Commands include:
a�ad�dd�d [-�-r�r | -�--�-r�ra�an�nd�do�om�m-�-k�ke�ey�y] [-�--�-r�ra�an�nd�do�om�m-�-p�pa�as�ss�sw�wo�or�rd�d] [-�-p�p _�s_�t_�r_�i_�n_�g |
-�--�-p�pa�as�ss�sw�wo�or�rd�d=�=_�s_�t_�r_�i_�n_�g] [-�--�-k�ke�ey�y=�=_�s_�t_�r_�i_�n_�g] [-�--�-m�ma�ax�x-�-t�ti�ic�ck�ke�et�t-�-l�li�if�fe�e=�=_�l_�i_�f_�e_�t_�i_�m_�e]
[-�--�-m�ma�ax�x-�-r�re�en�ne�ew�wa�ab�bl�le�e-�-l�li�if�fe�e=�=_�l_�i_�f_�e_�t_�i_�m_�e] [-�--�-a�at�tt�tr�ri�ib�bu�ut�te�es�s=�=_�a_�t_�t_�r_�i_�b_�u_�t_�e_�s]
[-�--�-e�ex�xp�pi�ir�ra�at�ti�io�on�n-�-t�ti�im�me�e=�=_�t_�i_�m_�e] [-�--�-p�pw�w-�-e�ex�xp�pi�ir�ra�at�ti�io�on�n-�-t�ti�im�me�e=�=_�t_�i_�m_�e]
[-�--�-p�po�ol�li�ic�cy�y=�=_�p_�o_�l_�i_�c_�y_�-_�n_�a_�m_�e] _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Adds a new principal to the database. The options not passed on the
command line will be promped for. The only policy supported by
Heimdal servers is 'default'.
a�ad�dd�d_�_e�en�nc�ct�ty�yp�pe�e [-�-r�r | -�--�-r�ra�an�nd�do�om�m-�-k�ke�ey�y] _�p_�r_�i_�n_�c_�i_�p_�a_�l _�e_�n_�c_�t_�y_�p_�e_�s_�._�._�.
Adds a new encryption type to the principal, only random key are
supported.
d�de�el�le�et�te�e _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Removes a principal.
d�de�el�l_�_e�en�nc�ct�ty�yp�pe�e _�p_�r_�i_�n_�c_�i_�p_�a_�l _�e_�n_�c_�t_�y_�p_�e_�s_�._�._�.
Removes some enctypes from a principal; this can be useful if the
service belonging to the principal is known to not handle certain
enctypes.
e�ex�xt�t_�_k�ke�ey�yt�ta�ab�b [-�-k�k _�s_�t_�r_�i_�n_�g | -�--�-k�ke�ey�yt�ta�ab�b=�=_�s_�t_�r_�i_�n_�g] _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Creates a keytab with the keys of the specified principals.
Requires get-keys rights, otherwise the principal's keys are
changed and saved in the keytab.
g�ge�et�t [-�-l�l | -�--�-l�lo�on�ng�g] [-�-s�s | -�--�-s�sh�ho�or�rt�t] [-�-t�t | -�--�-t�te�er�rs�se�e] [-�-o�o _�s_�t_�r_�i_�n_�g |
-�--�-c�co�ol�lu�um�mn�n-�-i�in�nf�fo�o=�=_�s_�t_�r_�i_�n_�g] _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Lists the matching principals, short prints the result as a table,
while long format produces a more verbose output. Which columns to
print can be selected with the -�-o�o option. The argument is a comma
separated list of column names optionally appended with an equal
sign ('=') and a column header. Which columns are printed by
default differ slightly between short and long output.
The default terse output format is similar to -�-s�s -�-o�o _�p_�r_�i_�n_�c_�i_�p_�a_�l_�=,
just printing the names of matched principals.
Possible column names include: principal, princ_expire_time,
pw_expiration, last_pwd_change, max_life, max_rlife, mod_time,
mod_name, attributes, kvno, mkvno, last_success, last_failed,
fail_auth_count, policy, and keytypes.
m�mo�od�di�if�fy�y [-�-a�a _�a_�t_�t_�r_�i_�b_�u_�t_�e_�s | -�--�-a�at�tt�tr�ri�ib�bu�ut�te�es�s=�=_�a_�t_�t_�r_�i_�b_�u_�t_�e_�s]
[-�--�-m�ma�ax�x-�-t�ti�ic�ck�ke�et�t-�-l�li�if�fe�e=�=_�l_�i_�f_�e_�t_�i_�m_�e] [-�--�-m�ma�ax�x-�-r�re�en�ne�ew�wa�ab�bl�le�e-�-l�li�if�fe�e=�=_�l_�i_�f_�e_�t_�i_�m_�e]
[-�--�-e�ex�xp�pi�ir�ra�at�ti�io�on�n-�-t�ti�im�me�e=�=_�t_�i_�m_�e] [-�--�-p�pw�w-�-e�ex�xp�pi�ir�ra�at�ti�io�on�n-�-t�ti�im�me�e=�=_�t_�i_�m_�e] [-�--�-k�kv�vn�no�o=�=_�n_�u_�m_�b_�e_�r]
[-�--�-p�po�ol�li�ic�cy�y=�=_�p_�o_�l_�i_�c_�y_�-_�n_�a_�m_�e] _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Modifies certain attributes of a principal. If run without command
line options, you will be prompted. With command line options, it
will only change the ones specified.
