Provided by: krb5-user_1.13.2+dfsg-5_amd64 bug

NAME

       kadmin - Kerberos V5 database administration program

SYNOPSIS

       kadmin  [-O|-N] [-r realm] [-p principal] [-q query] [[-c cache_name]|[-k [-t keytab]]|-n]
       [-w password] [-s admin_server[:port]]

       kadmin.local [-r realm] [-p principal] [-q query] [-d dbname] [-e enc:salt ...]  [-m]  [-x
       db_args]

DESCRIPTION

       kadmin  and  kadmin.local  are  command-line  interfaces to the Kerberos V5 administration
       system.   They  provide  nearly  identical  functionalities;  the   difference   is   that
       kadmin.local  directly  accesses  the KDC database, while kadmin performs operations using
       kadmind(8).  Except as explicitly noted otherwise, this man  page  will  use  "kadmin"  to
       refer  to  both  versions.   kadmin  provides  for the maintenance of Kerberos principals,
       password policies, and service key tables (keytabs).

       The remote kadmin client uses Kerberos  to  authenticate  to  kadmind  using  the  service
       principal  kadmin/ADMINHOST  (where ADMINHOST is the fully-qualified hostname of the admin
       server) or kadmin/admin.  If the credentials cache contains a  ticket  for  one  of  these
       principals,  and  the  -c  credentials_cache  option  is specified, that ticket is used to
       authenticate to kadmind.  Otherwise, the -p and -k options are used to specify the  client
       Kerberos  principal  name  used to authenticate.  Once kadmin has determined the principal
       name, it requests a service  ticket  from  the  KDC,  and  uses  that  service  ticket  to
       authenticate to kadmind.

       Since  kadmin.local directly accesses the KDC database, it usually must be run directly on
       the master KDC with sufficient permissions to read the KDC database.  If the KDC  database
       uses  the  LDAP  database module, kadmin.local can be run on any host which can access the
       LDAP server.

OPTIONS

       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise, kadmin will append /admin to the primary
              principal  name  of the default ccache, the value of the USER environment variable,
              or the username as obtained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response instead of prompting for a  password.   In
              this  case,  the  default  principal  will be host/hostname.  If there is no keytab
              specified with the -t option, then the default keytab will be used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only be used with the -k option.

       -n     Requests anonymous processing.  Two types of anonymous  principals  are  supported.
              For   fully   anonymous  Kerberos,  configure  PKINIT  on  the  KDC  and  configure
              pkinit_anchors in the client's  krb5.conf(5).   Then  use  the  -n  option  with  a
              principal of the form @REALM (an empty principal name followed by the at-sign and a
              realm name).  If permitted by the KDC, an anonymous ticket  will  be  returned.   A
              second form of anonymous tickets is supported; these realm-exposed tickets hide the
              identity of the client but not the client's realm.  For this  mode,  use  kinit  -n
              with  a  normal  principal  name.   If supported by the KDC, the principal (but not
              realm) will be replaced by the anonymous principal.  As of  release  1.8,  the  MIT
              Kerberos KDC only supports fully anonymous operation.

       -c credentials_cache
              Use credentials_cache as the credentials cache.  The cache should contain a service
              ticket for the kadmin/ADMINHOST (where ADMINHOST is the fully-qualified hostname of
              the  admin  server)  or  kadmin/admin service; it can be acquired with the kinit(1)
              program.  If this option is not specified, kadmin requests  a  new  service  ticket
              from the KDC, and stores it in its own temporary ccache.

       -w password
              Use  password  instead  of prompting for one.  Use this option with care, as it may
              expose the password to other users on the system via the process list.

       -q query
              Perform the specified query and then exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the KDC database.  This option does not  apply  to  the  LDAP
              database module.

       -s admin_server[:port]
              Specifies the admin server which kadmin should contact.

       -m     If  using  kadmin.local, prompt for the database master password instead of reading
              it from a stash file.

       -e enc:salt ...
              Sets the keysalt list to be used for any new keys created.   See  Keysalt_lists  in
              kdc.conf(5) for a list of possible values.

