1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
|
<html lang="en">
<head>
<title>Kerberos V5 System Administrator's Guide</title>
<meta http-equiv="Content-Type" content="text/html">
<meta name="description" content="Kerberos V5 System Administrator's Guide">
<meta name="generator" content="makeinfo 4.5">
<link href="http://www.gnu.org/software/texinfo/" rel="generator-home">
</head>
<body>
<div class="node">
<p>
Node:<a name="Kadmin%20Options">Kadmin Options</a>,
Next:<a rel="next" accesskey="n" href="Date-Format.html#Date%20Format">Date Format</a>,
Previous:<a rel="previous" accesskey="p" href="Administrating-the-Kerberos-Database.html#Administrating%20the%20Kerberos%20Database">Administrating the Kerberos Database</a>,
Up:<a rel="up" accesskey="u" href="Administrating-the-Kerberos-Database.html#Administrating%20the%20Kerberos%20Database">Administrating the Kerberos Database</a>
<hr><br>
</div>
<h3 class="section">Kadmin Options</h3>
<p>You can invoke <code>kadmin</code> or <code>kadmin.local</code> with any of the
following options:
<dl>
<dt><b>-r </b><i>REALM</i><b></b>
<dd>Use <i>REALM</i> as the default Kerberos realm for the database.
<br><dt><b>-p </b><i>principal</i><b></b>
<dd>Use the Kerberos principal <i>principal</i> to authenticate to Kerberos.
If this option is not given, <code>kadmin</code> will append <code>admin</code> to
either the primary principal name, the environment variable USER, or to
the username obtained from <code>getpwuid</code>, in order of preference.
<br><dt><b>-q </b><i>query</i><b></b>
<dd>Pass <i>query</i> directly to <code>kadmin</code>. This is useful for writing
scripts that pass specific queries to <code>kadmin</code>.
<p>You can invoke <code>kadmin</code> with any of the following options:
<br><dt><b>-k [-t </b><i>keytab</i><b>]</b>
<dd>Use the keytab <i>keytab</i> to decrypt the KDC response instead of
prompting for a password on the TTY. In this case, the principal will
be <code>host/</code><i>hostname</i><code></code>. If <b>-t</b> is not used to specify a keytab,
then the default keytab will be used.
<br><dt><b>-c </b><i>credentials cache</i><b></b>
<dd>Use <i>credentials_cache</i> as the credentials cache. The credentials
cache should contain a service ticket for the <code>kadmin/admin</code>
service, which can be acquired with the <code>kinit</code> program. If this
option is not specified, <code>kadmin</code> requests a new service ticket
from the KDC, and stores it in its own temporary ccache.
<br><dt><b>-w </b><i>password</i><b></b>
<dd>Use <i>password</i> as the password instead of prompting for one on the
TTY. Note: placing the password for a Kerberos principal with
administration access into a shell script can be dangerous if
unauthorized users gain read access to the script.
<br><dt><b>-s </b><i>admin_server[:port]</i><b></b>
<dd>Specifies the admin server that kadmin should contact.
<p>You can invoke <code>kadmin.local</code> with an of the follwing options:
<br><dt><b>-d_ </b><i>dbname</i><b></b>
<dd>Specifies the name of the Kerberos database.
<br><dt><b>-e </b><i>"enctypes ..."</i><b></b>
<dd>Sets the list of cryptosystem and salt types to be used for any new
keys created. See <a href="Supported-Encryption-Types.html#Supported%20Encryption%20Types">Supported Encryption Types</a> and <a href="Salts.html#Salts">Salts</a> for
available types.
<br><dt><b>-m</b>
<dd>Do not authenticate using a keytab. This option will cause kadmin to
prompt for the master database password.
</dl>
</body></html>
|
