Diffstat (limited to 'kadmin/kadmin.8')
-rw-r--r-- kadmin/kadmin.8 | 414
1 files changed, 414 insertions, 0 deletions
diff --git a/kadmin/kadmin.8 b/kadmin/kadmin.8 new file mode 100644 index 0000000..06fe3d0 --- /dev/null +++ b/kadmin/kadmin.8 
@@ -0,0 +1,414 @@ +.\" Copyright (c) 2000 - 2007 Kungliga Tekniska Högskolan +.\" (Royal Institute of Technology, Stockholm, Sweden). +.\" All rights reserved. +.\" +.\" Redistribution and use in source and binary forms, with or without +.\" modification, are permitted provided that the following conditions +.\" are met: +.\" +.\" 1. Redistributions of source code must retain the above copyright +.\" notice, this list of conditions and the following disclaimer. +.\" +.\" 2. Redistributions in binary form must reproduce the above copyright +.\" notice, this list of conditions and the following disclaimer in the +.\" documentation and/or other materials provided with the distribution. +.\" +.\" 3. Neither the name of the Institute nor the names of its contributors +.\" may be used to endorse or promote products derived from this software +.\" without specific prior written permission. +.\" +.\" THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +.\" ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +.\" SUCH DAMAGE. 
+.\" +.\" $Id: kadmin.8 21739 2007-07-31 15:55:32Z lha $ +.\" +.Dd Feb 22, 2007 +.Dt KADMIN 8 +.Os HEIMDAL +.Sh NAME +.Nm kadmin +.Nd Kerberos administration utility +.Sh SYNOPSIS +.Nm +.Bk -words +.Oo Fl p Ar string \*(Ba Xo +.Fl -principal= Ns Ar string +.Xc +.Oc +.Oo Fl K Ar string \*(Ba Xo +.Fl -keytab= Ns Ar string +.Xc +.Oc +.Oo Fl c Ar file \*(Ba Xo +.Fl -config-file= Ns Ar file +.Xc +.Oc +.Oo Fl k Ar file \*(Ba Xo +.Fl -key-file= Ns Ar file +.Xc +.Oc +.Oo Fl r Ar realm \*(Ba Xo +.Fl -realm= Ns Ar realm +.Xc +.Oc +.Oo Fl a Ar host \*(Ba Xo +.Fl -admin-server= Ns Ar host +.Xc +.Oc +.Oo Fl s Ar port number \*(Ba Xo +.Fl -server-port= Ns Ar port number +.Xc +.Oc +.Op Fl l | Fl -local +.Op Fl h | Fl -help +.Op Fl v | Fl -version +.Op Ar command +.Ek +.Sh DESCRIPTION +The +.Nm +program is used to make modifications to the Kerberos database, either remotely via the +.Xr kadmind 8 +daemon, or locally (with the +.Fl l +option). +.Pp +Supported options: +.Bl -tag -width Ds +.It Xo +.Fl p Ar string , +.Fl -principal= Ns Ar string +.Xc +principal to authenticate as +.It Xo +.Fl K Ar string , +.Fl -keytab= Ns Ar string +.Xc +keytab for authentication principal +.It Xo +.Fl c Ar file , +.Fl -config-file= Ns Ar file +.Xc +location of config file +.It Xo +.Fl k Ar file , +.Fl -key-file= Ns Ar file +.Xc +location of master key file +.It Xo +.Fl r Ar realm , +.Fl -realm= Ns Ar realm +.Xc +realm to use +.It Xo +.Fl a Ar host , +.Fl -admin-server= Ns Ar host +.Xc +server to contact +.It Xo +.Fl s Ar port number , +.Fl -server-port= Ns Ar port number +.Xc +port to use +.It Xo +.Fl l , +.Fl -local +.Xc +local admin mode +.El +.Pp +If no +.Ar command +is given on the command line, +.Nm +will prompt for commands to process. Some of the commands that take +one or more principals as argument +.Ns ( Nm delete , +.Nm ext_keytab , +.Nm get , +.Nm modify , +and +.Nm passwd ) +will accept a glob style wildcard, and perform the operation on all +matching principals. 
+.Pp +Commands include: +.\" not using a list here, since groff apparently gets confused +.\" with nested Xo/Xc +.Bd -ragged -offset indent +.Nm add +.Op Fl r | Fl -random-key +.Op Fl -random-password +.Oo Fl p Ar string \*(Ba Xo +.Fl -password= Ns Ar string +.Xc +.Oc +.Op Fl -key= Ns Ar string +.Op Fl -max-ticket-life= Ns Ar lifetime +.Op Fl -max-renewable-life= Ns Ar lifetime +.Op Fl -attributes= Ns Ar attributes +.Op Fl -expiration-time= Ns Ar time +.Op Fl -pw-expiration-time= Ns Ar time +.Ar principal... +.Pp +.Bd -ragged -offset indent +Adds a new principal to the database. The options not passed on the +command line will be promped for. +.Ed +.Pp +.Nm add_enctype +.Op Fl r | Fl -random-key +.Ar principal enctypes... +.Pp +.Bd -ragged -offset indent +Adds a new encryption type to the principal, only random key are +supported. +.Ed +.Pp +.Nm delete +.Ar principal... +.Pp +.Bd -ragged -offset indent +Removes a principal. +.Ed +.Pp +.Nm del_enctype +.Ar principal enctypes... +.Pp +.Bd -ragged -offset indent +Removes some enctypes from a principal; this can be useful if the +service belonging to the principal is known to not handle certain +enctypes. +.Ed +.Pp +.Nm ext_keytab +.Oo Fl k Ar string \*(Ba Xo +.Fl -keytab= Ns Ar string +.Xc +.Oc +.Ar principal... +.Pp +.Bd -ragged -offset indent +Creates a keytab with the keys of the specified principals. +.Ed +.Pp +.Nm get +.Op Fl l | Fl -long +.Op Fl s | Fl -short +.Op Fl t | Fl -terse +.Op Fl o Ar string | Fl -column-info= Ns Ar string +.Ar principal... +.Pp +.Bd -ragged -offset indent +Lists the matching principals, short prints the result as a table, +while long format produces a more verbose output. Which columns to +print can be selected with the +.Fl o +option. The argument is a comma separated list of column names +optionally appended with an equal sign +.Pq Sq = +and a column header. Which columns are printed by default differ +slightly between short and long output. 
+.Pp +The default terse output format is similar to +.Fl s o Ar principal= , +just printing the names of matched principals. +.Pp +Possible column names include: +.Li principal , +.Li princ_expire_time , +.Li pw_expiration , +.Li last_pwd_change , +.Li max_life , +.Li max_rlife , +.Li mod_time , +.Li mod_name , +.Li attributes , +.Li kvno , +.Li mkvno , +.Li last_success , +.Li last_failed , +.Li fail_auth_count , +.Li policy , +and +.Li keytypes . +.Ed +.Pp +.Nm modify +.Oo Fl a Ar attributes \*(Ba Xo +.Fl -attributes= Ns Ar attributes +.Xc +.Oc +.Op Fl -max-ticket-life= Ns Ar lifetime +.Op Fl -max-renewable-life= Ns Ar lifetime +.Op Fl -expiration-time= Ns Ar time +.Op Fl -pw-expiration-time= Ns Ar time +.Op Fl -kvno= Ns Ar number +.Ar principal... +.Pp +.Bd -ragged -offset indent +Modifies certain attributes of a principal. If run without command +line options, you will be prompted. With command line options, it will +only change the ones specified. +.Pp +Possible attributes are: +.Li new-princ , +.Li support-desmd5 , +.Li pwchange-service , +.Li disallow-svr , +.Li requires-pw-change , +.Li requires-hw-auth , +.Li requires-pre-auth , +.Li disallow-all-tix , +.Li disallow-dup-skey , +.Li disallow-proxiable , +.Li disallow-renewable , +.Li disallow-tgt-based , +.Li disallow-forwardable , +.Li disallow-postdated +.Pp +Attributes may be negated with a "-", e.g., +.Pp +kadmin -l modify -a -disallow-proxiable user +.Ed +.Pp +.Nm passwd +.Op Fl r | Fl -random-key +.Op Fl -random-password +.Oo Fl p Ar string \*(Ba Xo +.Fl -password= Ns Ar string +.Xc +.Oc +.Op Fl -key= Ns Ar string +.Ar principal... +.Pp +.Bd -ragged -offset indent +Changes the password of an existing principal. +.Ed +.Pp +.Nm password-quality +.Ar principal +.Ar password +.Pp +.Bd -ragged -offset indent +Run the password quality check function locally. +You can run this on the host that is configured to run the kadmind +process to verify that your configuration file is correct. 
+The verification is done locally, if kadmin is run in remote mode, +no rpc call is done to the server. +.Ed +.Pp +.Nm privileges +.Pp +.Bd -ragged -offset indent +Lists the operations you are allowed to perform. These include +.Li add , +.Li add_enctype , +.Li change-password , +.Li delete , +.Li del_enctype , +.Li get , +.Li list , +and +.Li modify . +.Ed +.Pp +.Nm rename +.Ar from to +.Pp +.Bd -ragged -offset indent +Renames a principal. This is normally transparent, but since keys are +salted with the principal name, they will have a non-standard salt, +and clients which are unable to cope with this will fail. Kerberos 4 +suffers from this. +.Ed +.Pp +.Nm check +.Op Ar realm +.Pp +.Bd -ragged -offset indent +Check database for strange configurations on important principals. If +no realm is given, the default realm is used. +.Ed +.Pp +.Ed +.Pp +When running in local mode, the following commands can also be used: +.Bd -ragged -offset indent +.Nm dump +.Op Fl d | Fl -decrypt +.Op Ar dump-file +.Pp +.Bd -ragged -offset indent +Writes the database in +.Dq human readable +form to the specified file, or standard out. If the database is +encrypted, the dump will also have encrypted keys, unless +.Fl -decrypt +is used. +.Ed +.Pp +.Nm init +.Op Fl -realm-max-ticket-life= Ns Ar string +.Op Fl -realm-max-renewable-life= Ns Ar string +.Ar realm +.Pp +.Bd -ragged -offset indent +Initializes the Kerberos database with entries for a new realm. It's +possible to have more than one realm served by one server. +.Ed +.Pp +.Nm load +.Ar file +.Pp +.Bd -ragged -offset indent +Reads a previously dumped database, and re-creates that database from +scratch. +.Ed +.Pp +.Nm merge +.Ar file +.Pp +.Bd -ragged -offset indent +Similar to +.Nm load +but just modifies the database with the entries in the dump file. 
+.Ed +.Pp +.Nm stash +.Oo Fl e Ar enctype \*(Ba Xo +.Fl -enctype= Ns Ar enctype +.Xc +.Oc +.Oo Fl k Ar keyfile \*(Ba Xo +.Fl -key-file= Ns Ar keyfile +.Xc +.Oc +.Op Fl -convert-file +.Op Fl -master-key-fd= Ns Ar fd +.Pp +.Bd -ragged -offset indent +Writes the Kerberos master key to a file used by the KDC. +.Ed +.Pp +.Ed +.\".Sh ENVIRONMENT +.\".Sh FILES +.\".Sh EXAMPLES +.\".Sh DIAGNOSTICS +.Sh SEE ALSO +.Xr kadmind 8 , +.Xr kdc 8 +.\".Sh STANDARDS +.\".Sh HISTORY +.\".Sh AUTHORS +.\".Sh BUGS |
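Review bot: the descriptions of the commands that emit key material do not say so, and this is where a reader of kadmin(8) most needs a warning: `dump -d`/`--decrypt` ("the dump will also have encrypted keys, unless --decrypt is used") produces plaintext principal keys on standard out or in the named file, `stash` "Writes the Kerberos master key to a file used by the KDC", and `ext_keytab` writes principal keys into a keytab. Suggest one sentence on each saying that the output contains secret keys and should be written only to a file with restrictive permissions (or to a pipe), never to a world-readable location; the same applies to `add -p`/`--password=` and `passwd -p`, whose argument is visible to other local users in the process list, so the prompted form is preferable when other users share the host. Smaller items in the same hunk: "command line will be promped for" should read "prompted for"; "only random key are supported" should read "only random keys are supported"; "The verification is done locally, if kadmin is run in remote mode, no rpc call is done to the server." is a comma splice and reads better as "The verification is done locally; if kadmin is run in remote mode, no RPC call is made to the server."; `.Ar port number` renders as two separate arguments and should be a single token such as `.Ar port-number`; and `.Dd Feb 22, 2007` was not bumped to match the `$Id` revision date of 2007-07-31.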