kadmin(1M)
NAME
kadmin, kadmin.local - Kerberos database administration program
SYNOPSIS
/usr/sbin/kadmin [-r realm] [-p principal] [-q query] [-s admin_server[:port]] [[-c credential_cache] | [-k [-t keytab]] | [-w password]]
/usr/sbin/kadmin.local [-r realm] [-p principal] [-q query] [-d dbname] [-e "enc:salt..."] [-m] [-D]
DESCRIPTION
kadmin and kadmin.local are interactive command-line interfaces
to the Kerberos V5 administration system. They provide for the
maintenance of Kerberos principals, policies, and service key
tables (keytabs). kadmin and kadmin.local provide identical
functionality; the difference is that kadmin.local can run only
on the master KDC and does not use Kerberos authentication.
Except as explicitly noted otherwise, this man page will use
kadmin to refer to both versions.
By default, both versions of kadmin attempt to determine
your user name and perform operations on behalf of your
"username/admin" instance. Operations performed are subject
to privileges granted or denied to this user instance by the
Kerberos ACL file (see kadm5.acl(4)). You may perform
administration as another user instance by using the -p
option.
The remote version, kadmin, uses Kerberos authentication and
an encrypted RPC to operate securely from anywhere on the
network. It normally prompts for a password and authenticates
the user to the Kerberos administration server, kadmind, whose
service principal is kadmin/admin. Some options specific to the
remote version permit the password prompt to be bypassed. The
-c option searches the named credentials cache for a valid
ticket for the kadmin/admin service and uses it to authenticate
the user to the Kerberos admin server without a password. The
-k option searches a keytab for a credential to authenticate to
the kadmin/admin service, and again no password is collected.
If kadmin has collected a password, it requests a kadmin/admin
Kerberos service ticket from the KDC, and uses that service
ticket to interact with kadmind.
The local version, kadmin.local, must be run with an effective
UID of root, and normally uses a key from the
/var/krb5/.k5.realm stash file (see kdb5_util(1M)) to decrypt
information from the database rather than prompting for a
password. The -m option will bypass the .k5.realm stash file
and prompt for the master password.
OPTIONS
The following options are supported:
-c credentials_cache
Search credentials_cache for a service ticket for the
kadmin/admin service; it can be acquired with the
kinit(1) program. If this option is not specified,
kadmin requests a new service ticket from the KDC, and
stores it in its own temporary credentials cache.
-d dbname
Specify a non-standard database name. [Local only]
-D Turn on debug mode. [Local only]
-e "enc:salt ..."
Specify a different encryption type and/or key salt.
[Local only]
-k [-t keytab]
Use the default keytab (-k) or a specific keytab (-t
keytab) to decrypt the KDC response instead of prompting
for a password. In this case, the default principal will
be host/hostname. This is primarily used for keytab
maintenance.
-m Accept the database master password from the keyboard
rather than using the /var/krb5/.k5.realm stash file.
[Local only]
-p principal
Authenticate principal to the kadmin/admin service.
Otherwise, kadmin will append /admin to the primary
principal name of the default credentials cache, the
value of the USER environment variable, or the username
as obtained with getpwuid, in that order of preference.
-q query
Pass query directly to kadmin, which will perform
query and then exit. This can be useful for writing
scripts.
-r realm
Use realm as the default database realm.
-s admin_server[:port]
Administer the specified admin server at the specified
port number (port). This can be useful in administering
a realm not known to your client.
-w password
Use password instead of prompting for one. Note that
placing the password for a Kerberos principal with
administration access into a shell script can be
dangerous if unauthorized users gain read access to
the script or can read arguments of this command
through ps(1).
COMMANDS
list_requests
Lists all the commands available for kadmin. Aliased
by lr and ?.
get_privs
Lists the current Kerberos administration privileges
(ACLs) for the principal that is currently running
kadmin. The privileges are based on the
/etc/krb5/kadm5.acl file on the master KDC. Aliased by
getprivs.
add_principal [options] newprinc
Creates a new principal, newprinc, prompting twice for
a password. If the -policy option is not specified and
a policy named default exists, then the default policy
is assigned to the principal; note that the assignment
of the default policy occurs automatically only when a
principal is first created, so the default policy must
already exist for the assignment to occur. The
automatic assignment of the default policy can be
suppressed with the -clearpolicy option. This command
requires the add privilege. Aliased by addprinc and
ank. The options are:
-expire expdate
Expiration date of the principal. See the Time
Formats section for the valid absolute time formats
that you can specify for expdate.
-pwexpire pwexpdate
Password expiration date. See the Time Formats
section for the valid absolute time formats that
you can specify for pwexpdate.
-maxlife maxlife
Maximum ticket life for the principal. See the
Time Formats section for the valid time duration
formats that you can specify for maxlife.
-maxrenewlife maxrenewlife
Maximum renewable life of tickets for the principal.
See the Time Formats section for the valid time
duration formats that you can specify for
maxrenewlife.
-kvno kvno
Explicitly set the key version number.
-policy policy
Policy used by the principal. If neither the -policy
nor the -clearpolicy option is specified, the default
policy is used if it exists; otherwise, the principal
will have no policy. Also note that the password and
principal name must be different when you add a new
principal with a specific policy or the default
policy.
-clearpolicy
-clearpolicy prevents the default policy from
being assigned when -policy is not specified.
This option has no effect if the default policy
does not exist.
{-|+}allow_postdated
-allow_postdated prohibits the principal from
obtaining postdated tickets. (Sets the
KRB5_KDB_DISALLOW_POSTDATED flag.)
+allow_postdated clears this flag.
{-|+}allow_forwardable
-allow_forwardable prohibits the principal from
obtaining forwardable tickets. (Sets the
KRB5_KDB_DISALLOW_FORWARDABLE flag.)
+allow_forwardable clears this flag.
{-|+}allow_renewable
-allow_renewable prohibits the principal from
obtaining renewable tickets. (Sets the
KRB5_KDB_DISALLOW_RENEWABLE flag.)
+allow_renewable clears this flag.
{-|+}allow_proxiable
-allow_proxiable prohibits the principal from
obtaining proxiable tickets. (Sets the
KRB5_KDB_DISALLOW_PROXIABLE flag.)
+allow_proxiable clears this flag.
{-|+}allow_dup_skey
-allow_dup_skey disables user-to-user authentication
for the principal by prohibiting this principal from
obtaining a session key for another user. (Sets the
KRB5_KDB_DISALLOW_DUP_SKEY flag.)
+allow_dup_skey clears this flag.
{-|+}requires_preauth
+requires_preauth requires the principal to
preauthenticate before being allowed to kinit.
(Sets the KRB5_KDB_REQUIRES_PRE_AUTH flag.)
-requires_preauth clears this flag.
{-|+}requires_hwauth
+requires_hwauth requires the principal to
preauthenticate using a hardware device before
being allowed to kinit. (Sets the
KRB5_KDB_REQUIRES_HW_AUTH flag.)
-requires_hwauth clears this flag.
{-|+}allow_svr
-allow_svr prohibits the issuance of service
tickets for the principal. (Sets the
KRB5_KDB_DISALLOW_SVR flag.) +allow_svr clears
this flag.
{-|+}allow_tgs_req
-allow_tgs_req specifies that a Ticket-Granting
Service (TGS) request for a service ticket for
the principal is not permitted. This option is
useless for most things. +allow_tgs_req clears
this flag. The default is +allow_tgs_req. In
effect, -allow_tgs_req sets the
KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in
the database.
{-|+}allow_tix
-allow_tix forbids the issuance of any tickets
for the principal. +allow_tix clears this flag.
The default is +allow_tix. In effect,
-allow_tix sets the KRB5_KDB_DISALLOW_ALL_TIX
flag on the principal in the database.
{-|+}needchange
+needchange sets a flag in the attributes field to
force a password change; -needchange clears it.
The default is -needchange. In effect,
+needchange sets the KRB5_KDB_REQUIRES_PWCHANGE
flag on the principal in the database.
{-|+}password_changing_service
+password_changing_service sets a flag in the
attributes field marking this as a password
change service principal (useless for most
things). -password_changing_service clears the
flag. This flag intentionally has a long name.
The default is -password_changing_service. In
effect, +password_changing_service sets the
KRB5_KDB_PWCHANGE_SERVICE flag on the principal
in the database.
-randkey
Sets the key of the principal to a random value.
-pw password
Sets the key of the principal to the specified
string and does not prompt for a password. Note
that using this option in a shell script can be
dangerous if unauthorized users gain read access
to the script.
Example:
kadmin: addprinc tlyu/admin
WARNING: no policy specified for "tlyu/admin@ACME.COM";
defaulting to no policy.
Enter password for principal tlyu/admin@ACME.COM:
Re-enter password for principal tlyu/admin@ACME.COM:
Principal "tlyu/admin@ACME.COM" created.
kadmin:
Errors:
KADM5_AUTH_ADD (requires add privilege)
KADM5_BAD_MASK (should not happen)
KADM5_DUP (principal exists already)
KADM5_UNK_POLICY (policy does not exist)
KADM5_PASS_Q_* (password quality violations)
delete_principal [-force] principal
Deletes the specified principal from the database.
This command prompts for deletion, unless the -force
option is given. This command requires the delete
privilege. Aliased by delprinc.
Example:
kadmin: delprinc mwm_user
Are you sure you want to delete the principal
"mwm_user@ACME.COM"? (yes/no): yes
Principal "mwm_user@ACME.COM" deleted.
Make sure that you have removed this principal from
all kadmind ACLs before reusing.
kadmin:
Errors:
KADM5_AUTH_DELETE (requires delete privilege)
KADM5_UNK_PRINC (principal does not exist)
modify_principal [options] principal
Modifies the specified principal, changing the fields
as specified. The options are as above for
add_principal, except that password changing is
forbidden by this command. In addition, the option
-clearpolicy will clear the current policy of a
principal. This command requires the modify privilege.
Aliased by modprinc.
Errors:
KADM5_AUTH_MODIFY (requires modify privilege)
KADM5_UNK_PRINC (principal does not exist)
KADM5_UNK_POLICY (policy does not exist)
KADM5_BAD_MASK (should not happen)
change_password [options] principal
Changes the password of principal. Prompts for a new
password if neither -randkey nor -pw is specified.
Requires the changepw privilege, or that the principal
running the program be the same as the one being
changed. Aliased by cpw. The following options are
available:
-randkey
Sets the key of the principal to a random value.
-pw password
Sets the password to the specified string. Not
recommended.
Example:
kadmin: cpw systest
Enter password for principal systest@ACME.COM:
Re-enter password for principal systest@ACME.COM:
Password for systest@ACME.COM changed.
kadmin:
Errors:
KADM5_AUTH_MODIFY (requires the modify privilege)
KADM5_UNK_PRINC (principal does not exist)
KADM5_PASS_Q_* (password policy violation errors)
KADM5_PASS_REUSE (password is in principal's password history)
KADM5_PASS_TOOSOON (current password minimum life not expired)
get_principal [-terse] principal
Gets the attributes of principal. Requires the inquire
privilege, or that the principal running the program
be the same as the one being listed. With the -terse
option, outputs fields as quoted tab-separated
strings. Aliased by getprinc.
Examples:
kadmin: getprinc tlyu/admin
Principal: tlyu/admin@ACME.COM
Expiration date: [never]
Last password change: Mon Aug 12 14:16:47 EDT 1996
Password expiration date: [none]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Last modified: Mon Aug 12 14:16:47 EDT 1996
(example_user/admin@ACME.COM)
Last successful authentication: [never]
Last failed authentication: [never]
Failed password attempts: 0
Number of keys: 2
Key: vno 1, DES cbc mode with CRC-32, no salt
Key: vno 1, DES cbc mode with CRC-32, Version 4
Attributes:
Policy: [none]
kadmin: getprinc -terse systest
systest@ACME.COM 3 86400 604800 1 785926535 753241234
785900000
tlyu/admin@ACME.COM 786100034 0 0
kadmin:
Errors:
KADM5_AUTH_GET (requires the get [inquire] privilege)
KADM5_UNK_PRINC (principal does not exist)
list_principals [expression]
Retrieves all or some principal names. expression is a
shell-style glob expression that can contain the
wild-card characters ?, *, and []'s. All principal
names matching the expression are printed. If no
expression is provided, all principal names are
printed. If the expression does not contain an "@"
character, an "@" character followed by the local
realm is appended to the expression. Requires the list
privilege. Aliased by listprincs, get_principals, and
getprincs.
Examples:
kadmin: listprincs test*
test3@ACME.COM
test2@ACME.COM
test1@ACME.COM
testuser@ACME.COM
kadmin:
add_policy [options] policy
Adds the named policy to the policy database. Requires
the add privilege. Aliased by addpol. The following
options are available:
-maxlife maxlife
sets the maximum lifetime of a password. See the
Time Formats section for the valid time duration
formats that you can specify for maxlife.
-minlife minlife
sets the minimum lifetime of a password. See the
Time Formats section for the valid time duration
formats that you can specify for minlife.
-minlength length
sets the minimum length of a password.
-minclasses number
sets the minimum number of character classes
allowed in a password. The valid values are:
1 only letters (himom)
2 both letters and numbers (hi2mom)
3 letters, numbers, and punctuation (hi2mom!)
-history number
sets the number of past keys kept for a principal.
Errors:
KADM5_AUTH_ADD (requires the add privilege)
KADM5_DUP (policy already exists)
delete_policy policy
Deletes the named policy. Prompts for confirmation
before deletion. The command will fail if the policy
is in use by any principals. Requires the delete
privilege. Aliased by delpol.
Example:
kadmin: del_policy guests
Are you sure you want to delete the
policy "guests"? (yes/no): yes
Policy "guests" deleted.
kadmin:
Errors:
KADM5_AUTH_DELETE (requires the delete privilege)
KADM5_UNK_POLICY (policy does not exist)
KADM5_POLICY_REF (reference count on policy is not zero)
modify_policy [options] policy
Modifies the named policy. Options are as above for
add_policy. Requires the modify privilege. Aliased by
modpol.
Errors:
KADM5_AUTH_MODIFY (requires the modify privilege)
KADM5_UNK_POLICY (policy does not exist)
get_policy [-terse] policy
Displays the values of the named policy. Requires the
inquire privilege. With the -terse flag, outputs the
fields as quoted strings separated by tabs. Aliased by
getpol.
Examples:
kadmin: get_policy admin
Policy: admin
Maximum password life: 180 days 00:00:00
Minimum password life: 00:00:00
Minimum password length: 6
Minimum number of password character classes: 2
Number of old keys kept: 5
Reference count: 17
kadmin: get_policy -terse admin
admin 15552000 0 6 2 5 17
kadmin:
Errors:
KADM5_AUTH_GET (requires the get privilege)
KADM5_UNK_POLICY (policy does not exist)
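As an added illustration (not part of this man page or of the kadmin source), the Python below reads a policy as get_policy -terse prints it and checks candidate passwords against the -minlength and -minclasses rules described under add_policy, then flags settings an auditor would question. The field order of the terse line is inferred from the get_policy example above and should be confirmed against your kadmin; the weak-setting thresholds and the sample line are this example's own.

```python
import re
from dataclasses import dataclass

# Field order of a "get_policy -terse" line is ASSUMED from this man page's
# own example ("admin 15552000 0 6 2 5 17"); confirm it against your kadmin.
TERSE_FIELDS = ("name", "maxlife", "minlife", "minlength",
                "minclasses", "history", "refcount")


@dataclass
class Policy:
    name: str
    maxlife: int     # seconds; 0 means passwords never expire
    minlife: int     # seconds
    minlength: int
    minclasses: int  # 1 letters, 2 letters+digits, 3 letters+digits+punctuation
    history: int     # number of old keys kept
    refcount: int    # principals referencing this policy


def parse_terse_policy(line: str) -> Policy:
    """Parse one tab-separated 'get_policy -terse' line (fields may be quoted)."""
    parts = [p.strip('"') for p in line.strip().split("\t")]
    if len(parts) != len(TERSE_FIELDS):
        raise ValueError(f"expected {len(TERSE_FIELDS)} fields, got {len(parts)}")
    name, *nums = parts
    return Policy(name, *(int(n) for n in nums))


def format_duration(seconds: int) -> str:
    """Render seconds as getpol/getprinc do, e.g. 15552000 -> '180 days 00:00:00'."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} days {hours:02d}:{minutes:02d}:{secs:02d}"


def character_classes(password: str) -> int:
    """Count the classes -minclasses counts: letters, digits, punctuation."""
    return sum(bool(re.search(pat, password))
               for pat in (r"[A-Za-z]", r"[0-9]", r"[^A-Za-z0-9]"))


def password_problems(password: str, pol: Policy) -> list:
    """Reasons the policy would reject the password (empty list means accepted)."""
    problems = []
    if len(password) < pol.minlength:
        problems.append(f"length {len(password)} < minlength {pol.minlength}")
    classes = character_classes(password)
    if classes < pol.minclasses:
        problems.append(f"{classes} character classes < minclasses {pol.minclasses}")
    return problems


def weak_policy_findings(pol: Policy) -> list:
    """Settings a reviewer would question; the thresholds are this example's own."""
    findings = []
    if pol.maxlife == 0:
        findings.append("maxlife 0: passwords never expire")
    if pol.minclasses < 2:
        findings.append("minclasses < 2: letters-only passwords accepted")
    if pol.history == 0:
        findings.append("history 0: immediate password reuse accepted")
    if pol.minlength < 8:
        findings.append(f"minlength {pol.minlength}: below 8 characters")
    return findings


# Constructed sample: the man page's get_policy example as a terse line.
SAMPLE_TERSE = "admin\t15552000\t0\t6\t2\t5\t17"
```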
list_policies [expression]
Retrieves all or some policy names. expression is a
shell-style glob expression that can contain the
wild-card characters ?, *, and []'s. All policy names
matching the expression are printed. If no expression
is provided, all existing policy names are printed.
Requires the list privilege. Aliased by listpols,
get_policies, and getpols.
Examples:
kadmin: listpols
test-pol dict-only once-a-min test-pol-nopw
kadmin: listpols t*
test-pol test-pol-nopw
kadmin:
ktadd [-k keytab] [-q] [principal | -glob princ-exp] [...]
Adds a principal or all principals matching princ-exp
to a keytab, randomizing each principal's key in the
process. Requires the inquire and changepw privileges.
An entry for each of the principal's unique encryption
types is added, ignoring multiple keys with the same
encryption type but different salt types. If the -k
argument is not specified, the default keytab file,
/etc/krb5/krb5.keytab, is used. If the -q option is
specified, less status information is displayed.
Aliased by xst. The -glob option requires the list
privilege. Also, note that if you use -glob to create
a keytab, you need to remove /etc/krb5/kadm5.keytab
and create it again if you want to use -p */admin with
kadmin.
princ-exp follows the same rules described for the
list_principals command.
Example:
kadmin: ktadd -k /tmp/new-keytab nfs/chicago
Entry for principal nfs/chicago with kvno 2,
encryption type DES-CBC-CRC added to keytab
WRFILE:/tmp/new-keytab.
kadmin:
ktremove [-k keytab] [-q] principal [kvno | all | old]
Removes entries for the specified principal from a
keytab. Requires no privileges, since this does not
require database access. If all is specified, all
entries for that principal are removed; if old is
specified, all entries for that principal except those
with the highest kvno are removed. Otherwise, the
value specified is parsed as an integer, and all
entries whose kvno match that integer are removed. If
the -k argument is not specified, the default keytab
file, /etc/krb5/krb5.keytab, is used. If the -q option
is specified, less status information is displayed.
Aliased by ktrem.
Example:
kadmin: ktremove -k /tmp/new-keytab nfs/chicago
Entry for principal nfs/chicago with kvno 2
removed from keytab
WRFILE:/tmp/new-keytab.
kadmin:
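Added example, not from this man page or from kadmin itself: a Python model of which keytab entries the all, old and kvno selectors of ktremove drop, and of ktadd's one-entry-per-enctype rule for keys that differ only in salt type (as the two DES keys in the getprinc output above do). The Entry tuple, the enctype names and the sample keytab are constructed for the example.

```python
from collections import namedtuple

# Constructed model of a keytab entry; a real keytab also stores the key
# material and a timestamp, which do not matter for the selector logic.
Entry = namedtuple("Entry", "principal kvno enctype salt")

SAMPLE_KEYTAB = [
    Entry("nfs/chicago@ACME.COM", 1, "des-cbc-crc", "normal"),
    Entry("nfs/chicago@ACME.COM", 2, "des-cbc-crc", "normal"),
    Entry("nfs/chicago@ACME.COM", 3, "des-cbc-crc", "normal"),
    Entry("host/chicago@ACME.COM", 5, "des-cbc-crc", "normal"),
]


def ktremove(entries, principal, selector="all"):
    """Apply ktremove's selector to a list of entries.

    selector is "all", "old" (keep only the highest kvno for the
    principal) or an integer kvno given as text. Returns (kept, removed)
    with the original order preserved.
    """
    mine = [e for e in entries if e.principal == principal]
    if not mine:
        raise KeyError(f"no entries for {principal}")
    if selector == "all":
        drop = set(mine)
    elif selector == "old":
        newest = max(e.kvno for e in mine)
        drop = {e for e in mine if e.kvno < newest}
    else:
        kvno = int(selector)  # any other text is a usage error, as in kadmin
        drop = {e for e in mine if e.kvno == kvno}
    kept = [e for e in entries if e not in drop]
    removed = [e for e in entries if e in drop]
    return kept, removed


def ktadd_entries(principal, kvno, keys):
    """Model ktadd's selection: one entry per unique enctype, ignoring
    keys that differ only in salt type. keys is a list of (enctype, salt)."""
    seen, out = set(), []
    for enctype, salt in keys:
        if enctype not in seen:
            seen.add(enctype)
            out.append(Entry(principal, kvno, enctype, salt))
    return out


def stale_entries(entries):
    """Audit helper: entries for superseded key versions, i.e. exactly what
    'ktremove <principal> old' would drop for every principal in the keytab."""
    newest = {}
    for e in entries:
        newest[e.principal] = max(newest.get(e.principal, 0), e.kvno)
    return [e for e in entries if e.kvno < newest[e.principal]]
```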
quit Quits kadmin. Aliased by exit and q.
Time Formats
Various commands in kadmin can take a variety of time
formats, specifying time durations or absolute times. The
kadmin option variables maxrenewlife, maxlife, and minlife
are time durations, whereas expdate and pwexpdate are
absolute times.
Examples:
kadmin: modprinc -expire "12/31 7pm" jdb
kadmin: modprinc -maxrenewlife "2 fortnight" jdb
kadmin: modprinc -pwexpire "this sunday" jdb
kadmin: modprinc -expire never jdb
kadmin: modprinc -maxlife "7:00:00pm tomorrow" jdb
Note that times which do not have the "ago" specifier
default to being absolute times, unless they appear in a
field where a duration is expected. In that case, the time
specifier will be interpreted as relative. Specifying "ago"
in a duration can result in unexpected behavior.
The following time formats and units can be combined to
specify a time. The time and date format examples are based
on the date and time of July 2, 1999, 1:35:30 p.m.
 ______________________________________________________________
| Time Format                    | Examples                    |
|________________________________|_____________________________|
| hh[:mm][:ss][am/pm/a.m./p.m.]  | 1p.m., 1:35, 1:35:30pm      |
|________________________________|_____________________________|

Variable    Description
hh          hour (12-hour clock, leading zero permitted but not required)
mm          minutes
ss          seconds
 ______________________________________________________________
| Date Format                    | Examples                    |
|________________________________|_____________________________|
| mm/dd[/yy]                     | 07/02, 07/02/99             |
| yyyy-mm-dd                     | 1999-07-02                  |
| dd-month-yyyy                  | 02-July-1999                |
| month dd[,yyyy]                | Jul 02, July 02,1999        |
| dd month[ yyyy]                | 02 JULY, 02 july 1999       |
|________________________________|_____________________________|

Variable    Description
dd          day
mm          month
yy          year within century (00-38 is 2000 to 2038; 70-99 is 1970 to 1999)
yyyy        year including century
month       locale's full or abbreviated month name
 ______________________________________________________________
| Time Units                     | Examples                    |
|________________________________|_____________________________|
| [+|- #] year                   | "-2 year"                   |
| [+|- #] month                  | "2 months"                  |
| [+|- #] fortnight              |                             |
| [+|- #] week                   |                             |
| [+|- #] day                    |                             |
| [+|- #] hour                   |                             |
| [+|- #] minute                 |                             |
| [+|- #] min                    |                             |
| [+|- #] second                 |                             |
| [+|- #] sec                    |                             |
| tomorrow                       |                             |
| yesterday                      |                             |
| today                          |                             |
| now                            |                             |
| this                           | "this year"                 |
| last                           | "last saturday"             |
| next                           | "next month"                |
| sunday                         |                             |
| monday                         |                             |
| tuesday                        |                             |
| wednesday                      |                             |
| thursday                       |                             |
| friday                         |                             |
| saturday                       |                             |
| never                          |                             |
|________________________________|_____________________________|
You can also use the following time modifiers: first,
second, third, fourth, fifth, sixth, seventh, eighth, ninth,
tenth, eleventh, twelfth, and ago.
ENVIRONMENT VARIABLES
See environ(5) for descriptions of the following environment
variables that affect the execution of kadmin:
PAGER The command to use as a filter for paging output. This
can also be used to specify options. The default is
more(1).
FILES
/var/krb5/principal.db
Kerberos principal database.
/var/krb5/principal.kadm5
Kerberos administrative database. Contains policy
information.
/var/krb5/principal.kadm5.lock
Lock file for the Kerberos administrative database.
This file works backwards from most other lock files
(that is, kadmin will exit with an error if this file
does not exist).
/var/krb5/kadm5.dict
Dictionary of strings explicitly disallowed as passwords.
/etc/krb5/kadm5.acl
List of principals and their kadmin administrative
privileges.
/etc/krb5/kadm5.keytab
Keytab for kadmin/admin principal.
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWkdcu |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
kpasswd(1), more(1), gkadmin(1M), kadmind(1M),
kdb5_util(1M), kadm5.acl(4), kdc.conf(4), krb5.conf(4),
attributes(5), environ(5), SEAM(5)
HISTORY
The kadmin program was originally written by Tom Yu at MIT,
as an interface to the OpenVision Kerberos administration
program.
DIAGNOSTICS
The kadmin command is currently incompatible with the MIT
kadmind daemon interface, so you cannot use this command to
administer an MIT-based Kerberos database. However,
SEAM-based Kerberos clients can still use a MIT-based KDC.