heimdal-kadmin (8) - Linux Manuals
heimdal-kadmin: Kerberos administration utility
kadmin - Kerberos administration utility
SYNOPSIS-words [-p string | --principal= string ] [-K string | --keytab= string ] [-c file | --config-file= file ] [-k file | --key-file= file ] [-r realm | --realm= realm ] [-a host | --admin-server= host ] [-s port number | --server-port= port number ] [-l | --local ] [-h | --help ] [-v | --version ] [command ]
DESCRIPTIONThe program is used to make modifications to the Kerberos database, either remotely via the kadmind(8) daemon, or locally (with the -l option).
- -p string , --principal= string
- principal to authenticate as
- -K string , --keytab= string
- keytab for authentication principal
- -c file , --config-file= file
- location of config file
- -k file , --key-file= file
- location of master key file
- -r realm , --realm= realm
- realm to use
- -a host , --admin-server= host
- server to contact
- -s port number , --server-port= port number
- port to use
- -l , --local
- local admin mode
If no command is given on the command line, will prompt for commands to process. Some of the commands that take one or more principals as argument ( delete ext_keytab get modify and passwd will accept a glob style wildcard, and perform the operation on all matching principals.
add [-r | --random-key ] [--random-password ] [-p string | --password= string ] [--key= string ] [--max-ticket-life= lifetime ] [--max-renewable-life= lifetime ] [--attributes= attributes ] [--expiration-time= time ] [--pw-expiration-time= time ] [--policy= policy-name ] principal...
Adds a new principal to the database. The options not passed on the command line will be promped for. The only policy supported by Heimdal servers is
add_enctype [-r | --random-key ] principal enctypes...
Adds a new encryption type to the principal, only random key are supported.
Removes a principal.
del_enctype principal enctypes...
Removes some enctypes from a principal; this can be useful if the service belonging to the principal is known to not handle certain enctypes.
ext_keytab [-k string | --keytab= string ] principal...
Creates a keytab with the keys of the specified principals. Requires get-keys rights, otherwise the principal's keys are changed and saved in the keytab.
get [-l | --long ] [-s | --short ] [-t | --terse ] [-o string | --column-info= string ] principal...
Lists the matching principals, short prints the result as a table, while long format produces a more verbose output. Which columns to print can be selected with the -o option. The argument is a comma separated list of column names optionally appended with an equal sign (`=' ) and a column header. Which columns are printed by default differ slightly between short and long output.
The default terse output format is similar to -s o principal= just printing the names of matched principals.
Possible column names include: principal princ_expire_time pw_expiration last_pwd_change max_life max_rlife mod_time mod_name attributes kvno mkvno last_success last_failed fail_auth_count policy and keytypes
modify [-a attributes | --attributes= attributes ] [--max-ticket-life= lifetime ] [--max-renewable-life= lifetime ] [--expiration-time= time ] [--pw-expiration-time= time ] [--kvno= number ] [--policy= policy-name ] principal...
Modifies certain attributes of a principal. If run without command line options, you will be prompted. With command line options, it will only change the ones specified.
Only policy supported by Heimdal is
Possible attributes are: new-princ support-desmd5 pwchange-service disallow-svr requires-pw-change requires-hw-auth requires-pre-auth disallow-all-tix disallow-dup-skey disallow-proxiable disallow-renewable disallow-tgt-based disallow-forwardable disallow-postdated
Attributes may be negated with a "-", e.g.,
kadmin -l modify -a -disallow-proxiable user
passwd [--keepold ] [-r | --random-key ] [--random-password ] [-p string | --password= string ] [--key= string ] principal...
Changes the password of an existing principal.
password-quality principal password
Run the password quality check function locally. You can run this on the host that is configured to run the kadmind process to verify that your configuration file is correct. The verification is done locally, if kadmin is run in remote mode, no rpc call is done to the server.
Lists the operations you are allowed to perform. These include add add_enctype change-password delete del_enctype get get-keys list and modify
rename from to
Renames a principal. This is normally transparent, but since keys are salted with the principal name, they will have a non-standard salt, and clients which are unable to cope with this will fail. Kerberos 4 suffers from this.
check [realm ]
Check database for strange configurations on important principals. If no realm is given, the default realm is used.
When running in local mode, the following commands can also be used:
dump [-d | --decrypt ] [-f format | --format= format ] [dump-file ]
Writes the database in ``machine readable text'' form to the specified file, or standard out. If the database is encrypted, the dump will also have encrypted keys, unless --decrypt is used. If --format=MIT is used then the dump will be in MIT format. Otherwise it will be in Heimdal format.
init [--realm-max-ticket-life= string ] [--realm-max-renewable-life= string ] realm
Initializes the Kerberos database with entries for a new realm. It's possible to have more than one realm served by one server.
Reads a previously dumped database, and re-creates that database from scratch.
Similar to load but just modifies the database with the entries in the dump file.
stash [-e enctype | --enctype= enctype ] [-k keyfile | --key-file= keyfile ] [--convert-file ] [--master-key-fd= fd ]
Writes the Kerberos master key to a file used by the KDC.