Manual Pages for UNIX Darwin command on man kadmin

KADMIN(8) KADMIN(8)

NAME

kadmin - Kerberos V5 database administration program

SYNOPSIS
       kadmin [-O | -N] [-r realm] [-p principal] [-q query]
              [[-c cachename] | [-k [-t keytab]]] [-w password]
              [-s adminserver[:port]]

       kadmin.local [-r realm] [-p principal] [-q query]
              [-d dbname] [-e "enc:salt ..."] [-m] [-x dbargs]

DESCRIPTION
       kadmin and kadmin.local are command-line interfaces to the Kerberos V5
       KADM5 administration system.  Both provide identical functionality;
       the difference is that kadmin.local runs on the master KDC (if the
       database is db2) and does not use Kerberos to authenticate to the
       database.  Except as explicitly noted otherwise, this man page uses
       kadmin to refer to both versions.  kadmin provides for the
       maintenance of Kerberos principals, KADM5 policies, and service key
       tables (keytabs).

       The remote version uses Kerberos authentication and an encrypted RPC
       to operate securely from anywhere on the network.  It authenticates
       to the KADM5 server using the service principal kadmin/admin.  If the
       credentials cache contains a ticket for the kadmin/admin principal,
       and the -c credentialscache option is specified, that ticket is used
       to authenticate to KADM5.  Otherwise, the -p and -k options are used
       to specify the client Kerberos principal name used to authenticate.
       Once kadmin has determined the principal name, it requests a
       kadmin/admin Kerberos service ticket from the KDC, and uses that
       service ticket to authenticate to KADM5.

       If the database is db2, the local client kadmin.local is intended to
       run directly on the master KDC without Kerberos authentication.  The
       local version provides all of the functionality of the now obsolete
       kdb5_edit(8), except for database dump and load, which is now
       provided by the kdb5_util(8) utility.

       If the database is LDAP, kadmin.local need not be run on the KDC.
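       The authentication precedence just described (an existing
       credentials cache via -c, otherwise a principal plus keytab via -p
       and -k) is what a script should follow when it drives kadmin
       non-interactively.  The Python below is an added example, not code
       from this man page or from MIT Kerberos: it builds the argument
       vector for a single -q query and refuses to put a password on the
       command line, either through -w or through a -pw inside the query,
       because arguments are visible to every local user in ps(1).  The
       keytab path and admin principal name used in the usage line are
       assumptions.

```python
"""Added example (not from the kadmin man page): build a kadmin
command line for one non-interactive query, following the page's
authentication precedence and keeping passwords out of argv."""
import re
import subprocess
from typing import List, Optional

# "-pw secret" or "-w secret" inside the query text would expose the
# secret in the process list exactly like the -w option does.
_PASSWORD_IN_QUERY = re.compile(r"(^|\s)-(pw|w)\s")


def kadmin_argv(query: str,
                principal: Optional[str] = None,
                keytab: Optional[str] = None,
                ccache: Optional[str] = None,
                realm: Optional[str] = None,
                admin_server: Optional[str] = None,
                local: bool = False) -> List[str]:
    """Argument vector for `kadmin ... -q query` (or kadmin.local).

    Precedence mirrors the DESCRIPTION: a credentials cache that
    already holds a kadmin/admin ticket wins; otherwise -p names the
    client principal and -k/-t name the keytab used to decrypt the
    KDC reply.  The list form is meant for subprocess.run(shell=False)
    so the query is never re-parsed by a shell.
    """
    if _PASSWORD_IN_QUERY.search(query):
        raise ValueError("refusing to pass a cleartext password in argv")
    argv = ["kadmin.local" if local else "kadmin"]
    if realm:
        argv += ["-r", realm]
    if not local:                         # kadmin.local reads the DB directly
        if admin_server:
            argv += ["-s", admin_server]
        if ccache:
            argv += ["-c", ccache]        # ticket for kadmin/admin already held
        else:
            if principal:
                argv += ["-p", principal]  # else kadmin appends /admin to $USER
            argv += ["-k"]                 # decrypt the KDC reply with a keytab
            if keytab:
                argv += ["-t", keytab]     # else the default keytab is used
    argv += ["-q", query]
    return argv


def run_query(query: str, **auth) -> str:
    """Run one query and return kadmin's stdout; non-zero exit raises."""
    proc = subprocess.run(kadmin_argv(query, **auth),
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Assumed names: an ops/admin principal whose key is in /etc/krb5.keytab.
    print(" ".join(kadmin_argv("listprincs", principal="ops/admin",
                               keytab="/etc/krb5.keytab")))
```

       A randomized key (-randkey) is the safe way to create service
       principals from such a script; if a human-chosen password is
       unavoidable, let kadmin prompt on the TTY rather than passing it
       through the query.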

OPTIONS
       -r realm
              Use realm as the default database realm.

       -p principal
              Use principal to authenticate.  Otherwise, kadmin will append
              "/admin" to the primary principal name of the default ccache,
              the value of the USER environment variable, or the username as
              obtained with getpwuid, in order of preference.

       -k     Use a keytab to decrypt the KDC response instead of prompting
              for a password on the TTY.  In this case, the default
              principal will be host/hostname.  If there is no keytab
              specified with the -t option, then the default keytab will be
              used.

       -t keytab
              Use keytab to decrypt the KDC response.  This can only be used
              with the -k option.

       -c credentialscache
              Use credentialscache as the credentials cache.  The
              credentials cache should contain a service ticket for the
              kadmin/admin service; it can be acquired with the kinit(1)
              program.  If this option is not specified, kadmin requests a
              new service ticket from the KDC, and stores it in its own
              temporary ccache.

       -w password
              Use password instead of prompting for one on the TTY.  Note:
              placing the password for a Kerberos principal with
              administration access into a shell script can be dangerous if
              unauthorized users gain read access to the script.  The
              password also appears in the process's argument list, where
              other local users can read it with ps(1).

       -q query
              Pass query directly to kadmin, which will perform query and
              then exit.  This can be useful for writing scripts.

       -d dbname
              Specifies the name of the Kerberos database.  This option does
              not apply to the LDAP database.

       -s adminserver[:port]
              Specifies the admin server which kadmin should contact.

       -m     Do not authenticate using a keytab.  This option will cause
              kadmin to prompt for the master database password.

       -e enc:saltlist
              Sets the list of encryption types and salt types to be used
              for any new keys created.

       -O     Force use of the old AUTH_GSSAPI authentication flavor.

       -N     Prevent fallback to the AUTH_GSSAPI authentication flavor.

       -x dbargs
              Specifies the database specific arguments.  Options supported
              for the LDAP database are:

              -x host=
                     Specifies the LDAP server to connect to by an LDAP URI.

              -x binddn=
                     Specifies the DN of the object used by the
                     administration server to bind to the LDAP server.  This
                     object should have read and write rights on the realm
                     container, the principal container and the subtree that
                     is referenced by the realm.

              -x bindpwd=
                     Specifies the password for the above mentioned binddn.
                     It is recommended not to use this option.  Instead, the
                     password can be stashed using the stashsrvpw command of
                     kdb5_ldap_util.

DATE FORMAT

       Various commands in kadmin can take a variety of date formats,
       specifying durations or absolute times.  Examples of valid formats
       are:

              1 month ago
              2 hours ago
              400000 seconds ago
              last year
              this Monday
              next Monday
              yesterday
              tomorrow
              now
              second Monday
              a fortnight ago
              3/31/92 10:00:07 PST
              January 23, 1987 10:05pm
              22:00 GMT

       Dates which do not have the "ago" specifier default to being absolute
       dates, unless they appear in a field where a duration is expected.
       In that case the time specifier will be interpreted as relative.
       Specifying "ago" in a duration may result in unexpected behavior.

COMMANDS
       add_principal [options] newprinc
              creates the principal newprinc, prompting twice for a
              password.

              If no policy is specified with the -policy option, and the
              policy named "default" exists, then that policy is assigned to
              the principal; note that the assignment of the policy
              "default" only occurs automatically when a principal is first
              created, so the policy "default" must already exist for the
              assignment to occur.  This assignment of "default" can be
              suppressed with the -clearpolicy option.  This command
              requires the add privilege.  This command has the aliases
              addprinc and ank.  The options are:

              -x dbprincargs
                     Denotes the database specific options.  The options for
                     the LDAP database are:

                     -x dn=
                            Specifies the LDAP object that will contain the
                            Kerberos principal being created.

                     -x linkdn=
                            Specifies the LDAP object to which the newly
                            created Kerberos principal object will point.

                     -x containerdn=
                            Specifies the container object under which the
                            Kerberos principal is to be created.

                     -x tktpolicy=
                            Associates a ticket policy with the Kerberos
                            principal.

              -expire expdate
                     expiration date of the principal

              -pwexpire pwexpdate
                     password expiration date

              -maxlife maxlife
                     maximum ticket life for the principal

              -maxrenewlife maxrenewlife
                     maximum renewable life of tickets for the principal

              -kvno kvno
                     explicitly set the key version number.

              -policy policy
                     policy used by this principal.  If no policy is
                     supplied, then if the policy "default" exists and
                     -clearpolicy is not also specified, then the policy
                     "default" is used; otherwise, the principal will have no
                     policy, and a warning message will be printed.

              -clearpolicy
                     -clearpolicy prevents the policy "default" from being
                     assigned when -policy is not specified.  This option has
                     no effect if the policy "default" does not exist.

              {-|+}allow_postdated
                     -allow_postdated prohibits this principal from obtaining
                     postdated tickets.  (Sets the KRB5_KDB_DISALLOW_POSTDATED
                     flag.)  +allow_postdated clears this flag.

              {-|+}allow_forwardable
                     -allow_forwardable prohibits this principal from
                     obtaining forwardable tickets.  (Sets the
                     KRB5_KDB_DISALLOW_FORWARDABLE flag.)  +allow_forwardable
                     clears this flag.

              {-|+}allow_renewable
                     -allow_renewable prohibits this principal from obtaining
                     renewable tickets.  (Sets the KRB5_KDB_DISALLOW_RENEWABLE
                     flag.)  +allow_renewable clears this flag.

              {-|+}allow_proxiable
                     -allow_proxiable prohibits this principal from obtaining
                     proxiable tickets.  (Sets the KRB5_KDB_DISALLOW_PROXIABLE
                     flag.)  +allow_proxiable clears this flag.

              {-|+}allow_dup_skey
                     -allow_dup_skey disables user-to-user authentication for
                     this principal by prohibiting this principal from
                     obtaining a session key for another user.  (Sets the
                     KRB5_KDB_DISALLOW_DUP_SKEY flag.)  +allow_dup_skey
                     clears this flag.

              {-|+}requires_preauth
                     +requires_preauth requires this principal to
                     preauthenticate before being allowed to kinit.  (Sets
                     the KRB5_KDB_REQUIRES_PRE_AUTH flag.)  -requires_preauth
                     clears this flag.

              {-|+}requires_hwauth
                     +requires_hwauth requires this principal to
                     preauthenticate using a hardware device before being
                     allowed to kinit.  (Sets the KRB5_KDB_REQUIRES_HW_AUTH
                     flag.)  -requires_hwauth clears this flag.

              {-|+}allow_svr
                     -allow_svr prohibits the issuance of service tickets for
                     this principal.  (Sets the KRB5_KDB_DISALLOW_SVR flag.)
                     +allow_svr clears this flag.

              {-|+}allow_tgs_req
                     -allow_tgs_req specifies that a Ticket-Granting Service
                     (TGS) request for a service ticket for this principal is
                     not permitted.  This option is useless for most things.
                     +allow_tgs_req clears this flag.  The default is
                     +allow_tgs_req.  In effect, -allow_tgs_req sets the
                     KRB5_KDB_DISALLOW_TGT_BASED flag on the principal in the
                     database.

              {-|+}allow_tix
                     -allow_tix forbids the issuance of any tickets for this
                     principal.  +allow_tix clears this flag.  The default is
                     +allow_tix.  In effect, -allow_tix sets the
                     KRB5_KDB_DISALLOW_ALL_TIX flag on the principal in the
                     database.

              {-|+}needchange
                     +needchange sets a flag in the attributes field to force
                     a password change; -needchange clears it.  The default
                     is -needchange.  In effect, +needchange sets the
                     KRB5_KDB_REQUIRES_PWCHANGE flag on the principal in the
                     database.

              {-|+}password_changing_service
                     +password_changing_service sets a flag in the attributes
                     field marking this as a password change service
                     principal (useless for most things).
                     -password_changing_service clears the flag.  This flag
                     intentionally has a long name.  The default is
                     -password_changing_service.  In effect,
                     +password_changing_service sets the
                     KRB5_KDB_PWCHANGE_SERVICE flag on the principal in the
                     database.

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     sets the key of the principal to the specified string
                     and does not prompt for a password.  Note: using this
                     option in a shell script can be dangerous if
                     unauthorized users gain read access to the script.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.
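              Each of the {-|+} options above sets or clears one KRB5_KDB_*
              bit in the principal's attributes field, which get_principal
              prints by name and, with -terse, as a single integer.  The
              Python below is an added example, not code from this man page
              or from MIT Kerberos: it decodes that integer, produces the
              option words for a modify_principal command, and audits a
              service principal's flags.  The bit values are an assumption
              taken from MIT's include/kdb.h; this page does not list them.

```python
"""Added example (not from the kadmin man page): decode and encode the
principal attribute bits that the {-|+} kadmin flags control."""
from typing import Dict, List, Tuple

# KRB5_KDB_* bit values, assumed from MIT krb5's include/kdb.h.
ATTR_BITS: Dict[str, int] = {
    "DISALLOW_POSTDATED":   0x00000001,
    "DISALLOW_FORWARDABLE": 0x00000002,
    "DISALLOW_TGT_BASED":   0x00000004,
    "DISALLOW_RENEWABLE":   0x00000008,
    "DISALLOW_PROXIABLE":   0x00000010,
    "DISALLOW_DUP_SKEY":    0x00000020,
    "DISALLOW_ALL_TIX":     0x00000040,
    "REQUIRES_PRE_AUTH":    0x00000080,
    "REQUIRES_HW_AUTH":     0x00000100,
    "REQUIRES_PWCHANGE":    0x00000200,
    "DISALLOW_SVR":         0x00001000,
    "PWCHANGE_SERVICE":     0x00002000,
}

# The kadmin option that controls each bit and the sign that SETS it
# (per this page: "-allow_*" sets a DISALLOW bit, "+requires_*" sets
# a REQUIRES bit).
OPTION_FOR_BIT: Dict[str, Tuple[str, str]] = {
    "DISALLOW_POSTDATED":   ("allow_postdated", "-"),
    "DISALLOW_FORWARDABLE": ("allow_forwardable", "-"),
    "DISALLOW_TGT_BASED":   ("allow_tgs_req", "-"),
    "DISALLOW_RENEWABLE":   ("allow_renewable", "-"),
    "DISALLOW_PROXIABLE":   ("allow_proxiable", "-"),
    "DISALLOW_DUP_SKEY":    ("allow_dup_skey", "-"),
    "DISALLOW_ALL_TIX":     ("allow_tix", "-"),
    "REQUIRES_PRE_AUTH":    ("requires_preauth", "+"),
    "REQUIRES_HW_AUTH":     ("requires_hwauth", "+"),
    "REQUIRES_PWCHANGE":    ("needchange", "+"),
    "DISALLOW_SVR":         ("allow_svr", "-"),
    "PWCHANGE_SERVICE":     ("password_changing_service", "+"),
}


def decode_attributes(mask: int) -> List[str]:
    """Names of the bits set in a getprinc -terse attributes integer."""
    return [name for name, bit in ATTR_BITS.items() if mask & bit]


def encode_attributes(names: List[str]) -> int:
    """Inverse of decode_attributes."""
    mask = 0
    for name in names:
        mask |= ATTR_BITS[name]
    return mask


def flag_options(want_set: List[str], want_clear: List[str] = ()) -> str:
    """Option words for `modprinc <words> principal` that set the bits
    in want_set and clear those in want_clear."""
    words = []
    for name in want_set:
        opt, sign = OPTION_FOR_BIT[name]
        words.append(sign + opt)
    for name in want_clear:
        opt, sign = OPTION_FOR_BIT[name]
        words.append(("+" if sign == "-" else "-") + opt)
    return " ".join(words)


def audit_service_principal(mask: int) -> List[str]:
    """Findings for a keytab-backed service principal.  Two checks
    restate the page's flag semantics; the first states the well-known
    reason preauthentication exists: without REQUIRES_PRE_AUTH the KDC
    answers an AS-REQ for this principal with material encrypted under
    its long-term key, which can then be attacked offline."""
    attrs = set(decode_attributes(mask))
    findings = []
    if "REQUIRES_PRE_AUTH" not in attrs:
        findings.append("missing +requires_preauth: AS-REP issued without proof of key")
    if "DISALLOW_ALL_TIX" in attrs:
        findings.append("-allow_tix set: no tickets at all will be issued")
    if "DISALLOW_SVR" in attrs:
        findings.append("-allow_svr set: clients cannot obtain service tickets for it")
    return findings


if __name__ == "__main__":
    mask = encode_attributes(["REQUIRES_PRE_AUTH", "DISALLOW_POSTDATED"])
    print(hex(mask), decode_attributes(mask))
    print("modprinc", flag_options(["REQUIRES_PRE_AUTH"], ["DISALLOW_SVR"]),
          "host/foo.mit.edu")
```

              The audit deliberately reads the integer rather than the
              "Attributes:" line, because the terse form is what a script
              collecting principal state will have in hand.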

              EXAMPLE:

              kadmin: addprinc tlyu/admin
              WARNING: no policy specified for "tlyu/admin@BLEEP.COM";
              defaulting to no policy.
              Enter password for principal tlyu/admin@BLEEP.COM:
              Re-enter password for principal tlyu/admin@BLEEP.COM:
              Principal "tlyu/admin@BLEEP.COM" created.
              kadmin:

              kadmin: addprinc -x dn=cn=mwmuser,o=org mwmuser
              WARNING: no policy specified for "mwmuser@BLEEP.COM";
              defaulting to no policy.
              Enter password for principal mwmuser@BLEEP.COM:
              Re-enter password for principal mwmuser@BLEEP.COM:
              Principal "mwmuser@BLEEP.COM" created.
              kadmin:

              ERRORS:

              KADM5_AUTH_ADD (requires "add" privilege)
              KADM5_BAD_MASK (shouldn't happen)
              KADM5_DUP (principal exists already)
              KADM5_UNK_POLICY (policy does not exist)
              KADM5_PASS_Q_* (password quality violations)
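              The -expire, -pwexpire, -maxlife and -maxrenewlife options of
              add_principal take the grammar described under DATE FORMAT.
              The Python below is an added example, not code from this man
              page or from MIT's date parser: it handles "now", "yesterday",
              "tomorrow", relative offsets such as "2 hours ago" or "a
              fortnight ago", bare units in a duration field ("2 days"),
              and two absolute forms from the page's list (m/d/yy HH:MM:SS
              and "Month d, yyyy h:mmam/pm"), applying the page's rule that
              a value without "ago" is absolute except in a duration field.
              Weekday phrases, "last year", and time-zone suffixes are not
              handled, and all times are treated as UTC; both are
              assumptions of this example.

```python
"""Added example (not from the kadmin man page): a parser for a subset
of the DATE FORMAT grammar, including the absolute-vs-duration rule."""
import calendar
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

UNIT_SECONDS = {
    "second": 1, "sec": 1, "minute": 60, "min": 60, "hour": 3600,
    "day": 86400, "week": 7 * 86400, "fortnight": 14 * 86400,
}
WORD_NUMBERS = {"a": 1, "an": 1, "one": 1, "two": 2, "three": 3}
ABSOLUTE_FORMATS = ("%m/%d/%y %H:%M:%S", "%m/%d/%y",
                    "%B %d, %Y %I:%M%p", "%B %d, %Y")


def _add_months(t: datetime, months: int) -> datetime:
    """Calendar-aware month shift; clamps the day to the target month."""
    month_index = t.year * 12 + (t.month - 1) + months
    year, month = divmod(month_index, 12)
    month += 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def _relative(text: str, base: datetime, ago: bool) -> Optional[datetime]:
    """Apply '<n> <unit>[s]' to base; backwards when ago is True."""
    m = re.fullmatch(r"(\S+)\s+([a-z]+?)s?", text)
    if not m:
        return None
    n_text, unit = m.groups()
    n = WORD_NUMBERS.get(n_text)
    if n is None:
        if not n_text.isdigit():
            return None
        n = int(n_text)
    if ago:
        n = -n
    if unit in UNIT_SECONDS:
        return base + timedelta(seconds=n * UNIT_SECONDS[unit])
    if unit == "month":
        return _add_months(base, n)
    if unit == "year":
        return _add_months(base, 12 * n)
    return None


def parse_time(text: str, now: datetime, duration_field: bool = False) -> datetime:
    """Absolute time for text.  Without "ago" the value is absolute,
    unless duration_field is set, in which case it is relative to now."""
    s = " ".join(text.lower().split())
    if s == "now":
        return now
    if s == "yesterday":
        return now - timedelta(days=1)
    if s == "tomorrow":
        return now + timedelta(days=1)
    if s.endswith(" ago"):
        r = _relative(s[:-4], now, ago=True)
        if r is not None:
            return r
    elif duration_field:
        r = _relative(s, now, ago=False)
        if r is not None:
            return r
    for fmt in ABSOLUTE_FORMATS:
        try:
            return datetime.strptime(s, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognized date: {text!r}")


def parse_duration(text: str) -> int:
    """Seconds for a duration-field value such as "2 days".  "ago" is
    refused because the page warns it misbehaves in a duration."""
    s = " ".join(text.lower().split())
    if s.endswith(" ago"):
        raise ValueError('"ago" is not meaningful in a duration field')
    base = datetime(2000, 1, 1, tzinfo=timezone.utc)
    end = _relative(s, base, ago=False)
    if end is None:
        raise ValueError(f"unrecognized duration: {text!r}")
    return int((end - base).total_seconds())


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    print(parse_time("1 month ago", now).isoformat())
    print(parse_duration("2 days"), "seconds")
```

              Month arithmetic clamps the day, so "1 month ago" on 31 March
              lands on the last day of February; a fixed 30-day
              approximation would drift by a day or two on each use.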

       delete_principal [-force] principal
              deletes the specified principal from the database.  This
              command prompts for deletion, unless the -force option is
              given.  This command requires the delete privilege.  Aliased
              to delprinc.

              EXAMPLE:

              kadmin: delprinc mwmuser
              Are you sure you want to delete the principal
              "mwmuser@BLEEP.COM"? (yes/no): yes
              Principal "mwmuser@BLEEP.COM" deleted.
              Make sure that you have removed this principal from all ACLs
              before reusing.
              kadmin:

              ERRORS:

              KADM5_AUTH_DELETE (requires "delete" privilege)
              KADM5_UNK_PRINC (principal does not exist)

       modify_principal [options] principal
              modifies the specified principal, changing the fields as
              specified.  The options are as above for add_principal,
              except that password changing and flags related to password
              changing are forbidden by this command.  In addition, the
              option -clearpolicy will clear the current policy of a
              principal.  This command requires the modify privilege.
              Aliased to modprinc.

              -x dbprincargs
                     Denotes the database specific options.  The options for
                     the LDAP database are:

                     -x tktpolicy=
                            Associates a ticket policy with the Kerberos
                            principal.

                     -x linkdn=
                            Associates a Kerberos principal with an LDAP
                            object.  This option is honored only if the
                            Kerberos principal is not already associated
                            with an LDAP object.

              ERRORS:

              KADM5_AUTH_MODIFY (requires "modify" privilege)
              KADM5_UNK_PRINC (principal does not exist)
              KADM5_UNK_POLICY (policy does not exist)
              KADM5_BAD_MASK (shouldn't happen)

       change_password [options] principal
              changes the password of principal.  Prompts for a new
              password if neither -randkey nor -pw is specified.  Requires
              the changepw privilege, or that the principal that is running
              the program be the same as the one changed.  Aliased to cpw.
              The following options are available:

              -randkey
                     sets the key of the principal to a random value

              -pw password
                     set the password to the specified string.  Not
                     recommended.

              -e "enc:salt ..."
                     uses the specified list of enctype-salttype pairs for
                     setting the key of the principal.  The quotes are
                     necessary if there are multiple enctype-salttype pairs.
                     This will not function against kadmin daemons earlier
                     than krb5-1.2.

              -keepold
                     Keeps the previous kvno's keys around.  There is no
                     easy way to delete the old keys, and this flag is
                     usually not necessary except perhaps for TGS keys.
                     Don't use this flag unless you know what you're doing.
                     This option is not supported for the LDAP database.

              EXAMPLE:

              kadmin: cpw systest
              Enter password for principal systest@BLEEP.COM:
              Re-enter password for principal systest@BLEEP.COM:
              Password for systest@BLEEP.COM changed.
              kadmin:

              ERRORS:

              KADM5_AUTH_MODIFY (requires the modify privilege)
              KADM5_UNK_PRINC (principal does not exist)
              KADM5_PASS_Q_* (password policy violation errors)
              KADM5_PASS_REUSE (password is in principal's password history)
              KADM5_PASS_TOOSOON (current password minimum life not expired)

       get_principal [-terse] principal
              gets the attributes of principal.  Requires the inquire
              privilege, or that the principal that is running the program
              be the same as the one being listed.  With the -terse option,
              outputs fields as quoted tab-separated strings.  Alias
              getprinc.

              EXAMPLES:

              kadmin: getprinc tlyu/admin
              Principal: tlyu/admin@BLEEP.COM
              Expiration date: [never]
              Last password change: Mon Aug 12 14:16:47 EDT 1996
              Password expiration date: [none]
              Maximum ticket life: 0 days 10:00:00
              Maximum renewable life: 7 days 00:00:00
              Last modified: Mon Aug 12 14:16:47 EDT 1996 (bjaspan/admin@BLEEP.COM)
              Last successful authentication: [never]
              Last failed authentication: [never]
              Failed password attempts: 0
              Number of keys: 2
              Key: vno 1, DES cbc mode with CRC-32, no salt
              Key: vno 1, DES cbc mode with CRC-32, Version 4
              Attributes:
              Policy: [none]

              kadmin: getprinc -terse systest
              systest@BLEEP.COM    3    86400    604800    1    785926535
              753241234    785900000    tlyu/admin@BLEEP.COM    786100034    0    0
              kadmin:

              ERRORS:

              KADM5_AUTH_GET (requires the get (inquire) privilege)
              KADM5_UNK_PRINC (principal does not exist)

       list_principals [expression]
              Retrieves all or some principal names.  Expression is a
              shell-style glob expression that can contain the wild-card
              characters ?, *, and []'s.  All principal names matching the
              expression are printed.  If no expression is provided, all
              principal names are printed.  If the expression does not
              contain an "@" character, an "@" character followed by the
              local realm is appended to the expression.  Requires the list
              privilege.  Alias listprincs, get_principals, getprincs.

              EXAMPLES:

              kadmin: listprincs test*
              test3@SECURE-TEST.OV.COM
              test2@SECURE-TEST.OV.COM
              test1@SECURE-TEST.OV.COM
              testuser@SECURE-TEST.OV.COM
              kadmin:

       add_policy [options] policy
              adds the named policy to the policy database.  Requires the
              add privilege.  Aliased to addpol.  The following options are
              available:

              -maxlife time
                     sets the maximum lifetime of a password

              -minlife time
                     sets the minimum lifetime of a password

              -minlength length
                     sets the minimum length of a password

              -minclasses number
                     sets the minimum number of character classes required
                     in a password

              -history number
                     sets the number of past keys kept for a principal.
                     This option is not supported for the LDAP database.

              EXAMPLES:

              kadmin: addpolicy -maxlife "2 days" -minlength 5 guests
              kadmin:

              ERRORS:

              KADM5_AUTH_ADD (requires the add privilege)
              KADM5_DUP (policy already exists)

       delete_policy [-force] policy
              deletes the named policy.  Prompts for confirmation before
              deletion.  The command will fail if the policy is in use by
              any principals.  Requires the delete privilege.  Alias delpol.

              EXAMPLE:

              kadmin: delpolicy guests
              Are you sure you want to delete the policy "guests"?
              (yes/no): yes
              kadmin:

              ERRORS:

              KADM5_AUTH_DELETE (requires the delete privilege)
              KADM5_UNK_POLICY (policy does not exist)
              KADM5_POLICY_REF (reference count on policy is not zero)

       modify_policy [options] policy
              modifies the named policy.  Options are as above for
              add_policy.  Requires the modify privilege.  Alias modpol.

              ERRORS:

              KADM5_AUTH_MODIFY (requires the modify privilege)
              KADM5_UNK_POLICY (policy does not exist)

       get_policy [-terse] policy
              displays the values of the named policy.  Requires the
              inquire privilege.  With the -terse flag, outputs the fields
              as quoted strings separated by tabs.  Alias getpol.

              EXAMPLES:

              kadmin: getpolicy admin
              Policy: admin
              Maximum password life: 180 days 00:00:00
              Minimum password life: 00:00:00
              Minimum password length: 6
              Minimum number of password character classes: 2
              Number of old keys kept: 5
              Reference count: 17

              kadmin: getpolicy -terse admin
              admin    15552000    0    6    2    5    17
              kadmin:

              ERRORS:

              KADM5_AUTH_GET (requires the get privilege)
              KADM5_UNK_POLICY (policy does not exist)

       list_policies [expression]
              Retrieves all or some policy names.  Expression is a
              shell-style glob expression that can contain the wild-card
              characters ?, *, and []'s.  All policy names matching the
              expression are printed.  If no expression is provided, all
              existing policy names are printed.  Requires the list
              privilege.  Alias listpols, get_policies, getpols.

              EXAMPLES:

              kadmin: listpols
              test-pol
              dict-only
              once-a-min
              test-pol-nopw

              kadmin: listpols t*
              test-pol
              test-pol-nopw
              kadmin:
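       The policy fields shown by get_policy (-minlength, -minclasses,
       -minlife, -history) are the checks a password change is held to,
       and the KADM5_PASS_* errors listed under change_password are how a
       failure is reported.  The Python below is an added example, not
       code from this man page or from kadmind: it applies those checks
       locally so a candidate password can be tested against a policy
       such as the "admin" policy above before a change is attempted.
       The five character classes (lower, upper, digit, punctuation,
       other) are those MIT's built-in quality check counts; representing
       the key history as salted SHA-256 digests is an assumption of this
       example, not how the KDC stores old keys.

```python
"""Added example (not from the kadmin man page): apply a KADM5 policy's
length, class, minimum-life and history checks to a candidate
password, reporting the KADM5 error names used on the page."""
import hashlib
import string
from dataclasses import dataclass, field
from typing import List


@dataclass
class Policy:
    name: str
    maxlife: int = 0          # seconds; 0 = passwords never expire
    minlife: int = 0          # seconds before the password may change again
    minlength: int = 1
    minclasses: int = 1
    history: int = 1          # keys remembered, current one included (assumption)


@dataclass
class PrincipalState:
    last_pwd_change: int                                  # epoch seconds
    key_history: List[str] = field(default_factory=list)  # newest first


def character_classes(password: str) -> int:
    """Count of the five classes present: lower, upper, digit,
    punctuation, other (anything else, e.g. space or non-ASCII)."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in string.punctuation:
            classes.add("punct")
        else:
            classes.add("other")
    return len(classes)


def key_of(password: str, principal: str) -> str:
    """Stand-in for the stored key, salted with the principal name so the
    history never holds cleartext and identical passwords for different
    principals do not collide (assumption of this example)."""
    return hashlib.sha256((principal + password).encode()).hexdigest()


def check_password(policy: Policy, state: PrincipalState, principal: str,
                   password: str, now: int) -> List[str]:
    """Violations named after the KADM5 errors on this page; an empty
    list means these checks would accept the change."""
    errors = []
    if len(password) < policy.minlength:
        errors.append("KADM5_PASS_Q_TOOSHORT")
    if character_classes(password) < policy.minclasses:
        errors.append("KADM5_PASS_Q_CLASS")
    if now - state.last_pwd_change < policy.minlife:
        errors.append("KADM5_PASS_TOOSOON")
    if key_of(password, principal) in state.key_history[:policy.history]:
        errors.append("KADM5_PASS_REUSE")
    return errors


def change_password(policy: Policy, state: PrincipalState, principal: str,
                    password: str, now: int) -> List[str]:
    """Apply the change when it passes, trimming history to the policy."""
    errors = check_password(policy, state, principal, password, now)
    if errors:
        return errors
    state.key_history.insert(0, key_of(password, principal))
    del state.key_history[policy.history:]
    state.last_pwd_change = now
    return []


if __name__ == "__main__":
    # The "admin" policy printed by getpolicy above.
    admin = Policy("admin", maxlife=15552000, minlife=0, minlength=6,
                   minclasses=2, history=5)
    st = PrincipalState(last_pwd_change=0)
    print(check_password(admin, st, "systest@BLEEP.COM", "abc", 100))
```

       A dictionary check (KADM5_PASS_Q_DICT against kadm5.dict, listed
       under FILES) is the one policy element this example leaves out.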

       ktadd [-k keytab] [-q] [-e keysaltlist]
             [principal | -glob princ-exp] [...]
              Adds a principal or all principals matching princ-exp to a
              keytab, randomizing each principal's key in the process.
              Requires the inquire and changepw privileges.  An entry for
              each of the principal's unique encryption types is added,
              ignoring multiple keys with the same encryption type but
              different salt types.  If the -k argument is not specified,
              the default keytab /etc/krb5.keytab is used.  If the -q option
              is specified, less verbose status information is displayed.
              Because the key is randomized, any other keytab that holds
              the principal's previous key stops working once the new kvno
              is in the database.

              The -glob option requires the list privilege.  princ-exp
              follows the same rules described for the list_principals
              command.

              EXAMPLE:

              kadmin: ktadd -k /tmp/foo-new-keytab host/foo.mit.edu
              Entry for principal host/foo.mit.edu@ATHENA.MIT.EDU with
              kvno 3, encryption type DES-CBC-CRC added to keytab
              WRFILE:/tmp/foo-new-keytab
              kadmin:

       ktremove [-k keytab] [-q] principal [kvno | all | old]
              Removes entries for the specified principal from a keytab.
              Requires no permissions, since this does not require database
              access.  If the string "all" is specified, all entries for
              that principal are removed; if the string "old" is specified,
              all entries for that principal except those with the highest
              kvno are removed.  Otherwise, the value specified is parsed as
              an integer, and all entries whose kvno match that integer are
              removed.  If the -k argument is not specified, the default
              keytab /etc/krb5.keytab is used.  If the -q option is
              specified, less verbose status information is displayed.

              EXAMPLE:

              kadmin: ktremove -k /var/db/krb5kdc/kadmind.keytab kadmin/admin
              Entry for principal kadmin/admin with kvno 3 removed
              from keytab WRFILE:/var/db/krb5kdc/kadmind.keytab.
              kadmin:
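       The kvno | all | old selection that ktremove applies is easy to
       get wrong on a shared keytab, and ktremove needs no privilege to
       run, so it pays to see which entries a command would delete before
       running it.  The Python below is an added example, not code from
       this man page or from MIT Kerberos: it reads a keytab file (the
       version 0x0502 layout: big-endian sizes, counted strings, a one-byte
       kvno and an optional 32-bit kvno after the key block), lists the
       entries, and returns exactly the entries a given ktremove would
       remove.  The sample keytab is constructed inside the example with
       dummy key bytes; enctype numbers 17 and 18 are AES-128 and AES-256.

```python
"""Added example (not from the kadmin man page): parse a keytab and
compute what `ktremove principal [kvno | all | old]` would remove."""
import struct
from dataclasses import dataclass
from typing import List

KEYTAB_MAGIC = b"\x05\x02"    # keytab file format version 2


@dataclass
class Entry:
    principal: str            # "primary/instance@REALM"
    name_type: int            # 1 = KRB5_NT_PRINCIPAL
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(data: bytes) -> bytes:
    return struct.pack(">H", len(data)) + data


def encode_entry(e: Entry) -> bytes:
    """Serialize one entry, including the 32-bit kvno that newer krb5
    writes after the key block (needed when kvno exceeds 255)."""
    name, realm = e.principal.rsplit("@", 1)
    components = name.split("/")
    body = struct.pack(">H", len(components))      # realm is not counted
    body += _counted(realm.encode())
    for c in components:
        body += _counted(c.encode())
    body += struct.pack(">IIB", e.name_type, e.timestamp, e.kvno & 0xFF)
    body += struct.pack(">H", e.enctype) + _counted(e.key)
    body += struct.pack(">I", e.kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries: List[Entry]) -> bytes:
    return KEYTAB_MAGIC + b"".join(encode_entry(e) for e in entries)


def parse_keytab(blob: bytes) -> List[Entry]:
    if blob[:2] != KEYTAB_MAGIC:
        raise ValueError("not a version-2 keytab")
    out, pos = [], 2
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:                       # negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", blob, pos); pos += 2
        strings = []
        for _ in range(ncomp + 1):         # realm first, then the components
            (n,) = struct.unpack_from(">H", blob, pos); pos += 2
            strings.append(blob[pos:pos + n].decode()); pos += n
        name_type, ts, vno8 = struct.unpack_from(">IIB", blob, pos); pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos); pos += 4
        key = blob[pos:pos + klen]; pos += klen
        kvno = vno8
        if end - pos >= 4:                 # optional 32-bit kvno present
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            if kvno32:
                kvno = kvno32
        pos = end
        out.append(Entry("/".join(strings[1:]) + "@" + strings[0],
                         name_type, ts, kvno, enctype, key))
    return out


def select_for_removal(entries: List[Entry], principal: str, spec: str) -> List[Entry]:
    """Entries `ktremove principal spec` removes.  principal must carry
    its realm; spec is "all", "old" (all but the highest kvno) or a
    decimal kvno."""
    mine = [e for e in entries if e.principal == principal]
    if spec == "all":
        return mine
    if spec == "old":
        newest = max((e.kvno for e in mine), default=None)
        return [e for e in mine if e.kvno != newest]
    kvno = int(spec)
    return [e for e in mine if e.kvno == kvno]


# Constructed sample: two kvnos for a host principal plus kadmin/admin.
SAMPLE = build_keytab([
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 1, 1000, 2, 18, b"\x11" * 32),
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 1, 1000, 2, 17, b"\x22" * 16),
    Entry("host/foo.mit.edu@ATHENA.MIT.EDU", 1, 2000, 3, 18, b"\x33" * 32),
    Entry("kadmin/admin@ATHENA.MIT.EDU", 1, 3000, 3, 18, b"\x44" * 32),
])

if __name__ == "__main__":
    for e in select_for_removal(parse_keytab(SAMPLE),
                                "host/foo.mit.edu@ATHENA.MIT.EDU", "old"):
        print(f"would remove {e.principal} kvno {e.kvno} enctype {e.enctype}")
```

       To inspect a real file, pass the bytes of /etc/krb5.keytab to
       parse_keytab; the dummy keys above are only so the sample runs
       offline.  "old" keeps every entry at the highest kvno, so a
       principal with one AES-128 and one AES-256 key at that kvno keeps
       both, matching the per-enctype entries ktadd writes.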

FILES
       principal.db        default name for Kerberos principal database

       <dbname>.kadm5      KADM5 administrative database.  (This would be
                           "principal.kadm5", if you use the default
                           database name.)  Contains policy information.

       <dbname>.kadm5.lock
                           lock file for the KADM5 administrative database.
                           This file works backwards from most other lock
                           files.  I.e., kadmin will exit with an error if
                           this file does not exist.

       Note: The above three files are specific to the db2 database.

       kadm5.acl           file containing the list of principals and their
                           kadmin administrative privileges.  See kadmind(8)
                           for a description.

       kadm5.keytab        keytab file for the kadmin/admin principal.

       kadm5.dict          file containing a dictionary of strings
                           explicitly disallowed as passwords.

HISTORY
       The kadmin program was originally written by Tom Yu at MIT, as an
       interface to the OpenVision Kerberos administration program.

SEE ALSO
       kerberos(1), kpasswd(1), kadmind(8)

BUGS
       Command output needs to be cleaned up.

       There is no way to delete a key kept around from a "-keepold" option
       to a password-changing command, other than to do a password change
       without the "-keepold" option, which will of course cause problems if
       the key is a TGS key.  There will be more powerful key-manipulation
       commands in the future.

                                                                    KADMIN(8)