       -O     Force use of old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to AUTH_GSSAPI authentication flavor.

       -x db_args
              Specifies  the  database  specific  arguments.   See the next section for supported
              options.

DATABASE OPTIONS

       Database options can be used to override database-specific  defaults.   Supported  options
       for the DB2 module are:

          -x dbname=*filename*
                 Specifies the base filename of the DB2 database.

          -x lockiter
                 Make  iteration  operations  hold  the  lock  for  the  duration  of  the entire
                 operation, rather than  temporarily  releasing  the  lock  while  handling  each
                 principal.   This  is  the  default  behavior,  but  this option exists to allow
                 command line override of a [dbmodules] setting.   First  introduced  in  release
                 1.13.

          -x unlockiter
                 Make  iteration  operations  unlock  the database for each principal, instead of
                 holding the lock for the duration of the entire operation.  First introduced  in
                 release 1.13.

       Supported options for the LDAP module are:

          -x host=ldapuri
                 Specifies the LDAP server to connect to by a LDAP URI.

          -x binddn=bind_dn
                 Specifies the DN used to bind to the LDAP server.

          -x bindpwd=password
                 Specifies  the  password  or SASL secret used to bind to the LDAP server.  Using
                 this option may expose the password to other users on the system via the process
                 list;  to avoid this, instead stash the password using the stashsrvpw command of
                 kdb5_ldap_util(8).

          -x sasl_mech=mechanism
                 Specifies the SASL mechanism used to bind to the LDAP server.  The  bind  DN  is
                 ignored if a SASL mechanism is used.  New in release 1.13.

          -x sasl_authcid=name
                 Specifies  the  authentication  name used when binding to the LDAP server with a
                 SASL mechanism, if the mechanism requires one.  New in release 1.13.

          -x sasl_authzid=name
                 Specifies the authorization name used when binding to the  LDAP  server  with  a
                 SASL mechanism.  New in release 1.13.

          -x sasl_realm=realm
                 Specifies  the realm used when binding to the LDAP server with a SASL mechanism,
                 if the mechanism uses one.  New in release 1.13.

          -x debug=level
                 sets the OpenLDAP client library  debug  level.   level  is  an  integer  to  be
                 interpreted  by  the library.  Debugging messages are printed to standard error.
                 New in release 1.12.

COMMANDS

       When using the remote client, available  commands  may  be  restricted  according  to  the
       privileges specified in the kadm5.acl(5) file on the admin server.

   add_principal
          add_principal [options] newprinc

       Creates  the principal newprinc, prompting twice for a password.  If no password policy is
       specified with the -policy option, and  the  policy  named  default  is  assigned  to  the
       principal  if  it exists.  However, creating a policy named default will not automatically
       assign this policy to previously existing  principals.   This  policy  assignment  can  be
       suppressed with the -clearpolicy option.

       This command requires the add privilege.

       Aliases: addprinc, ank

       Options:

       -expire expdate
              (getdate string) The expiration date of the principal.

       -pwexpire pwexpdate
              (getdate string) The password expiration date.

       -maxlife maxlife
              (getdate string) The maximum ticket life for the principal.

       -maxrenewlife maxrenewlife
              (getdate string) The maximum renewable life of tickets for the principal.

       -kvno kvno
              The initial key version number.

       -policy policy
              The  password  policy used by this principal.  If not specified, the policy default
              is used if it exists (unless -clearpolicy is specified).

       -clearpolicy
              Prevents any policy from being assigned when -policy is not specified.

       {-|+}allow_postdated
              -allow_postdated  prohibits  this  principal  from  obtaining  postdated   tickets.
              +allow_postdated clears this flag.

       {-|+}allow_forwardable
              -allow_forwardable  prohibits  this  principal  from obtaining forwardable tickets.
              +allow_forwardable clears this flag.

       {-|+}allow_renewable
              -allow_renewable  prohibits  this  principal  from  obtaining  renewable   tickets.
              +allow_renewable clears this flag.

