Provided by: krb5-kdc_1.4.3-5_i386

NAME

       kdb5_util - Kerberos database maintenance utility

SYNOPSIS

       kdb5_util    [-r realm]    [-d dbname]    [-k mkeytype]   [-M mkeyname]
       [-sf stashfilename] [-m] command [command_options]

DESCRIPTION

       kdb5_util allows an  administrator  to  perform  low-level  maintenance
       procedures  on  the  Kerberos  and  KADM5  database.   Databases can be
       created,  destroyed,  and  dumped  to  and  loaded  from  ASCII  files.
       Additionally,  kdb5_util  can  create a Kerberos master key stash file.
       kdb5_util subsumes the functionality of and makes obsolete the previous
       database  maintenance  programs  kdb5_create,  kdb5_edit, kdb5_destroy,
       and kdb5_stash.

       When kdb5_util is run, it attempts to acquire the master key  and  open
       the  database.   However,  execution continues regardless of whether or
       not kdb5_util successfully opens the database, because the database may
       not exist yet or the stash file may be corrupt.

COMMAND-LINE OPTIONS

       -r realm
              specifies  the  Kerberos  realm  of the database; by default the
              realm returned by krb5_default_local_realm(3) is used.

       -d dbname
              specifies the name under which the principal database is stored;
              by  default  the  database  is  that listed in kdc.conf(5).  The
              KADM5 policy database and lock file are also derived  from  this
              value.

       -k mkeytype
              specifies  the  key  type of the master key in the database; the
              default is that given in kdc.conf.

       -M mkeyname
              principal name for the master key in the database;  the  default
              is that given in kdc.conf.

       -m     specifies  that the master database password should be read from
              the TTY rather than fetched from a file on disk.

       -sf stash_file
              specifies the stash file of the master database password.

       -P password
              specifies the master database  password.   This  option  is  not
              recommended.

COMMANDS

       create [-s]
              Creates  a  new  database.   If  the -s option is specified, the
              stash file is also created.  This command fails if the  database
              already  exists.   If the command is successful, the database is
              opened just as if it had already existed when  the  program  was
              first run.

       destroy [-f]
              Destroys  the  database,  first overwriting the disk sectors and
              then  unlinking  the  files,  after  prompting  the   user   for
              confirmation.  With the -f argument, does not prompt the user.

       stash [-f keyfile]
              Stores  the  master  principal’s  keys  in a stash file.  The -f
              argument can be  used  to  override  the  keyfile  specified  at
              startup.

       dump [-old] [-b6] [-b7] [-ov]
              [-verbose]  [-mkey_convert]  [-new_mkey_file  mkey_file]  [-rev]
              [-recurse] [filename [principals...]]
              Dumps the current Kerberos and  KADM5  database  into  an  ASCII
              file.   By  default,  the  database is dumped in current format,
              "kdb5_util load_dump version 5".  If filename is not  specified,
              or  is  the  string  "-",  the  dump is sent to standard output.
              Options:

              -old   causes the dump to be  in  the  Kerberos  5  Beta  5  and
                     earlier  dump format ("kdb5_edit load_dump version 2.0").

              -b6    causes the dump to be in the Kerberos  5  Beta  6  format
                     ("kdb5_edit load_dump version 3.0").

              -b7    causes  the  dump  to  be in the Kerberos 5 Beta 7 format
                     ("kdb5_util load_dump version 4").   This  was  the  dump
                     format produced on releases prior to 1.2.2.

              -ov    causes the dump to be in ovsec_adm_export format.

              -verbose
                     causes  the  name  of  each  principal  and  policy to be
                     printed as it is dumped.

              -mkey_convert
                     prompts for a new master key.  This new master  key  will
                     be  used to re-encrypt the key data in the dumpfile.  The
                     key data in the database will not be changed.

              -new_mkey_file mkey_file
                     the filename of a stash file.  The  master  key  in  this
                     stash file will be used to re-encrypt the key data in the
                     dumpfile.  The key data  in  the  database  will  not  be
                     changed.