Only policy supported by Heimdal is 'default'.
Possible attributes are: new-princ, support-desmd5,
pwchange-service, disallow-svr, requires-pw-change,
requires-hw-auth, requires-pre-auth, disallow-all-tix,
disallow-dup-skey, disallow-proxiable, disallow-renewable,
disallow-tgt-based, disallow-forwardable, disallow-postdated
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user
p�pa�as�ss�sw�wd�d [-�--�-k�ke�ee�ep�po�ol�ld�d] [-�-r�r | -�--�-r�ra�an�nd�do�om�m-�-k�ke�ey�y] [-�--�-r�ra�an�nd�do�om�m-�-p�pa�as�ss�sw�wo�or�rd�d] [-�-p�p _�s_�t_�r_�i_�n_�g |
-�--�-p�pa�as�ss�sw�wo�or�rd�d=�=_�s_�t_�r_�i_�n_�g] [-�--�-k�ke�ey�y=�=_�s_�t_�r_�i_�n_�g] _�p_�r_�i_�n_�c_�i_�p_�a_�l_�._�._�.
Changes the password of an existing principal.
p�pa�as�ss�sw�wo�or�rd�d-�-q�qu�ua�al�li�it�ty�y _�p_�r_�i_�n_�c_�i_�p_�a_�l _�p_�a_�s_�s_�w_�o_�r_�d
Run the password quality check function locally. You can run this
on the host that is configured to run the kadmind process to verify
that your configuration file is correct. The verification is done
locally, if kadmin is run in remote mode, no rpc call is done to
the server.
p�pr�ri�iv�vi�il�le�eg�ge�es�s
Lists the operations you are allowed to perform. These include add,
add_enctype, change-password, delete, del_enctype, get, get-keys,
list, and modify.
r�re�en�na�am�me�e _�f_�r_�o_�m _�t_�o
Renames a principal. This is normally transparent, but since keys
are salted with the principal name, they will have a non-standard
salt, and clients which are unable to cope with this will fail.
Kerberos 4 suffers from this.
c�ch�he�ec�ck�k [_�r_�e_�a_�l_�m]
Check database for strange configurations on important principals.
If no realm is given, the default realm is used.
When running in local mode, the following commands can also be used:
d�du�um�mp�p [-�-d�d | -�--�-d�de�ec�cr�ry�yp�pt�t] [-�-f�f_�f_�o_�r_�m_�a_�t | -�--�-f�fo�or�rm�ma�at�t=�=_�f_�o_�r_�m_�a_�t] [_�d_�u_�m_�p_�-_�f_�i_�l_�e]
Writes the database in ``machine readable text'' form to the speci-
fied file, or standard out. If the database is encrypted, the dump
will also have encrypted keys, unless -�--�-d�de�ec�cr�ry�yp�pt�t is used. If
-�--�-f�fo�or�rm�ma�at�t=�=M�MI�IT�T is used then the dump will be in MIT format. Other-
wise it will be in Heimdal format.
i�in�ni�it�t [-�--�-r�re�ea�al�lm�m-�-m�ma�ax�x-�-t�ti�ic�ck�ke�et�t-�-l�li�if�fe�e=�=_�s_�t_�r_�i_�n_�g] [-�--�-r�re�ea�al�lm�m-�-m�ma�ax�x-�-r�re�en�ne�ew�wa�ab�bl�le�e-�-l�li�if�fe�e=�=_�s_�t_�r_�i_�n_�g]
_�r_�e_�a_�l_�m
Initializes the Kerberos database with entries for a new realm.
It's possible to have more than one realm served by one server.
l�lo�oa�ad�d _�f_�i_�l_�e
Reads a previously dumped database, and re-creates that database
from scratch.
m�me�er�rg�ge�e _�f_�i_�l_�e
Similar to l�lo�oa�ad�d but just modifies the database with the entries in
the dump file.
s�st�ta�as�sh�h [-�-e�e _�e_�n_�c_�t_�y_�p_�e | -�--�-e�en�nc�ct�ty�yp�pe�e=�=_�e_�n_�c_�t_�y_�p_�e] [-�-k�k _�k_�e_�y_�f_�i_�l_�e | -�--�-k�ke�ey�y-�-f�fi�il�le�e=�=_�k_�e_�y_�f_�i_�l_�e]
[-�--�-c�co�on�nv�ve�er�rt�t-�-f�fi�il�le�e] [-�--�-m�ma�as�st�te�er�r-�-k�ke�ey�y-�-f�fd�d=�=_�f_�d]
Writes the Kerberos master key to a file used by the KDC.
S�SE�EE�E A�AL�LS�SO�O
kadmind(8), kdc(8)
HEIMDAL Feb 22, 2007 HEIMDAL
|