       {-|+}allow_proxiable
              -allow_proxiable   prohibits  this  principal  from  obtaining  proxiable  tickets.
              +allow_proxiable clears this flag.

       {-|+}allow_dup_skey
              -allow_dup_skey  disables  user-to-user  authentication  for  this   principal   by
              prohibiting  this  principal  from  obtaining  a  session  key  for  another  user.
              +allow_dup_skey clears this flag.

       {-|+}requires_preauth
              +requires_preauth requires this principal to preauthenticate before  being  allowed
              to  kinit.  -requires_preauth clears this flag.  When +requires_preauth is set on a
              service principal, the KDC  will  only  issue  service  tickets  for  that  service
              principal   if   the   client's   initial   authentication   was   performed  using
              preauthentication.

       {-|+}requires_hwauth
              +requires_hwauth requires this principal to preauthenticate using a hardware device
              before   being   allowed  to  kinit.   -requires_hwauth  clears  this  flag.   When
              +requires_hwauth is set on a service principal, the KDC  will  only  issue  service
              tickets  for  that  service  principal  if  the client's initial authentication was
              performed using a hardware device to preauthenticate.

       {-|+}ok_as_delegate
              +ok_as_delegate sets the  okay  as  delegate  flag  on  tickets  issued  with  this
              principal  as  the  service.   Clients may use this flag as a hint that credentials
              should be delegated when authenticating to  the  service.   -ok_as_delegate  clears
              this flag.

       {-|+}allow_svr
              -allow_svr   prohibits   the  issuance  of  service  tickets  for  this  principal.
              +allow_svr clears this flag.

       {-|+}allow_tgs_req
              -allow_tgs_req specifies that a Ticket-Granting Service (TGS) request for a service
              ticket for this principal is not permitted.  +allow_tgs_req clears this flag.

       {-|+}allow_tix
              -allow_tix  forbids  the  issuance  of  any tickets for this principal.  +allow_tix
              clears this flag.

       {-|+}needchange
              +needchange forces a password change on the next  initial  authentication  to  this
              principal.  -needchange clears this flag.

       {-|+}password_changing_service
              +password_changing_service  marks  this  principal  as  a  password  change service
              principal.

       {-|+}ok_to_auth_as_delegate
              +ok_to_auth_as_delegate allows this principal to  acquire  forwardable  tickets  to
              itself from arbitrary users, for use with constrained delegation.

       {-|+}no_auth_data_required
              +no_auth_data_required  prevents  PAC  or  AD-SIGNEDPATH  data  from being added to
              service tickets for the principal.

       -randkey
              Sets the key of the principal to a random value.

       -nokey Causes the principal to be created with no key.  New in release 1.12.

       -pw password
              Sets the password of the principal to the specified string and does not prompt  for
              a  password.   Note: using this option in a shell script may expose the password to
              other users on the system via the process list.

       -e enc:salt,...
              Uses the specified keysalt list  for  setting  the  keys  of  the  principal.   See
              Keysalt_lists in kdc.conf(5) for a list of possible values.

       -x db_princ_args
              Indicates database-specific options.  The options for the LDAP database module are:

              -x dn=dn
                     Specifies  the  LDAP  object  that will contain the Kerberos principal being
                     created.

              -x linkdn=dn
                     Specifies the LDAP object to which  the  newly  created  Kerberos  principal
                     object will point.

              -x containerdn=container_dn
                     Specifies  the  container object under which the Kerberos principal is to be
                     created.

              -x tktpolicy=policy
                     Associates a ticket policy to the Kerberos principal.

              NOTE:

                 · The containerdn and linkdn options cannot be specified with the dn option.

                 · If the dn or containerdn options are not specified while adding the principal,
                   the  principals  are  created  under the principal container configured in the
                   realm or the realm container.

                 · dn and containerdn should  be  within  the  subtrees  or  principal  container
                   configured in the realm.

