NAME
kadmin — Kerberos administration utility
SYNOPSIS
kadmin [-p string | --principal=string]
       [-K string | --keytab=string]
       [-c file | --config-file=file]
       [-k file | --key-file=file]
       [-r realm | --realm=realm]
       [-a host | --admin-server=host]
       [-s port number | --server-port=port number]
       [-l | --local]
       [-h | --help]
       [-v | --version]
       [command]
DESCRIPTION
The kadmin program is used to make modifications to the Kerberos database, either remotely via the kadmind(8) daemon, or locally (with the -l option).
Supported options:

-p string, --principal=string
  principal to authenticate as
-K string, --keytab=string
  keytab for authentication principal
-c file, --config-file=file
  location of config file
-k file, --key-file=file
  location of master key file
-r realm, --realm=realm
  realm to use
-a host, --admin-server=host
  server to contact
-s port number, --server-port=port number
  port to use
-l, --local
  local admin mode

If no command is given on the command line, kadmin will prompt for commands to process. Some of the commands that take one or more principals as argument (delete, ext_keytab, get, modify, and passwd) will accept a glob style wildcard, and perform the operation on all matching principals.

Commands include:

add [-r | --random-key] [--random-password] [-p string | --password=string] [--key=string] [--max-ticket-life=lifetime] [--max-renewable-life=lifetime] [--attributes=attributes] [--expiration-time=time] [--pw-expiration-time=time] principal...

add_enctype [-r | --random-key] principal enctypes...

delete principal...

del_enctype principal enctypes...

ext_keytab [-k string | --keytab=string] principal...

get [-l | --long] [-s | --short] [-t | --terse] [-o string | --column-info=string] principal...
  -o option.
  The argument is a comma separated list of column names optionally appended with an equal sign (‘=’) and a column header. Which columns are printed by default differ slightly between short and long output.

  The default terse output format is similar to -s -o principal=, just printing the names of matched principals.

  Possible column names include: principal, princ_expire_time, pw_expiration, last_pwd_change, max_life, max_rlife, mod_time, mod_name, attributes, kvno, mkvno, last_success, last_failed, fail_auth_count, policy, and keytypes.

modify [-a attributes | --attributes=attributes] [--max-ticket-life=lifetime] [--max-renewable-life=lifetime] [--expiration-time=time] [--pw-expiration-time=time] [--kvno=number] principal...
  Possible attributes are: new-princ, support-desmd5, pwchange-service, disallow-svr, requires-pw-change, requires-hw-auth, requires-pre-auth, disallow-all-tix, disallow-dup-skey, disallow-proxiable, disallow-renewable, disallow-tgt-based, disallow-forwardable, disallow-postdated

  Attributes may be negated with a "-", e.g.,

    kadmin -l modify -a -disallow-proxiable user

passwd [-r | --random-key] [--random-password] [-p string | --password=string] [--key=string] principal...

password-quality principal password

privileges
  add, add_enctype, change-password, delete, del_enctype, get, list, and modify.

rename from to

check [realm]

When running in local mode, the following commands can also be used:

dump [-d | --decrypt] [dump-file]
  --decrypt is used.

init [--realm-max-ticket-life=string] [--realm-max-renewable-life=string] realm

load file

merge file
  load but just modifies the database with the entries in the dump file.

stash [-e enctype | --enctype=enctype] [-k keyfile | --key-file=keyfile] [--convert-file] [--master-key-fd=fd]
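
An added example, not part of the original manual page or of the kadmin sources: a POSIX shell wrapper that checks a get -o column list against the column names listed under get above before running a local-mode listing for a principal audit. The names KADMIN_COLUMNS, check_column_info and run_audit, and the KADMIN override variable, are assumptions made for this example.

```shell
#!/bin/sh
# Added example: validate a "get -o" column list before auditing principals.
# Column names are the ones this manual page lists; function and variable
# names are hypothetical.
KADMIN_COLUMNS="principal princ_expire_time pw_expiration last_pwd_change \
max_life max_rlife mod_time mod_name attributes kvno mkvno last_success \
last_failed fail_auth_count policy keytypes"

# check_column_info SPEC
# SPEC is a comma separated list of name[=header] entries.
# Returns 0 if every name is a known column, 1 (with a message) otherwise.
# The body runs in a subshell so the IFS and noglob changes do not leak.
check_column_info() (
    spec=$1
    case $spec in
        ''|,*|*,|*,,*) echo "empty column entry in '$spec'" >&2; exit 1 ;;
    esac
    IFS=,
    set -f
    for entry in $spec; do
        name=${entry%%=*}            # strip the optional =header part
        case $name in
            ''|*[!a-z_]*) echo "bad column name: '$name'" >&2; exit 1 ;;
        esac
        case " $KADMIN_COLUMNS " in
            *" $name "*) ;;
            *) echo "unknown column: $name" >&2; exit 1 ;;
        esac
    done
)

# run_audit SPEC GLOB
# Lists matching principals in local mode with short (table) output.
# KADMIN may be overridden for a dry run (assumption of this example).
run_audit() {
    check_column_info "$1" || return 1
    "${KADMIN:-kadmin}" -l get -s -o "$1" "$2"
}

# Typical audit call (needs access to the local database):
#   run_audit 'principal,attributes,pw_expiration,fail_auth_count=failures' '*'
```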