Provided by: krb5-user_1.10+dfsg~beta1-2_i386

NAME

       kadmin - Kerberos V5 database administration program

SYNOPSIS

       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
              [[-c cache_name] | [-k [-t keytab]] | -n] [-w password]
              [-s admin_server[:port]]

       kadmin.local    [-r realm] [-p principal] [-q query]
                       [-d dbname] [-e "enc:salt ..."] [-m] [-x db_args]

DESCRIPTION

       kadmin and kadmin.local are command-line interfaces to the Kerberos  V5
       KADM5  administration  system.   Both  kadmin  and kadmin.local provide
       identical functionality; the difference is that kadmin.local  runs  on
       the  master  KDC  if  the  database is db2 and does not use Kerberos to
       authenticate to the database. Except  as  explicitly  noted  otherwise,
       this  man  page  will  use  kadmin  to  refer to both versions.  kadmin
       provides for the maintenance of Kerberos  principals,  KADM5  policies,
       and service key tables (keytabs).

       The  remote  version uses Kerberos authentication and an encrypted RPC,
       to operate securely from anywhere on the network.  It authenticates  to
       the  KADM5  server  using  the  service principal kadmin/admin.  If the
       credentials cache contains a ticket for the kadmin/admin principal, and
       the  -c  credentials_cache  option is specified, that ticket is used to
       authenticate to KADM5.  Otherwise, the -p and -k options  are  used  to
       specify  the client Kerberos principal name used to authenticate.  Once
       kadmin has determined the principal name, it  requests  a  kadmin/admin
       Kerberos  service  ticket from the KDC, and uses that service ticket to
       authenticate to KADM5.

       If the database is db2, the local client, kadmin.local, is intended  to
       run  directly  on  the master KDC without Kerberos authentication.  The
       local version provides all of the functionality  of  the  now  obsolete
       kdb5_edit(8),  except for database dump and load, which is now provided
       by the kdb5_util(8) utility.

       If the database is LDAP, kadmin.local need not be run on the KDC.

       kadmin.local can be configured to log updates for incremental  database
       propagation.   Incremental  propagation  allows  slave  KDC  servers to
       receive principal and policy updates incrementally instead of receiving
       full  dumps  of  the  database.   This  facility  can be enabled in the
       kdc.conf  file  with  the  iprop_enable  option.   See   the   kdc.conf
       documentation  for  other  options  for  tuning incremental propagation
       parameters.

OPTIONS

       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise,  kadmin  will  append
              "/admin"  to  the  primary principal name of the default ccache,
              the value of the USER environment variable, or the  username  as
              obtained with getpwuid, in order of preference.

       -k     Use  a  keytab  to decrypt the KDC response instead of prompting
              for a password on the TTY.  In this case, the default  principal
              will  be host/hostname.  If there is not a keytab specified with
              the -t option, then the default keytab will be used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only  be  used
              with the -k option.

       -n     Requests anonymous processing.  Two types of anonymous principals
              are supported.  For fully anonymous Kerberos, configure pkinit on
              the KDC and configure pkinit_anchors in the client's  krb5.conf.
              Then  use  the  -n option with a principal of the form @REALM (an
              empty principal name followed by the at-sign and a realm  name).
              If permitted by the KDC, an anonymous ticket will be returned.  A
              second  form  of  anonymous  tickets  is  supported;  these
              realm-exposed tickets hide the identity of the client but not the
              client's  realm.   For  this  mode,  use kinit -n with a normal
              principal name.  If supported by the KDC, the principal (but  not
              realm)  will  be  replaced  by the anonymous principal.  As of
              release 1.8, the MIT Kerberos KDC only supports  fully  anonymous
              operation.

       -c credentials_cache
              Use   credentials_cache   as   the   credentials   cache.    The
              credentials_cache  should  contain  a  service  ticket  for  the
              kadmin/admin  service;  it  can  be  acquired  with the kinit(1)
              program.  If this option is not specified, kadmin requests a new
              service  ticket from the KDC, and stores it in its own temporary
              ccache.

       -w password
              Use password instead of prompting for one  on  the  TTY.   Note:
              placing   the   password   for   a   Kerberos   principal   with
              administration access into a shell script can  be  dangerous  if
              unauthorized users gain read access to the script.

       -q query
              Pass query directly to kadmin, which will perform query and then
              exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the Kerberos database.  This  option  does
              not apply to the LDAP database.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     Do  not  authenticate  using  a  keytab.  This option will cause
              kadmin to prompt for the master database password.

       -e enc:salt_list
              Sets the list of encryption types and salt types to be used  for
              any new keys created.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies the database specific arguments.

              Options supported for LDAP database are:

              -x host=<hostname>
                     specifies the LDAP server to connect to, as an LDAP URI.

              -x binddn=<bind_dn>
                     specifies the DN of the object used by the administration
                     server to bind to the LDAP server.   This  object  should
                     have  the  read  and write rights on the realm container,
                     principal container and the subtree that is referenced by
                     the realm.

              -x bindpwd=<bind_password>
                     specifies the password for the above mentioned binddn. It
                     is recommended not to  use  this  option.   Instead,  the
                     password  can  be stashed using the stashsrvpw command of
                     kdb5_ldap_util.
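       The  following  shell  functions are an added example and are not part
       of this man page or of the MIT Kerberos distribution.  They show how  a
       script  can  authenticate  with  a keytab (-p, -k, -t) and pass a query
       with -q instead of embedding a password with -w, refuse a keytab  that
       other  users  can  read,  and  feed several commands to kadmin.local on
       standard  input  in  one  session.   The  KADMIN  and   KADMIN_LOCAL
       variables,   the   function   names,   and   the  principal,  server and
       keytab names in the usage note are assumptions of the example.

```shell
#!/bin/sh
# Added example, not part of the kadmin man page: run kadmin queries from a
# script without putting a password on the command line (-w) or in the script.
# Remote queries authenticate with a keytab (-k -t); local batches feed several
# commands to kadmin.local on stdin.  KADMIN / KADMIN_LOCAL may be overridden
# (for example with "echo" for a dry run).  All names used are placeholders.

# Fail unless the keytab exists and has no group/other permission bits.
keytab_private() {
    [ -f "$1" ] || { echo "keytab $1 not found" >&2; return 1; }
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;
        *)  echo "refusing to use keytab $1 with mode $mode (want 600 or 400)" >&2
            return 1 ;;
    esac
}

# One remote query, authenticated with the keytab instead of a TTY password.
# Usage: kadmin_query CLIENT_PRINCIPAL KEYTAB QUERY [ADMIN_SERVER[:PORT]]
kadmin_query() {
    keytab_private "$2" || return 2
    if [ -n "$4" ]; then
        ${KADMIN:-kadmin} -p "$1" -k -t "$2" -s "$4" -q "$3"
    else
        ${KADMIN:-kadmin} -p "$1" -k -t "$2" -q "$3"
    fi
}

# Several commands in one kadmin.local session (run as root on the master KDC);
# kadmin reads commands from standard input when it is not a terminal.
# Usage: kadmin_local_batch COMMAND...
kadmin_local_batch() {
    for cmd in "$@"; do printf '%s\n' "$cmd"; done | ${KADMIN_LOCAL:-kadmin.local}
}
```

       A  typical  call  (placeholder  names)  is  kadmin_query
       host/kdc.example.com@EXAMPLE.COM /etc/krb5.keytab 'getprinc -terse
       systest' kdc.example.com:749;  the  keytab  check  runs  before  kadmin
       is invoked, so a world-readable keytab stops the script rather than
       silently authenticating with exposed key material.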

DATE FORMAT

       Various commands  in  kadmin  can  take  a  variety  of  date  formats,
       specifying durations or absolute times.  Examples of valid formats are:

              1 month ago
              2 hours ago
              400000 seconds ago
              last year
              this Monday
              next Monday
              yesterday
              tomorrow
              now
              second Monday
              a fortnight ago
              3/31/92 10:00:07 PST
              January 23, 1987 10:05pm
              22:00 GMT

       Dates  which  do not have the "ago" specifier default to being absolute
       dates, unless they appear in a field where a duration is expected.   In
       that   case  the  time  specifier  will  be  interpreted  as  relative.
       Specifying "ago" in a duration may result in unexpected behavior.

COMMANDS

       add_principal [options] newprinc
              creates the principal newprinc, prompting twice for a  password.
              If  no  policy  is  specified  with  the -policy option, and the
              policy named "default" exists, then that policy is  assigned  to
              the  principal; note that the assignment of the policy "default"
              only occurs automatically when a principal is first created,  so
              the  policy  "default"  must already exist for the assignment to
              occur.  This assignment of "default" can be suppressed with  the
              -clearpolicy  option.   This command requires the add privilege.
              This command has the aliases addprinc and ank.  The options are:

              -x db_princ_args
                     Denotes the database specific options.  The  options  for
                     LDAP database are:

                     -x dn=<dn>
                            Specifies  the  LDAP  object that will contain the
                            Kerberos principal being created.

                     -x linkdn=<dn>
                            Specifies the  LDAP  object  to  which  the  newly
                            created Kerberos principal object will point to.

                     -x containerdn=<container_dn>
                            Specifies  the  container  object  under which the
                            Kerberos principal is to be created.

                     -x tktpolicy=<policy>
                            Associates  a  ticket  policy  to   the   Kerberos
                            principal.

              -expire expdate
                     expiration date of the principal

              -pwexpire pwexpdate
                     password expiration date

              -maxlife maxlife
                     maximum ticket life for the principal

              -maxrenewlife maxrenewlife
                     maximum renewable life of tickets for the principal

              -kvno kvno
                     explicitly set the key version number.

              -policy policy
                     policy used by this principal.  If no policy is supplied,
                     then if the policy "default" exists and the  -clearpolicy
                     is not also specified, then the policy "default" is used;
                     otherwise, the principal  will  have  no  policy,  and  a
                     warning message will be printed.

              -clearpolicy
                     -clearpolicy  prevents  the  policy  "default" from being
                     assigned when -policy is not specified.  This option  has
                     no effect if the policy "default" does not exist.

              {-|+}allow_postdated
                     -allow_postdated  prohibits this principal from obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable    prohibits   this   principal   from
                     obtaining     forwardable     tickets.      (Sets     the
                     KRB5_KDB_DISALLOW_FORWARDABLE  flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits this principal from  obtaining
                     renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits this principal from  obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication  for
                     this   principal   by  prohibiting  this  principal  from
                     obtaining a session key  for  another  user.   (Sets  the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey clears
                     this flag.

              {-|+}requires_preauth
                     +requires_preauth    requires    this    principal     to
                     preauthenticate before being allowed to kinit.  (Sets the
                     KRB5_KDB_REQUIRES_PRE_AUTH   flag.)     -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth     requires     this    principal    to
                     preauthenticate using  a  hardware  device  before  being
                     allowed  to  kinit.   (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}ok_as_delegate
                     +ok_as_delegate sets the OK-AS-DELEGATE flag  on  tickets
                     issued  for use with this principal as the service, which
                     clients may use as a hint that credentials can and should
                     be  delegated  when authenticating to the service.  (Sets
                     the   KRB5_KDB_OK_AS_DELEGATE   flag.)    -ok_as_delegate
                     clears this flag.

              {-|+}allow_svr
                     -allow_svr  prohibits the issuance of service tickets for
                     this principal.  (Sets the  KRB5_KDB_DISALLOW_SVR  flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req  specifies  that a Ticket-Granting Service
                     (TGS) request for a service ticket for this principal  is
                     not  permitted.   This option is useless for most things.
                     +allow_tgs_req  clears  this  flag.    The   default   is
                     +allow_tgs_req.    In  effect,  -allow_tgs_req  sets  the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in  the
                     database.

              {-|+}allow_tix
                     -allow_tix  forbids  the issuance of any tickets for this
                     principal.  +allow_tix clears this flag.  The default  is
                     +allow_tix.     In    effect,    -allow_tix    sets   the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on the  principal  in  the
                     database.

              {-|+}needchange
                     +needchange  sets  a  flag in attributes field to force a
                     password change; -needchange clears it.  The  default  is
                     -needchange.     In    effect,   +needchange   sets   the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal  in  the
                     database.

              {-|+}password_changing_service
                     +password_changing_service  sets a flag in the attributes
                     field marking this as a password change service principal
                     (useless  for  most  things).  -password_changing_service
                     clears the flag.  This  flag  intentionally  has  a  long
                     name.   The  default  is  -password_changing_service.  In
                     effect,     +password_changing_service      sets      the
                     KRB5_KDB_PWCHANGE_SERVICE  flag  on  the principal in the
                     database.

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     sets the key of the principal to the specified string and
                     does not prompt for a password.  Note:  using this option
                     in a shell script can be dangerous if unauthorized  users
                     gain read access to the script.

              -e "enc:salt ..."
                     uses  the  specified  list  of enctype-salttype pairs for
                     setting  the  key  of  the  principal.   The  quotes  are
                     necessary  if  there are multiple enctype-salttype pairs.
                     This will not function  against  kadmin  daemons  earlier
                     than krb5-1.2.

              EXAMPLE:
                     kadmin: addprinc tlyu/admin
                     WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal tlyu/admin@BLEEP.COM:
                     Re-enter password for principal tlyu/admin@BLEEP.COM:
                     Principal "tlyu/admin@BLEEP.COM" created.
                     kadmin:

                     kadmin: addprinc -x dn=cn=mwm_user,o=org mwm_user
                     WARNING: no policy specified for "mwm_user@BLEEP.COM";
                     defaulting to no policy.
                     Enter password for principal mwm_user@BLEEP.COM:
                     Re-enter password for principal mwm_user@BLEEP.COM:
                     Principal "mwm_user@BLEEP.COM" created.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires "add" privilege)
                     KADM5_BAD_MASK (shouldn't happen)
                     KADM5_DUP (principal exists already)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_PASS_Q_* (password quality violations)

       delete_principal [-force] principal
              deletes the specified principal from the database.  This command
              prompts for deletion, unless the -force option  is  given.  This
              command requires the delete privilege.  Aliased to delprinc.

              EXAMPLE:
                     kadmin: delprinc mwm_user
                     Are you sure you want to delete the principal
                     "mwm_user@BLEEP.COM"? (yes/no): yes
                     Principal "mwm_user@BLEEP.COM" deleted.
                     Make sure that you have removed this principal from
                     all ACLs before reusing.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires "delete" privilege)
                     KADM5_UNK_PRINC (principal does not exist)
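       The  delprinc  output  above  warns  that  the  principal  must  be
       removed from all ACLs before its name is reused.  The following shell
       functions are an added example, not part of this  man  page  or  of  MIT
       Kerberos,  that  list  the  kadm5.acl  lines  naming  a  principal as
       grantee (field 1) or as target (field 3) and refuse to delete  it  while
       any  remain.   They  assume  the  kadm5.acl  line  format  "principal
       permissions [target]" described in kadmind(8), that "*" in an ACL
       principal matches one whole component, and that a pattern with no
       "@REALM" is compared against the name part only; the ACL contents in
       the usage note are constructed.

```shell
#!/bin/sh
# Added example, not from the kadmin man page: find kadm5.acl entries that
# reference a principal before it is deleted or its name is reused.
# Assumptions: kadm5.acl lines are "principal permissions [target ...]",
# "#" starts a comment, "*" in an ACL principal matches one whole component,
# and an ACL principal without "@REALM" is matched on its name part only.
# Usage: acl_entries_for PRINCIPAL ACLFILE   (prints the matching lines)
acl_entries_for() {
    awk -v princ="$1" '
    # Does ACL pattern pat match principal p, component by component?
    function matches(pat, p,    npat, np, pp, pc, i) {
        if (pat == "") return 0
        npat = split(pat, pp, "[/@]")
        np   = split(p,   pc, "[/@]")
        if (index(pat, "@") == 0) np--     # no realm in pattern: ignore realm of p
        if (npat != np) return 0
        for (i = 1; i <= npat; i++)
            if (pp[i] != "*" && pp[i] != pc[i]) return 0
        return 1
    }
    /^[[:space:]]*(#|$)/ { next }          # comments and blank lines
    matches($1, princ) || (NF >= 3 && matches($3, princ)) { print }
    ' "$2"
}

# Delete a principal only when no ACL line still references it.
# KADMIN_LOCAL may be overridden (for example with "echo") for a dry run.
# Usage: safe_delprinc PRINCIPAL ACLFILE
safe_delprinc() {
    hits=$(acl_entries_for "$1" "$2")
    if [ -n "$hits" ]; then
        printf 'not deleting %s; still referenced in %s:\n%s\n' "$1" "$2" "$hits" >&2
        return 1
    fi
    ${KADMIN_LOCAL:-kadmin.local} -q "delete_principal -force $1"
}
```

       With a constructed ACL such as "*/admin@BLEEP.COM  *" on one line  and
       "mwm_user@BLEEP.COM  cil  */*@BLEEP.COM" on another, acl_entries_for
       tlyu/admin@BLEEP.COM prints both lines (the first as grantee, the second
       as target) and safe_delprinc refuses; a principal that no line names  is
       passed to delete_principal -force.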

       modify_principal [options] principal
              modifies   the  specified  principal,  changing  the  fields  as
              specified.  The options are as above for  add_principal,  except
              that  password  changing  and flags related to password changing
              are  forbidden  by  this  command.   In  addition,  the   option
              -clearpolicy will clear the current policy of a principal.  This
              command requires the modify privilege.  Aliased to modprinc.

              -x db_princ_args
                     Denotes the database specific options.  The  options  for
                     LDAP database are:

                     -x tktpolicy=<policy>
                            Associates   a   ticket  policy  to  the  Kerberos
                            principal.

                     -x linkdn=<dn>
                            Associates  a  Kerberos  principal  with  an  LDAP
                            object.   This  option  is  honored  only  if  the
                            Kerberos principal is not already associated  with
                            an LDAP object.

              -unlock
                     Unlocks  a  locked  principal (one which has received too
                     many failed authentication attempts without  enough  time
                     between them according to its password policy) so that it
                     can successfully authenticate.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires "modify" privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
              changes  the  password of principal.  Prompts for a new password
              if neither -randkey nor -pw is specified.  Requires the changepw
              privilege,  or that the principal that is running the program be
              the same as the one changed.  Aliased to cpw.  The following
              options are available:

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     set   the   password   to   the  specified  string.   Not
                     recommended.

              -e "enc:salt ..."
                     uses the specified list  of  enctype-salttype  pairs  for
                     setting  the  key  of  the  principal.   The  quotes  are
                     necessary if there are multiple  enctype-salttype  pairs.
                     This  will  not  function  against kadmin daemons earlier
                     than krb5-1.2.

              -keepold
                     Keeps the previous kvno's  keys  around.   This  flag  is
                     usually not necessary except perhaps for TGS keys.  Don't
                     use this flag unless you know  what  you're  doing.  This
                     option is not supported for the LDAP database.

              EXAMPLE:
                     kadmin: cpw systest
                     Enter password for principal systest@BLEEP.COM:
                     Re-enter password for principal systest@BLEEP.COM:
                     Password for systest@BLEEP.COM changed.
                     kadmin:

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_PRINC (principal does not exist)
                     KADM5_PASS_Q_* (password policy violation errors)
                     KADM5_PASS_REUSE (password is in principal's password
                     history)
                     KADM5_PASS_TOOSOON (current password minimum life not
                     expired)

       purgekeys [-keepkvno oldest_kvno_to_keep] principal
              purges  previously retained old keys (e.g., from change_password
              -keepold) from principal.  If -keepkvno is specified, then  only
              purges keys with kvnos lower than oldest_kvno_to_keep.

       get_principal [-terse] principal
              gets   the   attributes  of  principal.   Requires  the  inquire
              privilege, or that the principal that is running the program  be
              the same as the one being listed.  With the -terse option,
              outputs fields as quoted tab-separated strings.  Alias getprinc.

              EXAMPLES:
                     kadmin: getprinc tlyu/admin
                     Principal: tlyu/admin@BLEEP.COM
                     Expiration date: [never]
                     Last password change: Mon Aug 12 14:16:47 EDT 1996
                     Password expiration date: [none]
                     Maximum ticket life: 0 days 10:00:00
                     Maximum renewable life: 7 days 00:00:00
                     Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
                     Last successful authentication: [never]
                     Last failed authentication: [never]
                     Failed password attempts: 0
                     Number of keys: 2
                     Key: vno 1, DES cbc mode with CRC-32, no salt
                     Key: vno 1, DES cbc mode with CRC-32, Version 4
                     Attributes:
                     Policy: [none]
                     kadmin: getprinc -terse systest
                     systest@BLEEP.COM   3    86400     604800    1
                     785926535 753241234 785900000
                     tlyu/admin@BLEEP.COM     786100034 0    0
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get (inquire) privilege)
                     KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
              Retrieves all or some principal names.  Expression is  a  shell-
              style  glob expression that can contain the wild-card characters
              ?, *, and []'s.  All principal names matching the expression are
              printed.   If no expression is provided, all principal names are
              printed.  If the expression does not contain an  "@"  character,
              an  "@" character followed by the local realm is appended to the
              expression.  Requires the  list  privilege.   Alias  listprincs,
              get_principals, get_princs.

              EXAMPLES:
                     kadmin:  listprincs test*
                     test3@SECURE-TEST.OV.COM
                     test2@SECURE-TEST.OV.COM
                     test1@SECURE-TEST.OV.COM
                     testuser@SECURE-TEST.OV.COM
                     kadmin:

       get_strings principal
              displays  string attributes on principal.  String attributes are
              used to supply per-principal configuration to  some  KDC  plugin
              modules.  Alias getstrs.

       set_string principal key value
              sets a string attribute on principal.  Alias setstr.

       del_string principal key
              deletes a string attribute from principal.  Alias delstr.

       add_policy [options] policy
              adds  the named policy to the policy database.  Requires the add
              privilege.   Aliased  to  addpol.   The  following  options  are
              available:

              -maxlife time
                     sets the maximum lifetime of a password

              -minlife time
                     sets the minimum lifetime of a password

              -minlength length
                     sets the minimum length of a password

              -minclasses number
                     sets the minimum number of character classes allowed in a
                     password

              -history number
                     sets the number of past keys kept for a  principal.  This
                     option is not supported for LDAP database

              -maxfailure maxnumber
                     sets the maximum number of authentication failures before
                     the principal is  locked.   Authentication  failures  are
                     only     tracked    for    principals    which    require
                     preauthentication.

              -failurecountinterval failuretime
                     sets the allowable time between authentication  failures.
                     If  an  authentication  failure happens after failuretime
                     has elapsed since the previous  failure,  the  number  of
                     authentication  failures  is reset to 1.  A failure count
                     interval of 0 means forever.

              -lockoutduration lockouttime
                     sets the duration for which the principal is locked  from
                     authenticating  if too many authentication failures occur
                     without the specified failure count interval elapsing.  A
                     duration of 0 means forever.

              EXAMPLES:
                     kadmin: add_policy -maxlife "2 days" -minlength 5 guests
                     kadmin:

              ERRORS:
                     KADM5_AUTH_ADD (requires the add privilege)
                     KADM5_DUP (policy already exists)

       delete_policy [-force] policy
              deletes  the  named  policy.   Prompts  for  confirmation before
              deletion.  The command will fail if the policy is in use by  any
              principals.  Requires the delete privilege.  Alias delpol.

              EXAMPLE:
                     kadmin: del_policy guests
                     Are you sure you want to delete the policy "guests"?
                     (yes/no): yes
                     kadmin:

              ERRORS:
                     KADM5_AUTH_DELETE (requires the delete privilege)
                     KADM5_UNK_POLICY (policy does not exist)
                     KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
              modifies the named policy.  Options are as above for add_policy.
              Requires the modify privilege.  Alias modpol.

              ERRORS:
                     KADM5_AUTH_MODIFY (requires the modify privilege)
                     KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
              displays the values of the named policy.  Requires  the  inquire
              privilege.   With  the -terse flag, outputs the fields as quoted
              strings separated by tabs.  Alias getpol.

              EXAMPLES:
                     kadmin: get_policy admin
                     Policy: admin
                     Maximum password life: 180 days 00:00:00
                     Minimum password life: 00:00:00
                     Minimum password length: 6
                     Minimum number of password character classes: 2
                     Number of old keys kept: 5
                     Reference count: 17
                     kadmin: get_policy -terse admin
                     admin     15552000  0    6    2    5    17
                     kadmin:

              ERRORS:
                     KADM5_AUTH_GET (requires the get privilege)
                     KADM5_UNK_POLICY (policy does not exist)
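       The  following  shell  function  is an added example, not part of this
       man page or of MIT Kerberos, that audits every policy's settings  from
       get_policy  -terse  output.   It  reads the fields in the order shown in
       the  example  above  (name, maximum life, minimum life, minimum length,
       minimum classes, history, reference count); releases from 1.8 on append
       the  maximum-failure,  failure-count-interval  and  lockout-duration
       fields, which the check uses only when present (an assumption  of  the
       example).   The  thresholds  are  illustrative  and  can be overridden
       through the environment; the terse lines in the usage note  other  than
       the admin policy above are constructed.

```shell
#!/bin/sh
# Added example, not from the kadmin man page: audit "get_policy -terse" lines.
# Field order per the man page: name, max life, min life, min length,
# min classes, history, refcount.  Releases from 1.8 on append max failures,
# failure count interval and lockout duration (assumption; checked if present).
# Thresholds (seconds / counts) are illustrative and overridable via environment.
# Usage: ... | audit_policies     (one finding per line; exit status 1 if any)
audit_policies() {
    awk -v maxlife="${MAXLIFE_LIMIT:-31536000}" -v minlen="${MINLEN:-8}" \
        -v mincls="${MINCLASSES:-2}" -v minhist="${MINHISTORY:-3}" '
    NF < 7 { print $1 ": malformed line (" NF " fields)"; bad++; next }
    # a max life of 0 means passwords never expire
    $2 == 0 || $2 > maxlife { print $1 ": max password life " $2 "s exceeds " maxlife "s (0 = never expires)"; bad++ }
    $4 < minlen  { print $1 ": min length " $4 " below " minlen; bad++ }
    $5 < mincls  { print $1 ": min classes " $5 " below " mincls; bad++ }
    $6 < minhist { print $1 ": history " $6 " below " minhist; bad++ }
    $7 == 0      { print $1 ": assigned to no principal (refcount 0)" }
    NF >= 10 && $8 == 0 { print $1 ": no failed-authentication lockout (maxfailure 0)"; bad++ }
    END { if (bad) exit 1 }
    '
}

# Collect a terse line for every policy on the KDC and audit them all.
# KADMIN_LOCAL may be overridden; kadmin.local writes its "Authenticating as"
# banner to stderr, which is discarded here.
audit_all_policies() {
    ${KADMIN_LOCAL:-kadmin.local} -q listpols 2>/dev/null |
    while read -r pol; do
        ${KADMIN_LOCAL:-kadmin.local} -q "get_policy -terse $pol" 2>/dev/null
    done | audit_policies
}
```

       Fed  the  admin  line  from  the  example  above  (admin 15552000 0 6 2
       5 17), audit_policies reports only the minimum length of 6 against  the
       default  threshold  of 8 and exits 1; a constructed line such as "guests
       172800 0 5 0 0 0" draws findings for length, classes, history  and  the
       unused reference count.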

       list_policies [expression]
              Retrieves all or some policy names.  Expression is a shell-style
              glob  expression that can contain the wild-card characters ?, *,
              and []'s.  All policy names matching the expression are printed.
              If  no  expression  is  provided,  all existing policy names are
              printed.   Requires  the  list   privilege.    Alias   listpols,
              get_policies, getpols.

              EXAMPLES:
                     kadmin:  listpols
                     test-pol
                     dict-only
                     once-a-min
                     test-pol-nopw
                     kadmin:  listpols t*
                     test-pol
                     test-pol-nopw
                     kadmin:

       ktadd [-k keytab] [-q] [-e keysaltlist]
              [-norandkey] [[principal | -glob princ-exp] [...]]
              Adds  a  principal  or  all  principals  matching princ-exp to a
              keytab.  It randomizes each principal's key in the  process,  to
              prevent  a compromised admin account from reading out all of the
              keys  from  the  database.   However,   kadmin.local   has   the
              -norandkey  option,  which  leaves  the  keys  and their version
              numbers  unchanged,  similar  to  the  Kerberos  V4   ext_srvtab
              command.   That  allows  users  to continue to use the passwords
              they know  to  login  normally,  while  simultaneously  allowing
              scripts  to  login to the same account using a keytab.  There is
              no significant security risk added since  kadmin.local  must  be
              run by root on the KDC anyway.

              Requires the inquire and changepw privileges.  An entry for each
              of the principal's unique encryption types  is  added,  ignoring
              multiple  keys  with the same encryption type but different salt
              types.  If the -k argument is not specified, the default  keytab
              /etc/krb5.keytab  is  used.  If the -q option is specified, less
              verbose status information is displayed.

              The -glob option requires the list privilege.  princ-exp follows
              the same rules described for the list_principals command.

              EXAMPLE:
                     kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
                     Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
                          kvno 3, encryption type DES-CBC-CRC added to keytab
                          WRFILE:/tmp/foo-new-keytab
                     kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
              Removes  entries  for  the  specified  principal  from a keytab.
              Requires no permissions, since this does  not  require  database
              access.   If the string "all" is specified, all entries for that
              principal are removed; if the string  "old"  is  specified,  all
              entries  for  that  principal except those with the highest kvno
              are removed.  Otherwise, the value specified  is  parsed  as  an
              integer,  and  all  entries  whose  kvno  match that integer are
              removed.  If the -k  argument  is  not  specified,  the  default
              keytab /etc/krb5.keytab is used.  If the -q option is specified,
              less verbose status information is displayed.

              EXAMPLE:
                     kadmin: ktremove -k /usr/local/var/krb5kdc/kadmind.keytab kadmin/admin
                     Entry for principal kadmin/admin with kvno 3 removed
                          from keytab WRFILE:/usr/local/var/krb5kdc/kadmind.keytab.
                     kadmin:

FILES

       principal.db         default name for Kerberos principal database

       <dbname>.kadm5       KADM5 administrative  database.   (This  would  be
                            "principal.kadm5", if you use the default database
                            name.)  Contains policy information.

       <dbname>.kadm5.lock  lock file for the KADM5  administrative  database.
                            This  file  works  backwards  from most other lock
                            files.  I.e., kadmin will exit with  an  error  if
                            this file does not exist.

       Note:                The  above  three  files  are  specific to the db2
                            database.

       kadm5.acl            file  containing  list  of  principals  and  their
                            kadmin  administrative privileges.  See kadmind(8)
                            for a description.

       kadm5.keytab         keytab file for kadmin/admin principal.

       kadm5.dict           file containing dictionary of  strings  explicitly
                            disallowed as passwords.

HISTORY

       The  kadmin  program  was  originally  written  by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.

SEE ALSO

       kerberos(1), kpasswd(1), kadmind(8)

BUGS

       Command output needs to be cleaned up.

                                                                     KADMIN(1)