       Example:

          kadmin: addprinc jennifer
          WARNING: no policy specified for "jennifer@ATHENA.MIT.EDU";
          defaulting to no policy.
          Enter password for principal jennifer@ATHENA.MIT.EDU:
          Re-enter password for principal jennifer@ATHENA.MIT.EDU:
          Principal "jennifer@ATHENA.MIT.EDU" created.
          kadmin:

   modify_principal
          modify_principal [options] principal

       Modifies  the  specified  principal,  changing  the  fields  as specified.  The options to
       add_principal also apply to this command, except for the -randkey, -pw,  and  -e  options.
       In addition, the option -clearpolicy will clear the current policy of a principal.

       This command requires the modify privilege.

       Alias: modprinc

       Options (in addition to the addprinc options):

       -unlock
              Unlocks  a  locked principal (one which has received too many failed authentication
              attempts without enough time between them according to its password policy) so that
              it can successfully authenticate.

   rename_principal
          rename_principal [-force] old_principal new_principal

       Renames   the   specified  old_principal  to  new_principal.   This  command  prompts  for
       confirmation, unless the -force option is given.

       This command requires the add and delete privileges.

       Alias: renprinc

   delete_principal
          delete_principal [-force] principal

       Deletes the specified principal from the database.  This  command  prompts  for  deletion,
       unless the -force option is given.

       This command requires the delete privilege.

       Alias: delprinc

   change_password
          change_password [options] principal

       Changes  the password of principal.  Prompts for a new password if neither -randkey or -pw
       is specified.

       This command requires the changepw privilege, or that the principal running the program is
       the same as the principal being changed.

       Alias: cpw

       The following options are available:

       -randkey
              Sets the key of the principal to a random value.

       -pw password
              Set the password to the specified string.  Using this option in a script may expose
              the password to other users on the system via the process list.

       -e enc:salt,...
              Uses the specified keysalt list  for  setting  the  keys  of  the  principal.   See
              Keysalt_lists in kdc.conf(5) for a list of possible values.

       -keepold
              Keeps the existing keys in the database.  This flag is usually not necessary except
              perhaps for krbtgt principals.

       Example:

          kadmin: cpw systest
          Enter password for principal systest@BLEEP.COM:
          Re-enter password for principal systest@BLEEP.COM:
          Password for systest@BLEEP.COM changed.
          kadmin:

   purgekeys
          purgekeys [-all|-keepkvno oldest_kvno_to_keep] principal

       Purges previously retained old keys (e.g., from change_password -keepold) from  principal.
       If   -keepkvno   is   specified,   then   only   purges   keys   with   kvnos  lower  than
       oldest_kvno_to_keep.  If -all is specified, then all keys are purged.  The -all option  is
       new in release 1.12.

       This command requires the modify privilege.

   get_principal
          get_principal [-terse] principal

       Gets  the  attributes  of  principal.   With  the  -terse option, outputs fields as quoted
       tab-separated strings.

       This command requires the inquire privilege, or that the principal running the the program
       to be the same as the one being listed.

       Alias: getprinc

       Examples:

          kadmin: getprinc tlyu/admin
          Principal: tlyu/admin@BLEEP.COM
          Expiration date: [never]
          Last password change: Mon Aug 12 14:16:47 EDT 1996
          Password expiration date: [none]
          Maximum ticket life: 0 days 10:00:00
          Maximum renewable life: 7 days 00:00:00
          Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
          Last successful authentication: [never]
          Last failed authentication: [never]
          Failed password attempts: 0
          Number of keys: 2
          Key: vno 1, des-cbc-crc
          Key: vno 1, des-cbc-crc:v4
          Attributes:
          Policy: [none]

          kadmin: getprinc -terse systest
          systest@BLEEP.COM   3    86400     604800    1
          785926535 753241234 785900000
          tlyu/admin@BLEEP.COM     786100034 0    0
          kadmin:

   list_principals
          list_principals [expression]

       Retrieves  all  or some principal names.  expression is a shell-style glob expression that
       can contain the wild-card characters ?, *, and  [].   All  principal  names  matching  the
       expression  are  printed.   If no expression is provided, all principal names are printed.
       If the expression does not contain an @ character, an @ character followed  by  the  local
       realm is appended to the expression.

