Manual Pages for UNIX Darwin command on man kdb5_util

KDB5_UTIL(8)

NAME

kdb5_util - Kerberos database maintenance utility

SYNOPSIS

kdb5_util [-r realm] [-d dbname] [-k mkeytype] [-M mkeyname]
          [-sf stashfilename] [-m] command [command_options]

DESCRIPTION

kdb5_util allows an administrator to perform low-level maintenance
procedures on the Kerberos and KADM5 database. Databases can be created,
destroyed, and dumped to and loaded from ASCII files. Additionally,
kdb5_util can create a Kerberos master key stash file.

kdb5_util subsumes the functionality of and makes obsolete the previous
database maintenance programs kdb5_create, kdb5_edit, kdb5_destroy, and
kdb5_stash.

When kdb5_util is run, it attempts to acquire the master key and open the
database. However, execution continues regardless of whether or not
kdb5_util successfully opens the database, because the database may not
exist yet or the stash file may be corrupt. Note that some KDB plugins may
not support all kdb5_util commands.

COMMAND-LINE OPTIONS

-r realm
    specifies the Kerberos realm of the database; by default the realm
    returned by krb5_default_local_realm(3) is used.

-d dbname
    specifies the name under which the principal database is stored; by
    default the database is that listed in kdc.conf(5). The KADM5 policy
    database and lock file are also derived from this value.

-k mkeytype
    specifies the key type of the master key in the database; the default
    is that given in kdc.conf.

-M mkeyname
    principal name for the master key in the database; the default is that
    given in kdc.conf.

-m  specifies that the master database password should be read from the
    TTY rather than fetched from a file on disk.

-sf stashfile
    specifies the stash file of the master database password.

-P password
    specifies the master database password. This option is not
    recommended.

COMMANDS

create [-s]
    Creates a new database. If the -s option is specified, the stash file
    is also created. This command fails if the database already exists. If
    the command is successful, the database is opened just as if it had
    already existed when the program was first run.

destroy [-f]
    Destroys the database, first overwriting the disk sectors and then
    unlinking the files, after prompting the user for confirmation. With
    the -f argument, does not prompt the user.

stash [-f keyfile]
    Stores the master principal's keys in a stash file. The -f argument can
    be used to override the keyfile specified at startup.

dump [-old] [-b6] [-b7] [-ov] [-verbose] [-mkey_convert]
     [-new_mkey_file mkeyfile] [-rev] [-recurse] [filename [principals...]]
    Dumps the current Kerberos and KADM5 database into an ASCII file. By
    default, the database is dumped in current format, "kdb5_util load_dump
    version 5". If filename is not specified, or is the string "-", the
    dump is sent to standard output.

    Options:

    -old  causes the dump to be in the Kerberos 5 Beta 5 and earlier dump
          format ("kdb5_edit load_dump version 2.0").

    -b6   causes the dump to be in the Kerberos 5 Beta 6 format
          ("kdb5_edit load_dump version 3.0").

    -b7   causes the dump to be in the Kerberos 5 Beta 7 format
          ("kdb5_util load_dump version 4"). This was the dump format
          produced on releases prior to 1.2.2.

    -ov   causes the dump to be in ovsec_adm_export format.

    -verbose
          causes the name of each principal and policy to be printed as it
          is dumped.

    -mkey_convert
          prompts for a new master key. This new master key will be used to
          re-encrypt the key data in the dumpfile. The key data in the
          database will not be changed.

    -new_mkey_file mkeyfile
          the filename of a stash file. The master key in this stash file
          will be used to re-encrypt the key data in the dumpfile. The key
          data in the database will not be changed.

    -rev  dumps in reverse order. This may recover principals that do not
          dump normally, in cases where database corruption has occurred.

    -recurse
          causes the dump to walk the database recursively (btree only).
          This may recover principals that do not dump normally, in cases
          where database corruption has occurred. In cases of such
          corruption, this option will probably retrieve more principals
          than the -rev option will.

load [-old] [-b6] [-b7] [-ov] [-hash] [-verbose] [-update]
     filename [dbname [admin_dbname]]
    Loads a database dump from the named file into the named database.
    Unless the -old or -b6 option is given, the format of the dump file is
    detected automatically and handled as appropriate. Unless the -update
    option is given, load creates a new database containing only the
    principals in the dump file, overwriting the contents of any previously
    existing database. Note that when using the LDAP KDB plugin the -update
    option must be given.

    Options:

    -old  requires the database to be in the Kerberos 5 Beta 5 and earlier
          format ("kdb5_edit load_dump version 2.0").

    -b6   requires the database to be in the Kerberos 5 Beta 6 format
          ("kdb5_edit load_dump version 3.0").

    -b7   requires the database to be in the Kerberos 5 Beta 7 format
          ("kdb5_util load_dump version 4").

    -ov   requires the database to be in ovsec_adm_import format. Must be
          used with the -update option.

    -hash requires the database to be stored as a hash. If this option is
          not specified, the database will be stored as a btree. This
          option is not recommended, as databases stored in hash format are
          known to corrupt data and lose principals.

    -verbose
          causes the name of each principal and policy to be printed as it
          is dumped.

    -update
          records from the dump file are added to or updated in the
          existing database; otherwise, a new database is created
          containing only what is in the dump file and the old one
          destroyed upon successful completion.

    dbname is optional and, when provided, overrides the value specified on
    the command line or the default. admin_dbname is optional and is
    derived from dbname if not specified.
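The dump and load sections above identify a dump file by its first line. The following added example (not part of the man page or the MIT Kerberos distribution) maps that header line to the load option it requires, and wraps dump in a backup helper that creates the file with a restrictive mode, since the dump carries every principal's key material encrypted under the master key. It assumes kdb5_util is on PATH; only kdb_backup actually invokes it.

```shell
#!/bin/sh
# Added example: classify a kdb5_util dump by its header line and back up
# the KDC database with a 0600 file mode. Not taken from the man page.

# Print which load option a dump file needs, based on its first line.
# The header strings are the ones listed under DUMP and LOAD above.
# Returns 0 if the header is recognised, 1 otherwise.
dump_format_version() {
    header=$(head -n 1 "$1")
    case "$header" in
        "kdb5_edit load_dump version 2.0") echo "old" ;;      # load -old
        "kdb5_edit load_dump version 3.0") echo "b6" ;;       # load -b6
        "kdb5_util load_dump version 4")   echo "b7" ;;       # load -b7
        "kdb5_util load_dump version 5")   echo "current" ;;  # autodetected
        *) echo "unknown"; return 1 ;;
    esac
}

# Dump the database into "$1", created under umask 077 so the file is
# readable only by the invoking user, then confirm the header before
# treating the file as a usable backup. Requires kdb5_util on PATH.
kdb_backup() {
    out="$1"
    ( umask 077 && kdb5_util dump "$out" ) || return 1
    [ "$(dump_format_version "$out")" = "current" ]
}

# Offline self-check with constructed headers (no KDC or kdb5_util needed).
tmp=$(mktemp)
printf 'kdb5_util load_dump version 5\n' > "$tmp"
dump_format_version "$tmp"    # prints: current
printf 'kdb5_edit load_dump version 3.0\n' > "$tmp"
dump_format_version "$tmp"    # prints: b6
rm -f "$tmp"
```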

dump_v4 [-S] [filename]
    Dumps the current database into the Kerberos 4 database dump format.
    The -S option specifies the short lifetime algorithm.

load_v4 [-T] [-v] [-h] [-S] [-t] [-n] [-K] [-s stashfile] inputfile
    Loads a Kerberos 4 database dump file. Options:

    -K  prompts for the V5 master key instead of using the stashed
        version.

    -n  prompts for the V4 master key, instead of reading from the stash
        file.

    -s stashfile
        gets the V4 master key out of stashfile instead of /.k

    -T  creates a new krbtgt instead of converting the V4 one. The V5
        server will thus not recognize outstanding tickets, so this should
        be used with caution.

    -v  lists each principal as it is converted or ignored.

    -t  uses a temporary database, then moves that into place, instead of
        adding the keys to the current database.

    -S  Uses the short lifetime algorithm for conversion.

    -h  Stores the database as a hash instead of a btree. This option is
        not recommended, as databases stored in hash format are known to
        corrupt data and lose principals.

    Note: if the Kerberos 4 database had a default expiration date of
    12/31/1999 or 12/31/2009 (the compiled-in defaults for older or newer
    Kerberos releases) then any entries which have the same expiration date
    will be converted to "never" expire in the version 5 database. If the
    default did not match either value, all expiration dates will be
    preserved. Also, Kerberos 4 stored a single modification time for any
    change to a record; Version 5 stores a separate modification time and
    last password change time. In practice, Version 4 "modifications" were
    always password changes. load_v4 copies the value into both fields.

ark
    Adds a random key.

SEE ALSO

kadmin(8)