              -rev   dumps in reverse order.  This may recover principals that
                     do not dump normally, in cases where database  corruption
                     has occurred.

              -recurse
                     causes  the  dump to walk the database recursively (btree
                     only).  This may recover  principals  that  do  not  dump
                     normally, in cases where database corruption has occurred.
                     In cases of such corruption, this  option  will  probably
                     retrieve more principals than the -rev option will.

       load [-old] [-b6] [-b7] [-ov] [-hash]
              [-verbose] [-update] filename dbname [admin_dbname]
              Loads  a  database  dump  from  the  named  file  into the named
              database.  Unless the -old or -b6 option is given, the format of
              the   dump   file  is  detected  automatically  and  handled  as
              appropriate.  Unless the -update option is given, load creates a
              new  database  containing  only the principals in the dump file,
              overwriting the contents of any  previously  existing  database.
              Options:

              -old   requires  the database to be in the Kerberos 5 Beta 5 and
                     earlier format ("kdb5_edit load_dump version 2.0").

              -b6    requires the database to be in  the  Kerberos  5  Beta  6
                     format ("kdb5_edit load_dump version 3.0").

              -b7    requires  the  database  to  be  in the Kerberos 5 Beta 7
                     format ("kdb5_util load_dump version 4").

              -ov    requires the database to be in  ovsec_adm_import  format.
                     Must be used with the -update option.

              -hash  requires  the  database  to be stored as a hash.  If this
                     option is not specified, the database will be stored as a
                     btree.   This  option  is  not  recommended, as databases
                     stored in hash format are known to corrupt data and  lose
                     principals.

              -verbose
                     causes  the  name  of  each  principal  and  policy to be
                     printed as it is loaded.

              -update
                     records from the dump file are added to or updated in the
                     existing  database;  otherwise, a new database is created
                     containing only what is in the dump file and the old  one
                     destroyed upon successful completion.

              dbname is  required  and  overrides  the  value specified on the
                     command line or the default.

              admin_dbname
                     is optional and is derived from dbname if not  specified.

       dump_v4 [-S] [filename]
              Dumps  the  current  database  into the Kerberos 4 database dump
              format.  The -S option specifies the short lifetime algorithm.

       load_v4 [-T] [-v] [-h] [-S]
              [-t] [-n] [-K] [-s stashfile] inputfile
              Loads a Kerberos 4 database dump file.  Options:

              -K     prompts for the  V5  master  key  instead  of  using  the
                     stashed version.

              -n     prompts  for  the  V4 master key, instead of reading from
                     the stash file.

              -s stashfile
                     gets the V4 master key out of stashfile instead of /.k.

              -T     creates a new krbtgt instead of converting  the  V4  one.
                     The   V5  server  will  thus  not  recognize  outstanding
                     tickets, so this should be used with caution.

              -v     lists each principal as it is converted or ignored.

              -t     uses a temporary database, then moves  that  into  place,
                     instead of adding the keys to the current database.

              -S     Uses the short lifetime algorithm for conversion.

              -h     Stores  the  database as a hash instead of a btree.  This
                     option is not recommended, as databases  stored  in  hash
                     format are known to corrupt data and lose principals.

              Note:  if  the Kerberos 4 database had a default expiration date
              of 12/31/1999 or 12/31/2009 (the compiled-in defaults for  older
              or newer Kerberos releases) then any entries which have the same
              expiration date will be  converted  to  "never"  expire  in  the
              version  5 database.  If the default did not match either value,
              all expiration dates will be preserved.

              Also, Kerberos 4 stored  a  single  modification  time  for  any
              change  to  a  record;  Version 5 stores a separate modification
              time and last password change  time.   In  practice,  Version  4
              "modifications"  were  always  password changes.  load_v4 copies
              the value into both fields.

       ark    Adds a random key.

SEE ALSO

       kadmin(8)

                                                                  KDB5_UTIL(8)