       This command requires the list privilege.

       Alias: listprincs, get_principals, get_princs

       Example:

          kadmin:  listprincs test*
          test3@SECURE-TEST.OV.COM
          test2@SECURE-TEST.OV.COM
          test1@SECURE-TEST.OV.COM
          testuser@SECURE-TEST.OV.COM
          kadmin:

   get_strings
          get_strings principal

       Displays string attributes on principal.

       This command requires the inquire privilege.

       Alias: getstr

   set_string
          set_string principal name value

       Sets  a string attribute on principal.  String attributes are used to supply per-principal
       configuration to the KDC and some KDC plugin  modules.   The  following  string  attribute
       names are recognized by the KDC:

       session_enctypes
              Specifies  the  encryption  types  supported for session keys when the principal is
              authenticated to as a server.  See Encryption_types in kdc.conf(5) for  a  list  of
              the accepted values.

       otp    Enables  One  Time  Passwords  (OTP) preauthentication for a client principal.  The
              value is a JSON string representing an array of objects, each having optional  type
              and username fields.

       This command requires the modify privilege.

       Alias: setstr

       Example:

          set_string host/foo.mit.edu session_enctypes aes128-cts
          set_string user@FOO.COM otp [{"type":"hotp","username":"custom"}]

   del_string
          del_string principal key

       Deletes a string attribute from principal.

       This command requires the delete privilege.

       Alias: delstr

   add_policy
          add_policy [options] policy

       Adds a password policy named policy to the database.

       This command requires the add privilege.

       Alias: addpol

       The following options are available:

       -maxlife time
              (getdate string) Sets the maximum lifetime of a password.

       -minlife time
              (getdate string) Sets the minimum lifetime of a password.

       -minlength length
              Sets the minimum length of a password.

       -minclasses number
              Sets  the  minimum  number  of  character classes required in a password.  The five
              character  classes  are  lower  case,  upper  case,   numbers,   punctuation,   and
              whitespace/unprintable characters.

       -history number
              Sets  the  number  of past keys kept for a principal.  This option is not supported
              with the LDAP KDC database module.

       -maxfailure maxnumber
              Sets the  number  of  authentication  failures  before  the  principal  is  locked.
              Authentication   failures   are   only   tracked   for   principals  which  require
              preauthentication.  The counter of failed attempts resets to 0 after  a  successful
              attempt to authenticate.  A maxnumber value of 0 (the default) disables lockout.

       -failurecountinterval failuretime
              (getdate  string)  Sets  the allowable time between authentication failures.  If an
              authentication failure happens after failuretime has  elapsed  since  the  previous
              failure,  the number of authentication failures is reset to 1.  A failuretime value
              of 0 (the default) means forever.

       -lockoutduration lockouttime
              (getdate string)  Sets  the  duration  for  which  the  principal  is  locked  from
              authenticating  if  too  many  authentication  failures occur without the specified
              failure count interval elapsing.  A duration of 0 (the default) means the principal
              remains locked out until it is administratively unlocked with modprinc -unlock.

       -allowedkeysalts
              Specifies the key/salt tuples supported for long-term keys when setting or changing
              a principal's password/keys.  See Keysalt_lists in kdc.conf(5) for a  list  of  the
              accepted  values, but note that key/salt tuples must be separated with commas (',')
              only.  To clear the allowed key/salt policy use a value of '-'.

       Example:

          kadmin: add_policy -maxlife "2 days" -minlength 5 guests
          kadmin:

   modify_policy
          modify_policy [options] policy

       Modifies the password policy named policy.  Options are as described for add_policy.

       This command requires the modify privilege.

       Alias: modpol

   delete_policy
          delete_policy [-force] policy

       Deletes the password policy named policy.  Prompts for confirmation before deletion.   The
       command will fail if the policy is in use by any principals.

       This command requires the delete privilege.

       Alias: delpol

       Example:

          kadmin: del_policy guests
          Are you sure you want to delete the policy "guests"?
          (yes/no): yes
          kadmin:

   get_policy
          get_policy [ -terse ] policy

       Displays  the  values  of the password policy named policy.  With the -terse flag, outputs
       the fields as quoted strings separated by tabs.

       This command requires the inquire privilege.

       Alias: getpol

       Examples:

          kadmin: get_policy admin
          Policy: admin
          Maximum password life: 180 days 00:00:00
          Minimum password life: 00:00:00
          Minimum password length: 6
          Minimum number of password character classes: 2
          Number of old keys kept: 5
          Reference count: 17

          kadmin: get_policy -terse admin
          admin     15552000  0    6    2    5    17
          kadmin:

       The "Reference count" is the number of principals using that policy.  With  the  LDAP  KDC
       database module, the reference count field is not meaningful.

   list_policies
          list_policies [expression]

       Retrieves  all or some policy names.  expression is a shell-style glob expression that can
       contain the wild-card characters ?, *, and [].  All policy names matching  the  expression
       are printed.  If no expression is provided, all existing policy names are printed.

       This command requires the list privilege.

       Aliases: listpols, get_policies, getpols.

       Examples:

          kadmin:  listpols
          test-pol
          dict-only
          once-a-min
          test-pol-nopw

          kadmin:  listpols t*
          test-pol
          test-pol-nopw
          kadmin:

   ktadd
          ktadd [options] principal
          ktadd [options] -glob princ-exp

       Adds  a  principal,  or  all  principals  matching  princ-exp,  to  a  keytab  file.  Each
       principal's keys are randomized in the process.  The rules for princ-exp are described  in
       the list_principals command.

       This  command  requires the inquire and changepw privileges.  With the -glob form, it also
       requires the list privilege.

       The options are:

       -k[eytab] keytab
              Use keytab as the keytab file.  Otherwise, the default keytab is used.

       -e enc:salt,...
              Uses the specified keysalt list for setting the new keys  of  the  principal.   See
              Keysalt_lists in kdc.conf(5) for a list of possible values.

       -q     Display less verbose information.

       -norandkey
              Do not randomize the keys. The keys and their version numbers stay unchanged.  This
              option is only available in kadmin.local, and cannot be  specified  in  combination
              with the -e option.

       An  entry  for each of the principal's unique encryption types is added, ignoring multiple
       keys with the same encryption type but different salt types.

       Example:

          kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
          Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with kvno 3,
               encryption type aes256-cts-hmac-sha1-96 added to keytab
               FILE:/tmp/foo-new-keytab
          kadmin:

   ktremove
          ktremove [options] principal [kvno | all | old]

       Removes entries for the specified principal from a keytab.  Requires no permissions, since
       this does not require database access.

       If  the  string  "all"  is  specified,  all entries for that principal are removed; if the
       string "old" is specified, all entries for that principal except those  with  the  highest
       kvno are removed.  Otherwise, the value specified is parsed as an integer, and all entries
       whose kvno match that integer are removed.

       The options are:

       -k[eytab] keytab
              Use keytab as the keytab file.  Otherwise, the default keytab is used.

       -q     Display less verbose information.

       Example:

          kadmin: ktremove kadmin/admin all
          Entry for principal kadmin/admin with kvno 3 removed from keytab
               FILE:/etc/krb5.keytab
          kadmin:

   lock
       Lock database exclusively.  Use with extreme caution!  This command only  works  with  the
       DB2 KDC database module.

   unlock
       Release the exclusive database lock.

   list_requests
       Lists available for kadmin requests.

       Aliases: lr, ?

   quit
       Exit program.  If the database was locked, the lock is released.

       Aliases: exit, q

HISTORY

       The  kadmin  program  was  originally  written  by  Tom  Yu at MIT, as an interface to the
       OpenVision Kerberos administration program.

SEE ALSO

       kpasswd(1), kadmind(8)

AUTHOR

       MIT

COPYRIGHT

       1985-2015, MIT